Analysis Overview
SHA256
956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4
Threat Level: Known bad
The file uni.zip was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 07:29
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win10v2004-20240508-en
Max time kernel
296s
Max time network
307s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUHveIzSWVxx.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1896
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rhTf1FP6ZUqx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5052 -ip 5052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1620
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3yDe48LqYA5R.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1976 -ip 1976
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 1632
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gl6RtEtfEpEq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4228 -ip 4228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x4ybiGFXL8V1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2144 -ip 2144
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zG5Yn6ncZazy.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1608 -ip 1608
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AX3N6H5w7gbE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 928 -ip 928
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1872 -ip 1872
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1692
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgLtjhTiOaht.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 512 -ip 512
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q5bobSyDoiX9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 912 -ip 912
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQ8Db08xowjq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4136 -ip 4136
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zv4kTqW14VPI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4864 -ip 4864
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hv956tX912zg.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3456 -ip 3456
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J7G2Cj6EFUTd.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2560 -ip 2560
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jVjDHjRQ9pdz.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1204 -ip 1204
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/1660-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp
memory/1660-1-0x0000000000860000-0x00000000008CC000-memory.dmp
memory/1660-2-0x00000000057E0000-0x0000000005D84000-memory.dmp
memory/1660-3-0x0000000005230000-0x00000000052C2000-memory.dmp
memory/1660-4-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/1660-5-0x00000000051B0000-0x0000000005216000-memory.dmp
memory/1660-6-0x0000000005EB0000-0x0000000005EC2000-memory.dmp
memory/1660-7-0x0000000074D1E000-0x0000000074D1F000-memory.dmp
memory/1660-8-0x0000000074D10000-0x00000000754C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4380-15-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/4380-17-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/1660-16-0x0000000074D10000-0x00000000754C0000-memory.dmp
memory/4380-19-0x0000000006010000-0x000000000601A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lUHveIzSWVxx.bat
| MD5 | 556e2c9bc653231c5e40dd3972b43230 |
| SHA1 | 8177e60b4efc1b7fc79fbb3c6003643b0fa36d42 |
| SHA256 | 3c81eb2679c45bc94baf95b9ae03946b34e5ddef1b2c9a50240366daed565281 |
| SHA512 | 9531d814c20f94857491bdafbbb1b574abddfd95457b4c6e7dd4d52de36b980fa2b4275c655fdea6dafcd6f4fe42f4ed390c3eea737cd0e29ee4550843a389f7 |
memory/4380-24-0x0000000074D10000-0x00000000754C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | a8c6ea3eb0e6805e0e4d71b0a7320e2a |
| SHA1 | abdb5b423bec19f4bc809a7bdada2a73a11138e8 |
| SHA256 | a70eef9c00ec8e4824dcb5414bf3e3a464de1f1a129b3b9dddb5e914968bb87e |
| SHA512 | 4e006ac87df5ae7e0f5a14e2083efc495aeab4628aaef4bb1d95694c87b4c1184fbc5594ccc2a43c1b0dd91b88caeea37501bcc5d7552271f69e7d08752c2868 |
C:\Users\Admin\AppData\Local\Temp\rhTf1FP6ZUqx.bat
| MD5 | 8d3d6a8245533f2b0acad2d315b73f1c |
| SHA1 | e09a8809d717ab53bfe9868efe50e0eb03132df0 |
| SHA256 | 69c90c0ad720df82e1a40dc100c30b72a1b3eefcd53a86e37aee0566faf09be4 |
| SHA512 | 20f4665c900b64bde216f8100efc2bfbcc69df113f3265cfe224ccd9db3da13e2522e4453d5b4facb982b4dad083a9fa36b3840abb0f7fa443722910b85da02d |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 5ccbbbf7c851a90f28820db847ebd5f9 |
| SHA1 | 8388e22cb44bde3b229079ee20550eff53c96ab6 |
| SHA256 | cd52550ce4a3e00871d4cc6c45fe1ef788aaf530b0f5ac4d0b807567ca4f88e4 |
| SHA512 | 71bf084165c269a62603db2e92343a0522a372651394744eb86ab0dc77543ac4376a2dac1ae73afd5d315fd1c1ad51e12e65d535b7bb03b13fe14a354aa5fe4d |
C:\Users\Admin\AppData\Local\Temp\3yDe48LqYA5R.bat
| MD5 | e834e4a0a112bd4616c039317fc29813 |
| SHA1 | 3e2d3cd4ece4eb132b2268c486cd219023e08178 |
| SHA256 | d9448c070fc333fa3dd8126574f1d721a6e44dbef262fc81443f7202b1a702d6 |
| SHA512 | 15eb6e7679200ace1147216337d8d4443d00ef338834bd967fc460d58ffd0053e0be563d68fee9489f1ad9fa969788f208cceb73d7491676a4abbd2f518491fa |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 75462e0c666cd029b69cb5939fd2b785 |
| SHA1 | df25b4117e718668d842c3f924f7651eda82c679 |
| SHA256 | c286319b49c7f37c776e18b81192960bea7580884bff79ea1fd4eca93c9559c7 |
| SHA512 | 28847965b971b5e938784ded048b8706eaa215c5c7f5e1c7fae076bf41a6557707580e537f0f20374e6c3f0537fd8387849435e4d41a573c636306e1fa89afbc |
C:\Users\Admin\AppData\Local\Temp\Gl6RtEtfEpEq.bat
| MD5 | 8f0d905b348d8d9238d1978cfcb58404 |
| SHA1 | 91d9d03a9b5e48a03c240543a3c6728b4c07fc05 |
| SHA256 | 97a03b99a161ddeba7b54bc054d802a8b76de4e6c4b95f20261b0ae2b6ebdb85 |
| SHA512 | 92d9069bcc47c954b7b08dc2fb6c49c95fee2b8e8e9b980eaebfcf74f6b0c4673b4d342d40f7453021b2bba00c448b7e0d22642965769d8c252b5e081e4b0a49 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 0f6a4685066bd0ee19b849d38a8a5e75 |
| SHA1 | 171f9fc7493f87c29522d4ccffed09e7707986ce |
| SHA256 | d4292463b7d83ad47a8fe63517698afe9350290b1e29ec785dbc117837b9ce91 |
| SHA512 | cd9b8636c593c07970a2454f4bebd4dfa92ae22a59445fca5effaa2500613e800b89d96c44beabe52b41153591388990e97e5b5aa2c882f406ccfa7afd20bb71 |
C:\Users\Admin\AppData\Local\Temp\x4ybiGFXL8V1.bat
| MD5 | 2201105f24203c67bce2905735269eb3 |
| SHA1 | 251b17bd742dabe46b4f4e244e4157e43b7b93bb |
| SHA256 | 9357ac4051e007c3205a8742ceb3783c4f6503eee6a948421687b0bd0831d6f6 |
| SHA512 | 22282bbc170361c194226a457715adf16030a5c19bd846957a1c8f14d0c4ae6558ca09e999c66269ddf8922cf29d787584ecb048e1637f285eab31a62042fa29 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 153a86bf0ad8e4b2eecf731307f6ed95 |
| SHA1 | 8d1f77418545271bdcdddcc2542a1119b8922448 |
| SHA256 | 6981ea92f616b613fe72e9b7764eac9d008b0d434ba4a17af27128b303a0aef4 |
| SHA512 | b23ddaf087196345c52d068b6dc7a4d65c30ca7f02bb0436f6ddceb9e193aca27caa1a124d3067412c697c5c1391b02ab7a240718ca6679c0a9f609d7a60e044 |
C:\Users\Admin\AppData\Local\Temp\zG5Yn6ncZazy.bat
| MD5 | ce01692f5ba1c879c2a722d4fa4ae823 |
| SHA1 | b194206d2383be31de1d0977fc8755b7bc5eb1e5 |
| SHA256 | 19ccba77ecc47cbeda9e067c6bfbc205dedb829d9e9eb18f12d2d45f3be23825 |
| SHA512 | 6351d5d4da841b708bbc366a8c0ea46b6f4b22f4bfde28b7091be6fc6274218ce69ef9d83d1f38f63bce2400994fa126452081d35c310ce44d57aa5f0af4ba87 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\AX3N6H5w7gbE.bat
| MD5 | 0eafcd275c430ed3b893ee7ec7a98ca1 |
| SHA1 | 2103c06dbac3beb26654e65ac798c0b9a3f3297a |
| SHA256 | beba39e9c206cdec7658f48fe01e9fd4024a1f45f55b56f2801888881babf0eb |
| SHA512 | d01da5beb16239aacd8cd8834d829e62ab6c75e74e3d35b5ac58cd042e8e0e851ecb94d645d653d244b08590676dc95489c0ee6fae72d2db2402078688b4ca6f |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | f603cd155fe536e2d2085a3b29b336ba |
| SHA1 | fd6943aa937b48fe11d5ee9371b97bd585d118c9 |
| SHA256 | 459496c21bc7eaae8fcb27f0586a56ff1707930275e0f68b97f62e9ac741f3f7 |
| SHA512 | e0f958ac8015426901ce5d190ad945e93d813321de3569ce5718579f3e4e374ddc24d5d840cba89d4d0c2e5dc5000086a7a72c5185d329b55e5a032da368b99e |
C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat
| MD5 | fca918401b9f049ba5b5d4539bbb417f |
| SHA1 | 2cdeb9d54acc29a51a98f4bc859673c5ec786879 |
| SHA256 | 684e02e766fa1f723388f802c7f5a15df9258467c5abcab7a483457f681220ad |
| SHA512 | 29acf29a6cccda64ce38f2d6dab7697d765cc14306c46e54e2f79f1a12f7def33d7fc192c12a684e1619872334adab6e93840c5b05e6a66279e65138a1b829e7 |
C:\Users\Admin\AppData\Local\Temp\wgLtjhTiOaht.bat
| MD5 | 69431b528e343ee12f9e3bf9d1fd4e24 |
| SHA1 | 01c68cb49e1ca97b312218926679a4ceeea3b107 |
| SHA256 | 9d1a1557d6fe82ffb39288b3247aac6d101c71e09f674a47764d59db2c5851f4 |
| SHA512 | 26e1525c1f8cd96171109d7f4e53e432cb07bde1c3c0e5ca07b597a0d3395f7e18d65b6b3361df1aa7c2e9d18c86d1759c23959a169c2f1b85d525d4907cf923 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 8a0e0a7c2d1c9fd91c9df10d9d5d2c75 |
| SHA1 | 0898e1f2bb59c3832be49c396cba6e72e20b0c4e |
| SHA256 | 78bc98facf7bd6fdf7d1f849520f618800aa04cd8fd84319a76d76c415c961ae |
| SHA512 | 23495347759103359ffa6d30af9c994f9ff4c96077660e8ea6851e0983c6103b75c45cb0f8af552333915f6a9df6339fdfa2206b28697fd5a2ea578f298f705f |
C:\Users\Admin\AppData\Local\Temp\Q5bobSyDoiX9.bat
| MD5 | 4f835b7450e47fb7d7ac0c6eff0ee543 |
| SHA1 | de621a585af218745de10cd8531fba2e3af12ab9 |
| SHA256 | d696f0e15f19fa5b45f6bf77a9661466724a48f184efe5c7398ae51deaeb943c |
| SHA512 | 49f640dde2b38229189d142e4e9c4eeb2e707c0060df6eef3053f2403c1ad32bbdaffaaf53d9b960e51ac9d6683adff1f1782b1fa92a457bbfc1823a1875e232 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 52a6d89f06a317fe6248971d396632e2 |
| SHA1 | 8fa3e37d39aa4c9382ba9f4c408fd6944acad655 |
| SHA256 | 8cb41ed4bdab738cb52aa2035de4bddef5f01125a3a854a61dbf46781103791f |
| SHA512 | 1781ee822a23dbd6446e8799417827356f97a1e11388d88fe9bcb35544c289386a1cede4e039585bb4d77055f1a2fa44554d091f9df7de912690979a1c319d6a |
C:\Users\Admin\AppData\Local\Temp\tQ8Db08xowjq.bat
| MD5 | 6e82a7bc30afe439114ff69e76e59e4a |
| SHA1 | 9e14c777b99b293d0160afcfdd618afea6629bcf |
| SHA256 | a04a946b3db7963ed59da825dddc7e657f2fe7d72a79dca7d31f210815d97fb7 |
| SHA512 | 3d57acf757f766e0accfa16ac5ec94110507f3d8b2ad0f3af8e33181f51defc0b7a040d501cd298d5178c4a5222c7a92710049148c639dabad3bacd9d932b3fe |
C:\Users\Admin\AppData\Local\Temp\Zv4kTqW14VPI.bat
| MD5 | a159dfaf591050682dbc4994139c0df4 |
| SHA1 | 957f7ffcbf88795ea0c629bcfa9df08da597e755 |
| SHA256 | 224d12f1a2dad13e59100c47cb32bf868e1575a1ee886283d5f21c19e0047721 |
| SHA512 | 4b87a5b8afe9a6ef809bd9fbbbcd288f4129e3b21f3a8dea7b1ac905119d4366108d5b6a5c5dba8c62ff7877e783b8714019da78329f58e9ef804147dce69038 |
C:\Users\Admin\AppData\Local\Temp\Hv956tX912zg.bat
| MD5 | 1dbbdd51870908a64ddef12ab5eca127 |
| SHA1 | 33eedf8ba9523219ec40fc3de232e3bb6246e8f5 |
| SHA256 | ba5b8648aed458137f71935e68f84a68e07116e16d40d609343a528a6299dfa3 |
| SHA512 | 6811bad1f851784930a22e4a657771b0bfc5eb974f6e8bb996fa3e140acf9417d8bb82b59fd342253d16cff4fc350fcea32c14a9126cb96dcb9058b71d09c63c |
C:\Users\Admin\AppData\Local\Temp\J7G2Cj6EFUTd.bat
| MD5 | 58422cab926749e2b4e5f9b27e09754e |
| SHA1 | 1a77d6d6236f322b3084221c2795a432e58b32e7 |
| SHA256 | 72ac0ad88ef12f3ca11b3a435bdc47a551b34758a5afd421710768988c2eabbd |
| SHA512 | 20ec31569453f0407317668d43bbaf80a048ee830806f6f3e9c3b38f28aee46a17a51cf3272210085003a8b6338a9c1a85f6a46cdc6daebe890363b7f8b4eb3d |
C:\Users\Admin\AppData\Local\Temp\jVjDHjRQ9pdz.bat
| MD5 | b2fe1152f864b5511b146dd252778e2f |
| SHA1 | e7f94d25a81fb26f6d0a8a1508d3f195cf2b0795 |
| SHA256 | 4e74d8210fa052254e142541094191e801be528aa18446f954105700d52887f7 |
| SHA512 | 034bf4921b4beb588c81e0f6be35e3e560bf7705e3d681487519331ffe5a7b279389cb55f8be2499a6e387c9e82b4a85e67600353d9222398daa146e04cce366 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win10v2004-20240611-en
Max time kernel
299s
Max time network
303s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2664-0-0x000000007489E000-0x000000007489F000-memory.dmp
memory/2664-1-0x0000000000700000-0x000000000076C000-memory.dmp
memory/2664-2-0x00000000057A0000-0x0000000005D44000-memory.dmp
memory/2664-3-0x00000000051F0000-0x0000000005282000-memory.dmp
memory/2664-4-0x0000000074890000-0x0000000075040000-memory.dmp
memory/2664-5-0x0000000005160000-0x00000000051C6000-memory.dmp
memory/2664-6-0x0000000005E70000-0x0000000005E82000-memory.dmp
memory/2664-7-0x00000000063B0000-0x00000000063EC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/732-13-0x0000000074890000-0x0000000075040000-memory.dmp
memory/732-14-0x0000000074890000-0x0000000075040000-memory.dmp
memory/2664-16-0x0000000074890000-0x0000000075040000-memory.dmp
memory/732-18-0x0000000006BF0000-0x0000000006BFA000-memory.dmp
memory/732-19-0x0000000074890000-0x0000000075040000-memory.dmp
memory/732-20-0x0000000074890000-0x0000000075040000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win7-20240220-en
Max time kernel
235s
Max time network
290s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2348-0-0x000000007455E000-0x000000007455F000-memory.dmp
memory/2348-1-0x0000000000A10000-0x0000000000A7C000-memory.dmp
memory/2348-2-0x0000000074550000-0x0000000074C3E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2696-10-0x0000000000210000-0x000000000027C000-memory.dmp
memory/2696-11-0x0000000074550000-0x0000000074C3E000-memory.dmp
memory/2696-12-0x0000000074550000-0x0000000074C3E000-memory.dmp
memory/2348-14-0x0000000074550000-0x0000000074C3E000-memory.dmp
memory/2696-15-0x0000000074550000-0x0000000074C3E000-memory.dmp
memory/2696-16-0x0000000074550000-0x0000000074C3E000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win10v2004-20240508-en
Max time kernel
294s
Max time network
304s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eydYZm8p9GGB.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1984 -ip 1984
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 2164
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tibZIPUCvpQu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3208 -ip 3208
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 2176
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G1GfSCyiJ3q1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5108 -ip 5108
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCWIiFqaxVYP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4864 -ip 4864
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1644
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WG7RReEuTrBV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeZcWfZ6NBLr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1832 -ip 1832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pFBmObrhTAsW.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1952 -ip 1952
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1716
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAPEpJ8b64Jb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 936 -ip 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2iHXmci7Giyj.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3224 -ip 3224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6PYJedsHB9Kb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4400 -ip 4400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1688
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4W704WwHUuS5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3148 -ip 3148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 2220
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\En5pMhEb2z4K.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3340 -ip 3340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1516
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyLSdk6TfRmi.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5004 -ip 5004
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LFKIvvOnEXOy.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4636 -ip 4636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f35PZncoVCIw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1432 -ip 1432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/4296-0-0x00000000748BE000-0x00000000748BF000-memory.dmp
memory/4296-1-0x0000000000AA0000-0x0000000000B0C000-memory.dmp
memory/4296-2-0x0000000005910000-0x0000000005EB4000-memory.dmp
memory/4296-3-0x0000000005480000-0x0000000005512000-memory.dmp
memory/4296-4-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/4296-5-0x00000000053E0000-0x0000000005446000-memory.dmp
memory/4296-6-0x0000000005450000-0x0000000005462000-memory.dmp
memory/4296-7-0x00000000748BE000-0x00000000748BF000-memory.dmp
memory/4296-8-0x00000000748B0000-0x0000000075060000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4296-16-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/1984-15-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/1984-17-0x00000000748B0000-0x0000000075060000-memory.dmp
memory/1984-19-0x00000000062C0000-0x00000000062CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eydYZm8p9GGB.bat
| MD5 | 2cb9aaea3c7feca92e15ca3322a768d9 |
| SHA1 | a2b00159aaee73d9ee0f5e38c4174c9bbc42ef85 |
| SHA256 | 6a3b3e3b76c6740e2390fc832d8587627778484fee0edcc8adfbe3afe7860bf6 |
| SHA512 | 2eea8068d2bca6465ff725bcd27c55f76ba181375728d2b2d4b1eb0ce1ba8d5b2e39a547a534dbf602fba5773f027b4318fcc5bd009ff98d422fef0df4fabf72 |
memory/1984-24-0x00000000748B0000-0x0000000075060000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | f49f6bf6ec1100c66e660ebfa237a5c9 |
| SHA1 | 686b507e4acc366d54cb07e11cf22b351b0172b2 |
| SHA256 | 8a7ccb67406a8755382cd68a3ec6e00a48a76ed88a8f1fbabbeecad7a0ff3553 |
| SHA512 | 44891f2c0d9cad9b0055a5a11ef4d4a01c957cfc961752657a7549bedc8592b64389fa31f3db678cca13b9618d9624aafd3f75f388eb2b111c67f09e3acb7575 |
C:\Users\Admin\AppData\Local\Temp\tibZIPUCvpQu.bat
| MD5 | bc3830992f9bb8d216c131e35d8e3fac |
| SHA1 | 48688ca4cd239cd926c49a3c2ae24c837dd0c1a8 |
| SHA256 | dbbdaa93aea379d277804f864d8ac9428edd10edd4cb4c881ed6f6c40f3a76e9 |
| SHA512 | ea5c918781003035cbe0aa930b7fdbad1814f48f5e8958eae876b89dd5265d95787eca7f4f998b070c77c93cecd22f92f7fb7fd5125954cb6ec0cde625333526 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | a33ac7d2fa63ec71b293009457496df9 |
| SHA1 | 6ec11bf8b367be39c630b18d0221f15eb2827c98 |
| SHA256 | 159d570bf8c9b4df6b2f99ab529c9d78703468d599cc74a41ccf451094587ef3 |
| SHA512 | e76c0abe784b6e989b3e59f7a43d4c3adf3ed610589ed7e082f0f207a03847418e84136cdad01d918dcf867229da02ad145fb43bf47c261f84e2e177acf39dc4 |
C:\Users\Admin\AppData\Local\Temp\G1GfSCyiJ3q1.bat
| MD5 | bcb8b7a7f83d8609cae7e24449f0f3ad |
| SHA1 | 70e172f776ba884c1e0fe93d85fff6d54d07ca06 |
| SHA256 | 58b59bfb9f3aadedc906fbec2597d91ca09a045e35331744921d1284e3c886f8 |
| SHA512 | eb5239eb67fb0cf78020e033e9a45adf7327a0e383990887e027545b69fbe5fc05419dd09e574cb57cbd537628cd83bda04b38355a4c0b405c57989bd2e01910 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | bcc3178b4c70739f1e07db605ec312b6 |
| SHA1 | f1e2822ba73971f8b0eab00a6b094a162e62887c |
| SHA256 | cf988455aa84acfe411f37969c40dfaa6c2e5d940b5196044a5708e22e175a65 |
| SHA512 | 90ae93d586c00e127943529856149ef622653e12e55f83250f36c765252617e3029ce5edbaed1d70d3af8414fd6dcb803a12e502ff2fafe8712717e8fbfcdfcb |
C:\Users\Admin\AppData\Local\Temp\BCWIiFqaxVYP.bat
| MD5 | f735f0b2b62ad8115a70b3ee8b718d65 |
| SHA1 | 40a1263641f0e8c827c5c61b1cde3313bf8dfbb7 |
| SHA256 | 87641ad833f79cbe6a727812393329ba171e03f2de8a8fa1deb2082ef891f147 |
| SHA512 | fb23e197c76da43d4023d2d487da3652b5f5f92bd86e042dd88babb9b8af883ece37e75608db6dcef417e14715bd7797b0912d7ae8248e57102e6a03a0d9bb60 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | dcfdcf5874ddfb4f5422c808b26d19e6 |
| SHA1 | 78d512869b861662c646f60fcbd74bc6475f6706 |
| SHA256 | e6b046a8edef63070ff6a395e30175280dd80d4a9639cfb8d0236f6665edf357 |
| SHA512 | e54f9f6c95d7eceeffe43059fcdcfdd7fc3a327656f1ce69d11cf9733f3541d76e0ba77b0b42cee796c54e27ed9775f875a59f632549b6e2f9108798b9b9f29c |
C:\Users\Admin\AppData\Local\Temp\WG7RReEuTrBV.bat
| MD5 | 07702f6c759e7213945b324141421405 |
| SHA1 | 8a3d172c82de14d563e97ee1418781ec944c80c7 |
| SHA256 | a4c7421ad62cbf10ba1e39321ad949f538fcef54b28a61494e2917ba015bef4a |
| SHA512 | 192c173bfad2b0c2c787171ed24083141dfdb4fd25a25fae12b8cc74572df8b1767fcf453507134bda1f28eb18a1d0ce5fcc6af65d08c6e811333aa5c4d0e4ef |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\xeZcWfZ6NBLr.bat
| MD5 | 7866fc4151663471faf40ef1e0bc2ece |
| SHA1 | f003b00febbce0832e42087d5f6db4e8a036d6fa |
| SHA256 | 417f87c76d45cafab7743101fc23e862d1829a0f2a25299d566aa4e1130e89cc |
| SHA512 | c5dc14a7623f637209fb376c9fa1b5327ca082f9ccf33fc04c8e2834278996309ffaed4d1f695b27191afcbd672b0a2fba98fb437847895d419c86567445e54b |
C:\Users\Admin\AppData\Local\Temp\pFBmObrhTAsW.bat
| MD5 | 0d57f0e1952f7623f419424f4b0e9e72 |
| SHA1 | b8a1f1e1b57ebdf018917db41bf7d22932f10674 |
| SHA256 | 627385bb1f52e1d6f33f07d8ba1ed5dff608704c2d42914514f04ed9362db323 |
| SHA512 | 96d0f779d70fa344c7e5c5cbaa43a2af9c3b4af16220ce4713c478160f41bbc866bb58a2ede2292206f8f3f771734a4e3774a0d33c798657fe55b7b20bb39f0b |
C:\Users\Admin\AppData\Local\Temp\OAPEpJ8b64Jb.bat
| MD5 | 8cdefdad9781251d18c936186c8b53d8 |
| SHA1 | 5597475f3ec27ae582513166b3faca5d2a178ded |
| SHA256 | 4a97a4b69f8757196a3321d3b8bd12f0da609f00b6a5f52ab7a69253b4150399 |
| SHA512 | 8635b708fc7631cc26f1d769d32e112cb7c3cda06206adc3a8e93062b7d45b86835f3e9388bde275ee89dcc1f2cffd79efb6bb1217b5e56d1c5f292e77cc3868 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | aa75e41dc53dc90a741b58d891855c60 |
| SHA1 | e7a9988ae79eacde543f89d49409c829535d6164 |
| SHA256 | 796d904d949768be50185a9773a586f2f5dfdcd065da0b43d40c7c3bc3f38a9d |
| SHA512 | ed165696d22313f39649ff3982fe1082a747bd556f8065fdf26b4081e3201e58dcd6c74c7fb114f1a32c44a08e75bb3db26ee135208568bd94b63b6e14c84fba |
C:\Users\Admin\AppData\Local\Temp\2iHXmci7Giyj.bat
| MD5 | 140e7d210262d61ef74f6efd68bc4977 |
| SHA1 | d638bffb980adbe5e77c331bf831a686a4aae575 |
| SHA256 | 5de49f8b850e56bf01b573e710250d0ce413d16b9a295028462632c4a55ee93d |
| SHA512 | 29969a79ea409e4d84cd597ad394bd271d9cbf153d8875ac37a8739d2acd04542e5e1b96602f4fb09fa938a45f8857cf3b1ca0ca7f2f14697c87dd48707ce2f8 |
C:\Users\Admin\AppData\Local\Temp\6PYJedsHB9Kb.bat
| MD5 | 66fc4029a9acd691e5f69f2a98d2cb0f |
| SHA1 | 84d08c3bf46d457783e27aac34439729f560872b |
| SHA256 | 7fb1c2fc90eab45c660f2af3a5f92f868720b1980d98573bd20d77bdfc8c3d80 |
| SHA512 | 7e9e91caf28c11b30c204b7d24cf40d0047b20dcecb8abf03029a8b208cfb57bb01363c4b2c1075f22fbdc71d317d70d221503364c6c1d6d61914f256311bfc8 |
C:\Users\Admin\AppData\Local\Temp\4W704WwHUuS5.bat
| MD5 | 148f8b09cdd946b31faa1f6dcf44009c |
| SHA1 | 67848e8ec54c308e4ee97a5db7e7d1684a737799 |
| SHA256 | dbe050c06e2ad7762be10f3bf871f79735225a03a1a0191654b010733c772ed8 |
| SHA512 | 85b88bb12867f94fbba0a2178c83ef2f88a76a4ee52f39e000a889e3fb8418447f039533f91587cd5a4755ce88f658849beef0e56783c9f77844886e33027433 |
C:\Users\Admin\AppData\Local\Temp\En5pMhEb2z4K.bat
| MD5 | bc38cfc7668558bea0964482e76caa29 |
| SHA1 | 61cae5c9f5a833e44bf6a63d414e260147dfea22 |
| SHA256 | f118ebabfb6025119bf0991e3714a93ad7a350279607ebbddea59a075abaa8f3 |
| SHA512 | 5563d9987a13661eaba11a29c30967419292e9923e62b3fcd368e600c4b1178743557ddb92d7afb449fabfe92f4792ee17edccc7838838853b7aa30501116c8c |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | da6a7a97ed43a7eaa569609eb1bb6a39 |
| SHA1 | 87fdfa76a15bb718f79572c2bab68c4bb2f85d1e |
| SHA256 | d8a38604702b1c2bce0ecc7c1941f7ba0ee5d97dc8a0a8b1d01e53626e0eec6d |
| SHA512 | 83fb889f85008a72d3a3b59bcbfa2bbe824c4b898e69e52b9eef724d435dd01c039486c5cb749fd40fb1f094876c4a976a6af7fe6af1a74835affdc6e842b4b7 |
C:\Users\Admin\AppData\Local\Temp\AyLSdk6TfRmi.bat
| MD5 | 22e2fe5c1d70bb9ebdd146b9d03c02e2 |
| SHA1 | 2b59bcd0d7360e8aad733e9cad2e0792951b4bba |
| SHA256 | db8b01df69a43e0d382af898ce00b0dc512372903719b42c0fa77c8ee513ee8d |
| SHA512 | 25e9cb99abb31a04a5654ddd41a666d04849a97b2b94c05c8bc89e7ecb4a9159c56a9a87a65b8a432099ab36220005952f5068008ca1ef488631af88a7079eb0 |
C:\Users\Admin\AppData\Local\Temp\LFKIvvOnEXOy.bat
| MD5 | ae2773a9fe5c1828f5e14d5c3295e204 |
| SHA1 | 999107b5bcd25ba97db4769e60e3e3530f9c67c6 |
| SHA256 | bec17a95333f140864407721114f749f58012d70f2e3c9e490d4cb3d41d06543 |
| SHA512 | e1e5e4c46ebdb740c603d2ab5c77251b973034e34e1f4d3ededcd2f0cee84ee968fc625867a916e48446b6c3b319b2db94d903ae71baeb0b2d0be1435171b9f6 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 40009b0c430ef02781a49edcbbc10432 |
| SHA1 | f761db2fa3e08e03df5476f88fb96a51fc9230a7 |
| SHA256 | bf58666fa1fff99cdffcfbe2edad24f487894a998a94a4f47e7b05c2a5140b4c |
| SHA512 | c5ca6fec25bdd25887e0a789e56c132fd65e914b06fbe9a72d62abf66ad1d6edc8edfec3467a24dcc86bcc1217d9e3004d5a08de1e46a921f4a899a040618dda |
C:\Users\Admin\AppData\Local\Temp\f35PZncoVCIw.bat
| MD5 | 605268c14e9de363a97cfd47618bde7b |
| SHA1 | 58321be1b698344df450b42895bfe083850a4263 |
| SHA256 | eafc1efa5dafc5251f55313ccc9209c9923223e6fe2097dd18f902917086a4bd |
| SHA512 | 09af184f5e64ab2d2ec3b7eca0b03ea3c146c87365add4fa972193def6c533a971c0c4fee2f3d669776c63ce8375531a5d9dc71d52f1769606590b88314342f0 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win10v2004-20240508-en
Max time kernel
294s
Max time network
301s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EbrJTe830DwZ.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2256 -ip 2256
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1648
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQNarEzVhTTm.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 588 -ip 588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VTxv9dLA0wXu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4796 -ip 4796
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1604
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaU2WUtHDUai.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoUK8BVu0Ajb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4868 -ip 4868
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsJBeQroNayY.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4692 -ip 4692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oaOgJCBIop2J.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1132 -ip 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1616
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OVc9juTBRjTO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4468 -ip 4468
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1088
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaGk2tyPKwQF.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2620 -ip 2620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KnV3SsvxS8Nv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3952 -ip 3952
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CO6CKoCZY8ta.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2736 -ip 2736
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2UYXQYs6wAXL.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2136 -ip 2136
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUes3bsEth7i.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 1044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2228
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c5F1vXAqzgeN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2092 -ip 2092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OezrxhlFTfPT.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4400 -ip 4400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/1520-0-0x000000007503E000-0x000000007503F000-memory.dmp
memory/1520-1-0x0000000000510000-0x000000000057C000-memory.dmp
memory/1520-2-0x0000000005590000-0x0000000005B34000-memory.dmp
memory/1520-3-0x0000000004FE0000-0x0000000005072000-memory.dmp
memory/1520-4-0x0000000075030000-0x00000000757E0000-memory.dmp
memory/1520-5-0x0000000005080000-0x00000000050E6000-memory.dmp
memory/1520-6-0x0000000005560000-0x0000000005572000-memory.dmp
memory/1520-7-0x000000007503E000-0x000000007503F000-memory.dmp
memory/1520-8-0x0000000075030000-0x00000000757E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1520-15-0x0000000075030000-0x00000000757E0000-memory.dmp
memory/2256-16-0x0000000075030000-0x00000000757E0000-memory.dmp
memory/2256-17-0x0000000075030000-0x00000000757E0000-memory.dmp
memory/2256-19-0x00000000066F0000-0x00000000066FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EbrJTe830DwZ.bat
| MD5 | 01306112cd555bd26fd8fd474af7ca45 |
| SHA1 | 37d4eebf5e8835f3c07ba3eb59fd33fd63e54564 |
| SHA256 | 24226dd1ea6e2b40c3822faa9d876d13a40263850295e7aaa4abcdc7d84e3e50 |
| SHA512 | ea36dc3a715e8ebd72fb8c7ca901f1a8734535845019e890dda8509e23c5db750daac4b50378bdc30db58349713522275543db5ab362f9889d22b56467bad8da |
memory/2256-24-0x0000000075030000-0x00000000757E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 81f9adff0a19fbf136a990fb6ae8a6ce |
| SHA1 | 575ce415c97139fc52c3d3eea723cf3481bfb6cc |
| SHA256 | 81e3b98c7ce99c0d732a01226a86d66d53cab09d33df395a41cbbde3ff334fd1 |
| SHA512 | f62124ef82e69aa541dcf5c258273a1c0b3e1b8f00dcd6ee4464ae439c5c5083312285fe753878deef938e5a0a450314a05d61ab91c43aa24db1a69944852bb1 |
C:\Users\Admin\AppData\Local\Temp\YQNarEzVhTTm.bat
| MD5 | 78eeb63074443dcedda2ee5e893e37a6 |
| SHA1 | 899b99d0f9358ab4922ec239c6bf8bbb8433cc7c |
| SHA256 | ea3bf747b80ef68e1b6b7a8e8c3cd60852e42d77a9e1927427a70fd52f18038a |
| SHA512 | e4fe02a4bd4d433f7c9236835373b174eae7e942cc08ff37070e9406a69de2b24c3f0afca72fb336e3771ade0da50ba73af9286806bfea7c6c68df389de49489 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | c896d9104295f1b4c519230703c7e7de |
| SHA1 | 025072d64072200029123bb072abeec8b8bbfa0a |
| SHA256 | b69a91ba34fd3b7c08181c6f97cada0b24390202e835e9d676da0fd027b3dedd |
| SHA512 | d02c4d3ed5debad9db117cc1b7669978b07d61505953cea54572e0aa9c386651a873e8720d5d43232ebd099a26b932ed6ba89eae2a89ad565d79e0e07d0401f8 |
C:\Users\Admin\AppData\Local\Temp\VTxv9dLA0wXu.bat
| MD5 | 5f3fcecacf2905fac58a2e9337a018cc |
| SHA1 | 79e3534d57d789fdb20a401575b1b75ce9ea2033 |
| SHA256 | 0bd65fc501af58219a67b9d1fcbb08db9cdae7e0eed04b57b51702f1d386df6a |
| SHA512 | 45b504bb392e4bb79c67b19c06ec8558b5f6dd28b104d7a0c5dbeae8761784393269d7fd5e999a0e531cb6fc7cabc43f3d4601102a6307b5b759fe784fb9c004 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d2998788c6b3d1cd52c6fdfcbe4917b3 |
| SHA1 | f3eed960f23889a0768ff069b4309d91b1ea8e4a |
| SHA256 | fa93f84e655becfef5b2ef3f0014f78f374c0c28b61f0899989ad3dbfc40a40a |
| SHA512 | f869a884bb6debd8875b4d55d96d4b5ee8bb5ac70efc1fc8bc0c541ae09cf280197ef9b2654d6f0835dcdf2c386e271423b8d85159bbe61951d08b8e05c16d5e |
C:\Users\Admin\AppData\Local\Temp\PaU2WUtHDUai.bat
| MD5 | 728e13826682bbfcced19a3332569b74 |
| SHA1 | f01974604fd946bc7379e6f31a6878a3747b7ab6 |
| SHA256 | 6a215b44090e83cca83925fa050988360b7e129359c2b06b266fb33ec1fcc7fd |
| SHA512 | 03cc0e866e70f0db1426447f79fc802b79695ce2502b90fe1d201b8d72225eecd043342291dbfe4813863237a26f37f26d16078e381e5b8e25cc57b601c445ce |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | ba0bbf3f2d5fd725ed2eb28cb42fd7f2 |
| SHA1 | 25aa4258cdc1748f604b738d078dfb61c49a10f0 |
| SHA256 | 913274aa3d7544f1a07ace7c20ad1b2fd63738bbd42272622571022656876afd |
| SHA512 | ff121e2cfa579008009905b99e16323c0f9ae8164bd682e41a76a0269688f2601af6a030147df688aeb564be0f0f826b8de6daefc9676746ccb541a11aaa18ca |
C:\Users\Admin\AppData\Local\Temp\xoUK8BVu0Ajb.bat
| MD5 | 619730df4a229b38d88a6137b1d431b7 |
| SHA1 | 9688945e96eee27e8a36d97bb805716c6e0f5207 |
| SHA256 | 94c1a3d8bdee0ca8bae566201d1140cfa82731a85abe8cab1b65fdc74644d9eb |
| SHA512 | 835095d86e9d0d252cbcd09a7dff65f3ddf1a61f0c18e7e0856b79c2cacab1b3057413f0b779fe13e5663e6c7a9cd537be6ec7ebfb668ff7e8517760c448056b |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\hsJBeQroNayY.bat
| MD5 | ca13d17dd3cddfca21f325c30a223033 |
| SHA1 | 9c9e960c6631bf85deee2dce4327f34df0362bbf |
| SHA256 | 093f5c714e703ee1c7b80294e6fb90d0ca6eb78893d80b7598e2e69c4a41700c |
| SHA512 | a44fc4fa2aeff9d8d6cf6a9ab6c93af9693c06255bc469ce48fbaeb631b6474126adb1993e25b1f41537d1ef83e03d8928ae831895b487f1c950768bbcea383d |
C:\Users\Admin\AppData\Local\Temp\oaOgJCBIop2J.bat
| MD5 | de8dda894f8250eecb45979ca077ebd4 |
| SHA1 | 2d92a741e0443a2e5c40c0f02026585d014eb528 |
| SHA256 | 72586efb4bdec323f5cf7d4bb597d2c928dd4c68826844b01fb41cc9c055076e |
| SHA512 | afbb7a0d8dde3e23b22c5c3c576fb8cd87bc6b35c79d47e986103b78fec23714df067fd5c7ee2d09b17be9298c7c4f9db1e42dd7a4e981df402bc72b4ed89bd9 |
C:\Users\Admin\AppData\Local\Temp\OVc9juTBRjTO.bat
| MD5 | 9bfe8b114f279df0ab21b8b041b697fd |
| SHA1 | da04acf4fba410e9c9dddd4322e69c16cae20543 |
| SHA256 | 017bd8362a581a129dc4dafd44b024da24b85162509ebb11c39d0c381d3f8a37 |
| SHA512 | 46e600270454dd6d8bd5c041bbb11909b53f3ddcd55af9d1aca6f3c950dbafd12ac10432a45b1b27ca5c45cafa5ce75e71fc0a7e8033c3ec29cb4396d714bd66 |
C:\Users\Admin\AppData\Local\Temp\AaGk2tyPKwQF.bat
| MD5 | 651f5e0a5c57c367409df2736f562675 |
| SHA1 | 9f2f2521a4d2bf00b0c11c1ac1ea7de5343b56e1 |
| SHA256 | 235371639da3382bec4c07f3480864ea8f17051808ddadd7da88cef71e3b3d31 |
| SHA512 | 863af8dafb8d2f2354f90636ba66a21649f02d7d663bcf38af58c6f4d6f53a53ae54d07d270d7e04680ff5ff544c02a981a1f689393861ea7f80102e9f46040b |
C:\Users\Admin\AppData\Local\Temp\KnV3SsvxS8Nv.bat
| MD5 | 29b4f81e3fd151a63307f6bf349bfec4 |
| SHA1 | ed1f3e3ebf46c48ee14f98174823340ce485fcf5 |
| SHA256 | 1cc82c576f9d7b88848999e2f2ab037d65970c8832e73b986a499a463f5b1882 |
| SHA512 | f9f02f1259671910d8681c0836760eb6f8815c76b222bc5efcb1a111ec6024f1554de0aa53d177481552d368773808bb66185adce77208f9dc13431c517ecb25 |
C:\Users\Admin\AppData\Local\Temp\CO6CKoCZY8ta.bat
| MD5 | daf12d3b42e71a0b38f01e1b3686a118 |
| SHA1 | 568fe3fa18bfc86b761235d77c3a081551fa9dd9 |
| SHA256 | 532d25a8495687e0775669380a106df31afd8cabcaacdfd12fb082667e08f23c |
| SHA512 | f27cfef085e3da2c901c9290ceae45e175fc97a26a44745cfcf9463869312b26284e03719e1dd03ce6765085fcf672541fe6023d95d83ca9cc714ffb419f6357 |
C:\Users\Admin\AppData\Local\Temp\2UYXQYs6wAXL.bat
| MD5 | 9f58b0bc70bc634086ad722ca36593cb |
| SHA1 | 350cda2f13a3de07eb9026108328b3182b335146 |
| SHA256 | 4b79996af7277327716067beddc366bbeb914cd34b1b0293e63f58613854e76a |
| SHA512 | 8e8f7e3abe8dccbf83e4ff44e498ea875cfb09926c0bd390e00da50ee8bbf4088e85e36c8f0d7bddfed0062a4a32a18d0d3d7d19570511db80fcb776d7af43e9 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 4c11015866481eab7a6c96ee1f6b94e1 |
| SHA1 | 907e789b07704eb2101d4d6b9b9c93c1a075f411 |
| SHA256 | 0c1da1ce8247f79240812f35b5453011f739500e142ff59010391a1297b293e1 |
| SHA512 | b3b046c34f33876365d16d0c37af34f93e301a5d1521fed1f225bee2230b75d40b93c2cdaff44a59e8e6236dcbf8ec47f5fa080447443029ae327f9a51a659a3 |
C:\Users\Admin\AppData\Local\Temp\kUes3bsEth7i.bat
| MD5 | a6dcc80494668d9d9a8af51c3d1666f2 |
| SHA1 | c49b85720113f9c53ee8bcc1d40a90fe53a16313 |
| SHA256 | 5a97e8b4537d6e35e925906b67ed8e1a275d76909ddd3c80299917e09be902af |
| SHA512 | 179e4c8d0c3414ba17f8e1f4b3954d89dc06ac1b8fa2a7e7654678bff63d606fb6d52a6c837d9ef0430316935870547942e6bc2dc97e93b792584c1620684659 |
C:\Users\Admin\AppData\Local\Temp\c5F1vXAqzgeN.bat
| MD5 | 7bdfd547df71109d9e3b4ca151ac9e25 |
| SHA1 | 700c54c548270f6c8b2b9aa91426982cf3804c03 |
| SHA256 | cc848740f99520fd67f545397ed81d84330d51044377f93b6adaf954a78b5e12 |
| SHA512 | 0e200382156df18d7d255d5e7b7479a7302da66acb79a3bb3218d6fc559152f0611c0a28b1145c9f95be9ced4daf6e61abb930538756f9d0606c27e34202069e |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 422fca6b556e0b71e8c6dbd72674c664 |
| SHA1 | a455e9c01db1b181e49a9b474a7bf31e911718aa |
| SHA256 | e04dfb7055b51b31ad95b15f29b44c7bbdb8b5025037cf955049306dba9940d4 |
| SHA512 | 212189a30018e70735b69e301f4e38c618d23f36324507be9a7dd1a9116608c249fd762d87388d51de9e11c31e8569f4c9ee31ad26df5f1103afaf25531f5f54 |
C:\Users\Admin\AppData\Local\Temp\OezrxhlFTfPT.bat
| MD5 | d9d163a38503c9b3434da1919cd21b84 |
| SHA1 | db72c85085e66f31072d4cc12c82033ab2c6a8f7 |
| SHA256 | 5f328c5cb31b40cd343f8ec9431f5052157051952dbb1746f4c14301cae9179a |
| SHA512 | d76275d6a3f9bbce69f0326cbb407d19ca5d858c6c5b7fee4ac95101ecac28dbbb2f07d6b5b3a4e093870dd38c8c8d34f2b23b66adfecbc2ee3db4c166a53ea6 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win10v2004-20240611-en
Max time kernel
238s
Max time network
293s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/3940-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp
memory/3940-1-0x0000000000640000-0x00000000006AC000-memory.dmp
memory/3940-2-0x0000000005500000-0x0000000005AA4000-memory.dmp
memory/3940-3-0x0000000005090000-0x0000000005122000-memory.dmp
memory/3940-4-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/3940-5-0x0000000004FF0000-0x0000000005056000-memory.dmp
memory/3940-6-0x0000000005DB0000-0x0000000005DC2000-memory.dmp
memory/3940-7-0x00000000062F0000-0x000000000632C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3076-13-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/3076-14-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/3940-16-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/3076-18-0x0000000006210000-0x000000000621A000-memory.dmp
memory/3076-19-0x0000000074E90000-0x0000000075640000-memory.dmp
memory/3076-20-0x0000000074E90000-0x0000000075640000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win7-20240508-en
Max time kernel
297s
Max time network
299s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4Gt7V0Y45NMU.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\C1enktgeaQlH.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vWLj6PgL0hp4.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XRKb1mZtmJeU.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2928-0-0x00000000746BE000-0x00000000746BF000-memory.dmp
memory/2928-1-0x00000000002C0000-0x000000000032C000-memory.dmp
memory/2928-2-0x00000000746B0000-0x0000000074D9E000-memory.dmp
memory/2928-3-0x00000000746BE000-0x00000000746BF000-memory.dmp
memory/2928-4-0x00000000746B0000-0x0000000074D9E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2436-12-0x0000000000F40000-0x0000000000FAC000-memory.dmp
memory/2436-13-0x00000000746B0000-0x0000000074D9E000-memory.dmp
memory/2436-14-0x00000000746B0000-0x0000000074D9E000-memory.dmp
memory/2928-15-0x00000000746B0000-0x0000000074D9E000-memory.dmp
memory/2436-16-0x00000000746B0000-0x0000000074D9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4Gt7V0Y45NMU.bat
| MD5 | fd1be0b004854e21dc6dcc86cbeeadb0 |
| SHA1 | 2cf20808dbc2d14a600d3cdd3aeacfbdcca85ffe |
| SHA256 | fa2fbc80d5fb8dd61cae3376269c653a137f5c2ca7a558a215ded53d43804ee8 |
| SHA512 | 20001a8775ce0a9af4d9fea5a2bfe307882fb1896dd2951d818488d1e27a5ae41c0053165da9ef401f025528b5dc533f80cca0158d8cecb0228370aabef77fac |
memory/2436-25-0x00000000746B0000-0x0000000074D9E000-memory.dmp
memory/2544-29-0x0000000000F40000-0x0000000000FAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C1enktgeaQlH.bat
| MD5 | 26c8dd822b6e0817c395d6e731b4fac7 |
| SHA1 | 4e8a33c93384d5ec02be40c81f6131e164844bb3 |
| SHA256 | 1b1587bdbd7c52b3354700721b51d1a05e5e33d42565004f8522b9df08c0067e |
| SHA512 | 2a329d127ae7a419e5765b719cafe8e161d310db4efbbba842587b14ae4e36fdfeb25ff364e3528b09a72d6e797bedef7a73bca8137bfb03874567b747aa5d20 |
memory/1036-41-0x0000000000F40000-0x0000000000FAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vWLj6PgL0hp4.bat
| MD5 | bb8bb0345aa1b90c496cf53ecdf7b7d9 |
| SHA1 | 0b31a896d7a7ab05364c9446276c766025bf83ce |
| SHA256 | c30757c27b80bfbf0104f188e7eb9d65d60f5f3332d42ba179b4c8c8160d3e6a |
| SHA512 | dfd2647698bd960564b0a539088a096c6f1e510698b6e762e6377fb6a8b53b0a10eb4e3d9115484d84bf067778f64712c9cd677133a27b5a21a1ea80010ecf6f |
C:\Users\Admin\AppData\Local\Temp\XRKb1mZtmJeU.bat
| MD5 | 8d09de55fc1998c13c3c15cef8d5a946 |
| SHA1 | 1e847ad31b4605880a3ddd5c266dd274b5c26c23 |
| SHA256 | fc32fd7e59f5f838e946fb8d3c5d9a966a36a68c66778a8c91e516a82c00d90e |
| SHA512 | 71841fd3290fd6c2b57d1d02a058d009f62f3a2174a2da0fa8a1c1258b135089c38533c610d03a49ddd19f0e9ec504784cbb5b4a9d89fbb38857f6b1b60cf76d |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win7-20240611-en
Max time kernel
273s
Max time network
307s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/1776-0-0x00000000742BE000-0x00000000742BF000-memory.dmp
memory/1776-1-0x0000000000350000-0x00000000003BC000-memory.dmp
memory/1776-2-0x00000000742B0000-0x000000007499E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2848-10-0x0000000001150000-0x00000000011BC000-memory.dmp
memory/2848-11-0x00000000742B0000-0x000000007499E000-memory.dmp
memory/2848-12-0x00000000742B0000-0x000000007499E000-memory.dmp
memory/1776-13-0x00000000742B0000-0x000000007499E000-memory.dmp
memory/2848-15-0x00000000742B0000-0x000000007499E000-memory.dmp
memory/2848-16-0x00000000742B0000-0x000000007499E000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win7-20240220-en
Max time kernel
236s
Max time network
289s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1640-0-0x000000007406E000-0x000000007406F000-memory.dmp
memory/1640-1-0x00000000008E0000-0x000000000094C000-memory.dmp
memory/1640-2-0x0000000074060000-0x000000007474E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2664-10-0x0000000000950000-0x00000000009BC000-memory.dmp
memory/2664-11-0x0000000074060000-0x000000007474E000-memory.dmp
memory/2664-12-0x0000000074060000-0x000000007474E000-memory.dmp
memory/1640-14-0x0000000074060000-0x000000007474E000-memory.dmp
memory/2664-15-0x0000000074060000-0x000000007474E000-memory.dmp
memory/2664-16-0x0000000074060000-0x000000007474E000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win7-20240611-en
Max time kernel
235s
Max time network
288s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1744-0-0x000000007412E000-0x000000007412F000-memory.dmp
memory/1744-1-0x0000000000160000-0x00000000001CC000-memory.dmp
memory/1744-2-0x0000000074120000-0x000000007480E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2528-10-0x00000000011E0000-0x000000000124C000-memory.dmp
memory/2528-12-0x0000000074120000-0x000000007480E000-memory.dmp
memory/2528-11-0x0000000074120000-0x000000007480E000-memory.dmp
memory/1744-13-0x0000000074120000-0x000000007480E000-memory.dmp
memory/2528-15-0x0000000074120000-0x000000007480E000-memory.dmp
memory/2528-16-0x0000000074120000-0x000000007480E000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win7-20231129-en
Max time kernel
235s
Max time network
290s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1992-0-0x000000007498E000-0x000000007498F000-memory.dmp
memory/1992-1-0x0000000000F00000-0x0000000000F6C000-memory.dmp
memory/1992-2-0x0000000074980000-0x000000007506E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2796-11-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2796-12-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2796-10-0x00000000000F0000-0x000000000015C000-memory.dmp
memory/1992-14-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2796-15-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2796-16-0x0000000074980000-0x000000007506E000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win10v2004-20240226-en
Max time kernel
289s
Max time network
299s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 196.165.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/4404-0-0x0000000074F8E000-0x0000000074F8F000-memory.dmp
memory/4404-1-0x0000000000910000-0x000000000097C000-memory.dmp
memory/4404-2-0x00000000058C0000-0x0000000005E64000-memory.dmp
memory/4404-3-0x00000000053B0000-0x0000000005442000-memory.dmp
memory/4404-4-0x0000000074F80000-0x0000000075730000-memory.dmp
memory/4404-5-0x0000000005450000-0x00000000054B6000-memory.dmp
memory/4404-6-0x00000000062B0000-0x00000000062C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4216-12-0x0000000074F80000-0x0000000075730000-memory.dmp
memory/4404-13-0x0000000074F8E000-0x0000000074F8F000-memory.dmp
memory/4216-14-0x0000000074F80000-0x0000000075730000-memory.dmp
memory/4404-16-0x0000000074F80000-0x0000000075730000-memory.dmp
memory/4216-18-0x0000000007280000-0x000000000728A000-memory.dmp
memory/4216-19-0x0000000074F80000-0x0000000075730000-memory.dmp
memory/4216-20-0x0000000074F80000-0x0000000075730000-memory.dmp
memory/4216-21-0x0000000005B40000-0x0000000005B7C000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win10v2004-20240508-en
Max time kernel
296s
Max time network
302s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqDMB2sDAm0C.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3984 -ip 3984
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 2220
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u51Z8TcVFNH0.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 972 -ip 972
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UY6mAXKLtvDt.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3324 -ip 3324
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1088
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2xRUKPhQ7ZSD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2832 -ip 2832
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1076
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hm9pNGRDXvrU.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5112 -ip 5112
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 2200
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiC2aisRgczS.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1292 -ip 1292
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1692
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQHXFUDu7r3E.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2168 -ip 2168
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1084
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1LV0fBUoklUJ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2736 -ip 2736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QfDfszUEEBy5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1308 -ip 1308
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1668
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u4UakkzkeJpL.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1456 -ip 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1712
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7IXdxT6cIJTw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1292 -ip 1292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xgzo2TRoCddI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4480 -ip 4480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUjvgLfpTJXG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5104 -ip 5104
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIU2KDtrkyRE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4148 -ip 4148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1684
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoEIznREWKpb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 732 -ip 732
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1688
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/3664-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp
memory/3664-1-0x0000000000940000-0x00000000009AC000-memory.dmp
memory/3664-2-0x00000000058E0000-0x0000000005E84000-memory.dmp
memory/3664-3-0x00000000053D0000-0x0000000005462000-memory.dmp
memory/3664-4-0x0000000074C00000-0x00000000753B0000-memory.dmp
memory/3664-5-0x00000000052A0000-0x0000000005306000-memory.dmp
memory/3664-6-0x00000000058B0000-0x00000000058C2000-memory.dmp
memory/3664-7-0x0000000074C0E000-0x0000000074C0F000-memory.dmp
memory/3664-8-0x0000000074C00000-0x00000000753B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3984-15-0x0000000074C00000-0x00000000753B0000-memory.dmp
memory/3664-16-0x0000000074C00000-0x00000000753B0000-memory.dmp
memory/3984-17-0x0000000074C00000-0x00000000753B0000-memory.dmp
memory/3984-19-0x00000000064F0000-0x00000000064FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hqDMB2sDAm0C.bat
| MD5 | 8753cb27f2f9dfc44a5a5ddc3add85eb |
| SHA1 | 57cf5c53888ba662e2c7f075fdbaa3902e55956c |
| SHA256 | 41f827fbf96ab53efce03642d78677e9b6592d2a73b5375882384b8ea673455a |
| SHA512 | ccea575f7bfdb7db9c4391adbafce2d84b94631432bd421516ee8c387f70b9b2049fe1d3384ba798b037d7621c036bdecc12bf4a88c921363584783ddc5ee4b4 |
memory/3984-24-0x0000000074C00000-0x00000000753B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | c27558994d1d2c9991aacf3f54ac4a8f |
| SHA1 | c6558796cb6b0e3fe9798a7924bb1d6edf5942ef |
| SHA256 | 01ca0893da6078e24950d9f45187c24e1af578dc2a0455a467eaf7d2f8cb3fe9 |
| SHA512 | 6e910a3ddbac2f4603e44a4f43797ff86287c7d4cf4006401faf339cade9ffb89a80195d69100f82c56357243433bdfffe31c9aa7e663f637b85b705e1521ce6 |
C:\Users\Admin\AppData\Local\Temp\u51Z8TcVFNH0.bat
| MD5 | 1caf9e99192dec734f7a9fc1004ae45c |
| SHA1 | cdf72fa27885ceef980e52ba715a69e019d292cd |
| SHA256 | efacf43c3587f26f890e363d8cc895895c75b86853852d440a03e7c45e91b83f |
| SHA512 | 1aa2d87bed8970aa0b4728e0e64f51052e4c5da43f772df8835da8c155269c6baaa3c2a8dc330195c5cef8985fd6f6456726351115497f389525b93d254bbe53 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 28a2b9fab00c6ef72f77f42ce568f547 |
| SHA1 | 51ad8012461bad000018d05477a72c79f8796c49 |
| SHA256 | 4a7e50a33d1a6b493e27db8ba674567e3855fc21f120f0a59f0bd3532da38503 |
| SHA512 | 193f6f1a0b0887920bbd9241c0c83705e1aad6bf1f10d65e3704dc87af38074aaf3e1f4a6f08295b47259325d74f7ec71627f3d7bf6b4eb594129385e176808c |
C:\Users\Admin\AppData\Local\Temp\UY6mAXKLtvDt.bat
| MD5 | 2c5485fad0e92641163a23e4e06b4ab9 |
| SHA1 | a3fc4452e934431bc47af6b34af59409a992ab3d |
| SHA256 | 9990a4619ecd97ffffe57822426f7ef262f0655eb7283d646b06e359a273d5a8 |
| SHA512 | be51ae744dcb65f3f0806f3e42c419cee1d579feed368bafedef10d1b0741db370d0aa0ed42af7ffe1c95d1acaa76f60bad26061073474d49053cc2a3c8bf025 |
C:\Users\Admin\AppData\Local\Temp\2xRUKPhQ7ZSD.bat
| MD5 | db4f4cdcab8db7f3832c85618ce732f3 |
| SHA1 | 52a6852aa4b7a77e0f38b84224f6ce5ad058d08f |
| SHA256 | cf38bb7cdb980c731bc6b7b8ff242dd1c6880f5b786beee58b53ed85c62a0594 |
| SHA512 | d9494e72d6ef819ad76ef8797221698d173948efb78dee3be6900aa4e2e96fdc8484c2fafd92bd758420394eb98ac0c5f615424a5f05b8d0d89155697ff250f5 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 8f272f94562f1a9ac09da0116f3631bc |
| SHA1 | 6e2a9315bc529c3b7876f5fa79a188aa574f52da |
| SHA256 | 233c8f3fc183a90d4a0da9a747945887901853de5c3ce542040e49ebfcfca7a0 |
| SHA512 | 410c19b116cb1e99311c3a32d9472f80cadab3b46aa28997b970a565988125b008efe5078b0a272a01f390bd4ac3021bdbf9e7cae018dab6ba6023d9e5e2f88d |
C:\Users\Admin\AppData\Local\Temp\hm9pNGRDXvrU.bat
| MD5 | fcffa554d2c517fcf1801ea0612fb2ae |
| SHA1 | 3c6fdeeac15525406a9b1e54eefff95a9fa2eab9 |
| SHA256 | 3cedd5a31c24bdcbdb9784e66cba8ce1995cdae1902c7817b09543284e9f7905 |
| SHA512 | 32f1afb84108ef093752a390af0f8719a639290789313a1bfc1aec6a8846490d909e97faa62a385abf2a67b537da8b25530fce6256204b6c949c59962ca3dc04 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 6001f0bcffaf4135834edad4f9942c11 |
| SHA1 | 1148fc38f0f492df8abca8b635df275fc3e8e62e |
| SHA256 | a6b856700991d9f7af7432a51738ac7c93381f38ac2305a5f3f9a2340009dbc6 |
| SHA512 | d7b0400e29e8a25b2476dfdb1bda0448d8548535f3900287908f27c7b9f7a1cd976eac205019a92022df74676c54bc653b6d15106647f5854df3f18ebcb69446 |
C:\Users\Admin\AppData\Local\Temp\KiC2aisRgczS.bat
| MD5 | ca754ac2cddd63fef9feb029a55a9a09 |
| SHA1 | e2ae36d4736c68d158065338588f31bd7c65af32 |
| SHA256 | 819209d396599bbc3431d6234759a56b74a0caefeb390a290ea5f22b0044b208 |
| SHA512 | 3da4a7578de0aff120ee24be56de91f17fd914d41299831c8bd70c858fc957c243732f715c9dbe83cabd2fa3d32bddfb07f20ae12377c111138ea539cb86cd14 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | fa3846b520ca51ea5e12b173f3789446 |
| SHA1 | f33efc7b314e31fde7b85a8c8dffa312543e6824 |
| SHA256 | b4b38fbbd572e1dfceb5c355063e599bedca74b5cc435b0511672f01fb8cc131 |
| SHA512 | beda2f6dcf4178dbfa569966b03dcea18da0626fc5a3c6b8da9036ce115575bf65cd998da37cf39065e04b8d82b309d5850bb0af786fff334e9580e4fb24f47f |
C:\Users\Admin\AppData\Local\Temp\RQHXFUDu7r3E.bat
| MD5 | 3a1e261bb5f93cf8b753814a662903cd |
| SHA1 | 3b7055af2586ef578578da49b64841203021187e |
| SHA256 | 8d54fc5e1d89a01951064f8bea425a65d0b81d272ac9bf39191ddbe5f9e94653 |
| SHA512 | 85bafafdf6f07ccec1c0e6acc1c1791fc951750bb683024e36827023681099b28605b102e8e1e4c3393430b2133ed8cbdf0cee62e468c877ba354f4d78ec42da |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | cd4019bc32731b3a6893dd86630ee63b |
| SHA1 | 41bc51267789a1dce8b6647a59b983d7d65971b9 |
| SHA256 | 13c04e19eb763f716aa2fef4ce0e41ff5de99af16b99961f1fc5ea820e1718d5 |
| SHA512 | ea524a5ce3609195790927858c8ba57a1f6aa1adc614968dd1dffa60bcb174ace6aa3240c07ee3f6b6747dd7d49d4982d9bcbf6bf354e35acd6308ba22ca3ddd |
C:\Users\Admin\AppData\Local\Temp\1LV0fBUoklUJ.bat
| MD5 | ad239f8532211491ec909434108930d8 |
| SHA1 | a77bd3460e8604bb783ce43d65f1951d1abdfa55 |
| SHA256 | 9776546a2ce939ce5d7c8a4b8fded284f4f74e53e7085f2a281c7a0a09021bde |
| SHA512 | 8e17e1e311b525be58148437c830d129e0d8efb02666cca136fb381568dcd684ce1283ce4e956af6a6c36b9d70198b207c943ec9c85a45377926a85215c6edae |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\QfDfszUEEBy5.bat
| MD5 | 3c5ee841fb936aba189f78bb7e060b89 |
| SHA1 | ab693632a08525dff05f223c04581e34546a1f26 |
| SHA256 | d8aa3433983b0dff4afcdf85b833973e573ff17ebeaccd5cd172b4ce68e32e4a |
| SHA512 | 023a635b982c8fccc84e8860ef63056e7b986140490c9b61d1faecd521b8e8c968973ad2ebd2943ad05630cd25e30713bc1a47a1a49fe7de1c1b588e0251a40c |
C:\Users\Admin\AppData\Local\Temp\u4UakkzkeJpL.bat
| MD5 | e3c852221c9566ccfb721acd66942c86 |
| SHA1 | 328e1f95114fc9c0f2dc388dcf41f68f0704ac61 |
| SHA256 | d95246ba89b0045454bcaafcfe2eebe61f1055daec17fd0c4a8bcbaeaf765f60 |
| SHA512 | 3d00b8540f792e8616843623b92b9e70d3bc8bdaa3ef641c1cb0196cad6fd0cb68251b6cf0eb1d17af55c6e0a982879e6086a525f5e6986386080fc9d98cf503 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 5cfdac76a2624c4f0d487f05d0bd3d44 |
| SHA1 | 5f336cbdcb7d4711e2c699336935f2100768aa83 |
| SHA256 | 6b36d7a32ab9141424f9acd7c73260c9d4b0273e9565a169535bd5c2740922eb |
| SHA512 | eecf8e555dd74001e7863eae50eaa5a9da2ae543a07ab3d26a9ac524a36151d50c5034f5ffe4c7eb1ce5e7d2ffdb8356ab4f45a75c4fffe407ecb24f16a76afb |
C:\Users\Admin\AppData\Local\Temp\7IXdxT6cIJTw.bat
| MD5 | 7a80df2e2bc935a2508cda17d791f89c |
| SHA1 | 71249f294763bfd73ce17671c4c33575b14c1af3 |
| SHA256 | 871810ed7779c11df346ee0ce417861c5141236b9185169b61c38929d3e8faeb |
| SHA512 | a2d6b411fc01979eb787bbce59dd350512b878b02d52a33eb828290615d8111e44eb23f7646bf6a22e72910bf0b441606d8409d150d9fde79fe411b89312019e |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 6251e8a98f8f7ded4e4fc3a01446acc4 |
| SHA1 | 79fad1597b4dbff16ddc459c5f2b770c87145440 |
| SHA256 | a64a3f74793e5fa002bf6f24dc3a5287914cc30df884c7354ff00326dce7b9b0 |
| SHA512 | 0126dbc6f089dd2782a28ca514a95fc8d843aaf0440e2717103f0596055c662b3f403b2915699cb95279f73dc4741a7bb00c2309cee54300710ade34df973aa4 |
C:\Users\Admin\AppData\Local\Temp\Xgzo2TRoCddI.bat
| MD5 | 341f1a34f1bb0bb74cfdffc83c6aafec |
| SHA1 | dd9388b1f9757974196e29d14d8ccf22e5f53ff3 |
| SHA256 | 75db160efab312251dc0f4946daf3b0a4a4564a76b948ccc3a1f7f0c3ace4b28 |
| SHA512 | 1f4fff59de7d64a7d3b7d5402f1c14c36e31a0d3b517d8cf133cbf8f9675589e070d0a978e04fa2e841fed6759dc3d6a54e7decabc3b471ad8575c7ab4ec325a |
C:\Users\Admin\AppData\Local\Temp\rUjvgLfpTJXG.bat
| MD5 | f2df2a4f6b5cce23c820f5243a7f7f4a |
| SHA1 | 4f9697ee4230f13f88d78ff6fa2ba9412bdcead5 |
| SHA256 | 40f01deff79b74b7d157e3c1caf1a067963bfdc2d1b8211a88cd98c398a0ca26 |
| SHA512 | 00f597942528cbf8b152ff19505992db9ba21a254729c5242e7fea5e09b9c6b182d0457dcd9b3b241ba9cddebec3574785954b96d1eecbb71fb0d75fb425ec1c |
C:\Users\Admin\AppData\Local\Temp\BIU2KDtrkyRE.bat
| MD5 | 18aa3f6254eb97b195a1113681c9c89b |
| SHA1 | d954717d226673a0690e7ffa9de30832429db554 |
| SHA256 | 1ae158f90df3253b1a0687a518b9f51409f14e7c1feeff85332903ace0de5f8d |
| SHA512 | 0e8d591181d8a3b21fcf8688fc6c0be1bdb86afaaf798da1ef9e8438ecbfaf3c5c8239366863f3745b8a0a73a66057759399c9997b4ed605091f5dd9873e5685 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 275650efdc39e9dbe8caeb6d3d4a26ae |
| SHA1 | f18cbd9811d406ce982aa532e96e39ba8b8f9927 |
| SHA256 | e181c307f566beb1c6433b04e3921724ec1787cbf30a7a3769887d7ad70378ec |
| SHA512 | ae2ea792d98a46a13af06f6df25376c5d4d035d6d3269d1e997e52937c27114f5faa25c1a77f9b6a8f8f8618d2acbe3470ab1d1cb8bf375f3b9023aa708b0cc5 |
C:\Users\Admin\AppData\Local\Temp\uoEIznREWKpb.bat
| MD5 | c65bbf2baf10e696a8d1c3c5d8b64ab3 |
| SHA1 | 2c924f297e0b1fd3f43ffb43ea5bbac85700ede1 |
| SHA256 | 57491a77bb18b7cfa837c7fa6003f92ba77b96e4d0eae43d0b82fc8cda5cd23e |
| SHA512 | d45958e46e7283574d906556c40446bd75b21ad610f897ca62861966b2f2a778142654031ac9fa82abeafc34d048e51a2c14f831059d407563a810a7b19b2f20 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win10v2004-20240508-en
Max time kernel
295s
Max time network
301s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7GCofwvtsWku.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4944 -ip 4944
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1200
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qG3J3hZSGewW.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4992 -ip 4992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kNaQQY7YTCzK.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 688 -ip 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1608
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TNQvoJl7qKCv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1644 -ip 1644
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1636
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z7HOeolfw2Rt.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2364 -ip 2364
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 2200
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ritXWk3H12yZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4088 -ip 4088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWdeAcHJIhsX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dPFe1pEZtzvo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 872 -ip 872
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3nhp6qZloJ4A.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2432 -ip 2432
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCykyb4GERvQ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1512 -ip 1512
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1688
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r0ircSIIV6pO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2408 -ip 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Hhgvdac3CRe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1668
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\floT0joMnxRC.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1640 -ip 1640
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQEv2zJJ7M2V.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 972 -ip 972
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcMs7psOMpWS.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4640 -ip 4640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/1924-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp
memory/1924-1-0x0000000000EB0000-0x0000000000F1C000-memory.dmp
memory/1924-2-0x0000000005F80000-0x0000000006524000-memory.dmp
memory/1924-3-0x0000000005920000-0x00000000059B2000-memory.dmp
memory/1924-4-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/1924-5-0x00000000059D0000-0x0000000005A36000-memory.dmp
memory/1924-6-0x0000000006650000-0x0000000006662000-memory.dmp
memory/1924-7-0x0000000074AFE000-0x0000000074AFF000-memory.dmp
memory/1924-8-0x0000000074AF0000-0x00000000752A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1924-16-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/4944-15-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/4944-17-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/4944-19-0x00000000067B0000-0x00000000067BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7GCofwvtsWku.bat
| MD5 | dfec0ac1ece1808dcb5fdc7d05bc9bdf |
| SHA1 | e051a19cf179c5ef8a8c638f0dc30a5e2ebdf3fb |
| SHA256 | 4d7209e49fa66dcfe16491dd6ed0572d3313945ca9f16dd8f9d1fdb84459e91c |
| SHA512 | 7ab9499b056cf13dca8f7ee391379f3ef736f28f9b0cbb8dceebb6ece6565084d96d122bb120c5297ef534e07b40040260e0dfa2882346f42a4a97db0b4e9490 |
memory/4944-24-0x0000000074AF0000-0x00000000752A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 5a55355d24091ad683ced0c1825eebaa |
| SHA1 | 5e159d46537ce1818ef3b323f5e8a6d26caaf088 |
| SHA256 | 484e2a9c890fc5e9c9c1f817fd777e5526c6ebded498cc992b7d4a47398479e1 |
| SHA512 | b586d8adf48525cf41c81c917dac21ddd360f5cb6a9ee54e50aae87ef09cd21dc549a9859e755ec8f8014e16f9fc25113059bedb8be3426ed63b34bf4830673b |
C:\Users\Admin\AppData\Local\Temp\qG3J3hZSGewW.bat
| MD5 | dc2d10dcfa11bc064ffb4ce5aa75015f |
| SHA1 | 7c17f89742b0cde18ac0e0cf2ae450e35668cb97 |
| SHA256 | 55ff4bb4504ddaf619a2efddae75234e87942ccaccb090bf0577a747d3634984 |
| SHA512 | f17cec990e144f92065295b42e446eb69f4672124654f93f7ca53260450712ea4be21c9f86d47acc07f4f06cfcf470835b6c5547024a337c7cd7273000ba9227 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 7e9027e933e4326539614b8e76acd364 |
| SHA1 | 8dceab2516270f0d393526fd3dcb52fed22a82a0 |
| SHA256 | f71e2a3207068ae1d7017025efb834c0462fd0e2fa3b9e982234428c65a72dc8 |
| SHA512 | fc3ea417284e635b4d7ea2b05cd1acd0e11e3bb6b047fc440a524c184a2f8cce1b1582db67fd66dadde487ee9da1c161ade5351ea5977fa59f30e9ef9f417053 |
C:\Users\Admin\AppData\Local\Temp\kNaQQY7YTCzK.bat
| MD5 | 3d03d86bdc99384ab0743ae36141c5c1 |
| SHA1 | 37abd84fcff0e5083aeb91c149012a3ce428aba1 |
| SHA256 | 2417652bd6af07225575659512342f4c99b1d12e7f9bb0b4e3793fc939431209 |
| SHA512 | 85fa951f529ba5fa58f8f78d6a45dead7c2c98ab39c5c13eee348bafdc07358ce86b031e69385c7769b395946caef7bf9e0e64d84a365038d369fd3f0206f575 |
C:\Users\Admin\AppData\Local\Temp\TNQvoJl7qKCv.bat
| MD5 | d1b685e6acb66e653919dc221f7f4b16 |
| SHA1 | a6e11300c9069c99456c1de10123a5871673004b |
| SHA256 | d705f29b06f067628f6051d8b32fb2f6a183540097140e60b1e38fc961a5ef72 |
| SHA512 | 5bf4e7fb630cf85b0c23e42893ea3b9268819ba6444458915a00e4d5e0632706eeb27dd79dd93c1a2138961c51b7668c4331d993d1a1dc514c9ccf5504ccbb77 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 5fb0ea6c43acf982f9fc694fb873addd |
| SHA1 | caff8af2cc30ff4c702047d09679b2d907a7d56c |
| SHA256 | 34de238b4102e7fba852f10092ad02bf0aebf83a1445416fed7846637bea6ff3 |
| SHA512 | acaee88dc8f34b70152448ed09f0c2f7936a2da58344fa85d7270971b18dfa1c11cd2c1d39e9550f501ac57e631968dc6a802bd4c9a604fa40827c219155820d |
C:\Users\Admin\AppData\Local\Temp\z7HOeolfw2Rt.bat
| MD5 | 0567590aea33a728301f29014aa9a633 |
| SHA1 | 0638d43fba7743d2269c9e2cf4e3d573f090d977 |
| SHA256 | 8e433cf1f7fb70dee8cd8cb0b062e596bb0b770bec325deb26ae9c528f8f5d9c |
| SHA512 | 49e14fbfb6faf701764ecfea8aca41ec2ec49559e7a668e8f6a8b6a0bf027d355628c450160a167d30f9b75081a79a42b025584f0ffd688b900f65ab19372101 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\ritXWk3H12yZ.bat
| MD5 | 013f843bb8b08562f34940cce5b769f3 |
| SHA1 | dfc8a6dcc562787cf59618749d9cba39e3e77bc4 |
| SHA256 | 191755105482b5931a9b954019e5cfd472a9c67af436d4d38ad363e3908c9ec7 |
| SHA512 | 76949a5de49e974eb7136808b6c449f6435636821e590e1e4978618f7757674b8c79d772e0bf2d927ea25a537a6af768fb5d776f90a050f142f3555a8237a018 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 1f2df5636bfa24776c47e681b09d9c6b |
| SHA1 | c5cfd8ed4aff00f6a980c96b7bc700f77c868baa |
| SHA256 | 0ce708f309930092b2097376c0f482bcf3b972b18f7f54c60022f819d57ea96a |
| SHA512 | f1866836f98cf9f29c0e2f29062612da2b5c8fbf7efee06b80aee083593e3365b8e5424c00fa6d5b369b734990e8bc60ba5c39aa1fd194d5c439896d05e4aef9 |
C:\Users\Admin\AppData\Local\Temp\BWdeAcHJIhsX.bat
| MD5 | c76220ae32a41fa53f9e0d72d199cde6 |
| SHA1 | 784a27069b13973d511226d66bff53ed34709d84 |
| SHA256 | db4fc1948a28b6c22cb4b560527ea84b34be0f0a97a3137d591dec47601b3e2d |
| SHA512 | b71a126dee581c5d6f0e127cef3812dab6adabadbd3a75e1c484c9a2105eef4a0ab83634f0c7d15ea4e1588d443972faf5acdc7a12d930021fcf2ee28513bc93 |
C:\Users\Admin\AppData\Local\Temp\dPFe1pEZtzvo.bat
| MD5 | 8c2500d32d227758855b203290c214db |
| SHA1 | 8bffc60ac70ca90e5005967a5f4d9a5e6dacd051 |
| SHA256 | d013b576cc29da716c412a3020eb69ba7eca9676f0115d9a229f2e43e2033c51 |
| SHA512 | c179d1597b3eb67fc006ba2959ed76d987fd23236c6792f43642427e14d44e414316034c49711d1a7f06d78d4ecdee1a2b47e440dbd5080d976eff20c74a2e74 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 41eabc78f57712064f3f3fd258e9281c |
| SHA1 | bb22cbae4b054c6c26bd775b066f99362b8e7653 |
| SHA256 | 95d7d8445951eec3c5e2ad80f905ea0da430a92569dd79b49a35e5391b11f293 |
| SHA512 | 4c4dd067868606d7017ff1ecbc0be75392416a56ac88a44523f48c8230dfb2b0d9060c0d2090a94eea1711c8eb5467a29b8a76e58a16d3d3ffdcaccaa3cef47e |
C:\Users\Admin\AppData\Local\Temp\3nhp6qZloJ4A.bat
| MD5 | 187f18774235d8c0c20cd3ba44934797 |
| SHA1 | 0986f85c6f1fdc05e439b4125f0d4238c53e2e63 |
| SHA256 | 3e764043b9a09fb5b1b26d5bd2972744a31c10a8ffb237194968edbcc48a97a2 |
| SHA512 | 74f7a440f9d5f13c26d906af995ef90bd210344c31c13b89106057b48d1317df777f5cc31189fe4ab62413f7b9be0b0124974fd5b514149b7ef4ca164d1b1cbf |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 084768f2bc752c4a575221043b0d02b4 |
| SHA1 | 3f6f34ca1f5e3b77f191c4d45f0d7d8ca9fd299b |
| SHA256 | 220273e49a2d850d08269df66d5c6f3a809b46051368af68d353ae384000c8e3 |
| SHA512 | 20fa6588fbdd43fe9a147a1f27dd3536c94f1ebbc5b45bc12e31cf5a4d6f9b498cb0e0056581ce2f42856fa869dc80f5e832b076125c6e15bd41559c6aa40a68 |
C:\Users\Admin\AppData\Local\Temp\XCykyb4GERvQ.bat
| MD5 | 7ca0d3a0614503ec7ab87cadba703d69 |
| SHA1 | 243129516a609f81f703f6b3e3fde06732458b1f |
| SHA256 | e5fc0817c2df41f2c6485d453ebd50da08eb6da4db5930837cf2e4d33516e7b4 |
| SHA512 | 3ee959071d063c3918aea00e1cf7403208ea3eadf58d229150f5cb1adef84753575528da88c646e77910a15ec89d414b4e8c04795e603771dc3ff404ee0847bd |
C:\Users\Admin\AppData\Local\Temp\r0ircSIIV6pO.bat
| MD5 | 4ace390cb03be6bbc18fc535b779461e |
| SHA1 | 287c84679c1e7613e305d9fd29cc150587361cd5 |
| SHA256 | 18fd75333773f6c0c9c24e6aadc132ba3aa965a8c774e8d5e4e412e63f564dce |
| SHA512 | edd4355fe00375d5e3045024bbf9c4a12a40126321d0be456dc042dfca1459a8485893670d92f0b602f031b99873f597d53dd2d0b22e077e37ec00b46f4c5401 |
C:\Users\Admin\AppData\Local\Temp\2Hhgvdac3CRe.bat
| MD5 | d944ecec0dc7738c0edb89f528cff59e |
| SHA1 | c0c462b53a67d7b6fe276e63644d7604d85c8cf7 |
| SHA256 | 3a1194492ac545bee511930108e8e73c242873443d5448f7e210515b81758bcf |
| SHA512 | 161a1b77e3749f0d7c24e14ef48f654f18c444548c8c29595334392da165736d38355790766bb5b4f50e1c1b4296cc0c91d7182ef64c202c60ce6646577897ee |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | f441f876b641f662979ee61e06353aec |
| SHA1 | 6f58e92806b7e1b7587d75f8bac41bb8dd29756b |
| SHA256 | e9e1812399c3b67063fd0c900f3075562f5e83dafd322d4b2f40a160415d9e20 |
| SHA512 | 85acd71c5c360268b8e3d479db7652bccbd4e4737dd2f077b6787348ed2d3bc0965da00616779116d69e5d97683d98fa8567ff33393a98d65c6faa8454e71b27 |
C:\Users\Admin\AppData\Local\Temp\floT0joMnxRC.bat
| MD5 | 3b359322ade70be95ee93d5233cc4da4 |
| SHA1 | 9a7d19000797f1863828157f88d9e56057805c1c |
| SHA256 | 2b8111138c0a1d3d23378437697427efaa39087cdb020ce1544acffb1cf7046f |
| SHA512 | dec084cd7b91cf468ca136a2017f867b9b64f390da3daa7790bbba9b3b368293af139d60a36d71ae9a6dbda133e3e3bd2af97d093f15bad7f193a85d7fdca556 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | b4fa6bc75f439fa020cbaa149f3a086c |
| SHA1 | 39c5e35bbbf8a42372ac203d8f136b7972f2655f |
| SHA256 | 2e8b1dcd2fcce77508d8232489bbc0afde310177c37d8a4e416ba343c7a8fb8b |
| SHA512 | 0b8a68f9dbd5de769c6ae0a7932bd23661e1f8641f0528d8f71466d5ee98ada2ab36263bf373d6c64bc1bb275fc48391456dc7761e2b01aebca08a6eb717f9ae |
C:\Users\Admin\AppData\Local\Temp\cQEv2zJJ7M2V.bat
| MD5 | f57f078ed759a9af4738ef9d307dd968 |
| SHA1 | f756904b4edc698e3ce473bee6a07e5a3a094f0a |
| SHA256 | ba23c6a96c3a2274bf2c7eb632704569400d82fed97da2e8a25b7f58099ef2a4 |
| SHA512 | a8b6d412613d8634ef0fe210db14bb6be60f7d87efc633bb755a24fcbaf3cfcb20004faee1585461fc723d5c320976f3846dd37ed86bf6621a993413639119b4 |
C:\Users\Admin\AppData\Local\Temp\fcMs7psOMpWS.bat
| MD5 | 3d723b602d36dbc5cabf30148d3b3927 |
| SHA1 | 16244daef57b2fad0063f08eec809f60385ebdec |
| SHA256 | 8dfd2a4f9e7be0e3d076c65342c55034ca7c5acdc7e98acbebfb148154f2cba4 |
| SHA512 | 1a3459aa2a949ac34e513fcf74d601af5b7fda2cf1c142f87888b2b16751d722a5690883c6eb1b6accaf8617165f376aef62418c57540a5e996d52062f1c60ad |
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win10v2004-20240508-en
Max time kernel
298s
Max time network
305s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c8q3rmnBFtnf.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1976 -ip 1976
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 1636
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RjOcggZtFgFf.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 852 -ip 852
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1608
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iW69HWG2R85y.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4868 -ip 4868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NW9vsXkGJSbf.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 596 -ip 596
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 2184
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAR936GkSTUA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4600 -ip 4600
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nLkMMBeWB8GD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4340 -ip 4340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwMVD7w7H8ns.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2800 -ip 2800
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1688
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqmEr43hNDX3.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4816 -ip 4816
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 2228
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yvPpA4ZvGRTt.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2332 -ip 2332
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2cga16j5Csql.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1372 -ip 1372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKSabuFPyWtd.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1636 -ip 1636
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7iumgvaasq2z.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3816 -ip 3816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kC2Zl1oKcb2Y.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 544 -ip 544
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0zywc9s3OSFc.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4596 -ip 4596
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2B6tiyR8cuiZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1180 -ip 1180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/2612-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp
memory/2612-1-0x0000000000DB0000-0x0000000000E1C000-memory.dmp
memory/2612-2-0x0000000005D70000-0x0000000006314000-memory.dmp
memory/2612-3-0x00000000058F0000-0x0000000005982000-memory.dmp
memory/2612-4-0x0000000074DD0000-0x0000000075580000-memory.dmp
memory/2612-5-0x0000000005850000-0x00000000058B6000-memory.dmp
memory/2612-6-0x0000000005D50000-0x0000000005D62000-memory.dmp
memory/2612-7-0x0000000074DDE000-0x0000000074DDF000-memory.dmp
memory/2612-8-0x0000000074DD0000-0x0000000075580000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2612-16-0x0000000074DD0000-0x0000000075580000-memory.dmp
memory/1976-15-0x0000000074DD0000-0x0000000075580000-memory.dmp
memory/1976-17-0x0000000074DD0000-0x0000000075580000-memory.dmp
memory/1976-19-0x00000000062A0000-0x00000000062AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c8q3rmnBFtnf.bat
| MD5 | 24a1a6842324903ae07ae31da62b355c |
| SHA1 | d961db82d7d430d5156a859a02d08138204e7915 |
| SHA256 | 83c6f5acdfa0a77d4418d9cea389c65230d5bb5e1fba4b83e4a70ab0ce7b7caa |
| SHA512 | 126ea8c0d9c0f050a053315cbbcef79c2e571921008a29b73d61acf5ffce87608ae5b022c8937c85a6f9907a034652be4265ee79b3a8dc906f5e2a62f36ebf39 |
memory/1976-24-0x0000000074DD0000-0x0000000075580000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | ba3469deeb494c4eb8e0e32e7117d1b7 |
| SHA1 | 1dbe426441b4ecfe822154ffedc3d22897a97a92 |
| SHA256 | 0731b86c74e20476a391b2b8f6d77b50661a0ee049a9c099015ca68b484fd7cf |
| SHA512 | 507727a2e40042983f9921615f9ecf5969345b412a42e4613b4b7d593bf509c55bcc8b2996adffec801d42bb82365dfbf8bed30f21d4e3536130d1e112a7216b |
C:\Users\Admin\AppData\Local\Temp\RjOcggZtFgFf.bat
| MD5 | 3602838911e84e18d9b5102bb3723d3c |
| SHA1 | b0f0d2b3ea45a2d4594cbc72211e4080ebb9c228 |
| SHA256 | 7909d7eea1fe06388eaaf702fcab6f0ac8ceba5ecaa0823aa1f54fe33ab9cec5 |
| SHA512 | 78661df543278c9d59741061b398599a88cc272c37002e099c23b2ab0fb2a25ddfd37ade20d033727774b8e2676cebcfff89993d2b930d29e6f9e1ea95e4e860 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | c484b2b91ff0bf05b6e695795de9ba17 |
| SHA1 | e07ecaa39c1909965791b8426102a371bf4f84d8 |
| SHA256 | 31c68483aba79de51d3d750a5d4c341f264266a8a422f54d5065ba2d7894f24d |
| SHA512 | da528746cd1c04ca5ba18517fe20ab86cea3fbc65e6269acfbc8bb7c9f717f969d4470fe95814529cfecb7ac7e5988a296b5cf120ce0348908454fd97935af0e |
C:\Users\Admin\AppData\Local\Temp\iW69HWG2R85y.bat
| MD5 | 177a4ab9623533898a8d2307414be81c |
| SHA1 | c5ad792bc4c8a837a1345339777f17b61445c139 |
| SHA256 | a830d56a5d194f2946bd4cf905f73f307c2b67689c955ae4027e6d5ae1506f8e |
| SHA512 | 2ea48e6ce05f5a889ded24555ca2d933061bb06e215d0cceb6ae158d9fcacb522aa2d7986b5827daeb26df4501de9013d2f18d1109fea4460442d78dbeacd16d |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 7b6a7cfdd8bb7abfde2ef5def577fca6 |
| SHA1 | 3e612616b6e8a42af50907e6189cb5c25e457603 |
| SHA256 | 2e2f08cf46e18b85bec43d416a95d3fe2a412a7e2d448aade7043a588d363393 |
| SHA512 | ab9cd7ae936f1a771f87caacd8ba8d005645c49611a3c5fbea1ae9771f84b0de30b4da3d8310dc96001efdcdff0c308808394300efd280703a221adb1ef60f4e |
C:\Users\Admin\AppData\Local\Temp\NW9vsXkGJSbf.bat
| MD5 | 76c26ee0821bc129dccfd953c76b19c9 |
| SHA1 | 4c86ef5a7dcce2fd309090b77fab54d24552adc4 |
| SHA256 | 0da800d46b008ea0e3cbe96acead44c778ae7697a84523ccdcae4bd3c27dd588 |
| SHA512 | 5700f49daf806a2e935233ade0090fa75f4e45b0c1fb84f172f24a056e8027b7e49d1569dfe97dd4859f611358ce8865a3efe5bb12fdaf94501bea78e69ee7d0 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 68f656a4f5ecb4f8c4609525f6c545a0 |
| SHA1 | 6b57dc67c28badb85357a6194a29add9b9ebabfe |
| SHA256 | 57775c019140f5d1998b4a3bac21d8ad4196c71e75dbfed64dc9a447936dd255 |
| SHA512 | ddbf8cd7970a2f792629d1b95ec5696b9a1cc994a8e3717903b06118c62f37dc3648b6029d5ef3c68cae45dda6109ade4f85bbfb441bb1fb0d56bfd6d0ba2f0e |
C:\Users\Admin\AppData\Local\Temp\oAR936GkSTUA.bat
| MD5 | f202c2ccaf3a008a1f9cf2400e92218e |
| SHA1 | 75b490c81f4acb3bb8ed3308532331fb861ba6f1 |
| SHA256 | f877fb4e0b417b9c9dd588a9c309cd3961685d2b2a6f4d4e24015de23e130a6d |
| SHA512 | 511230a0cbe335b3ad725ccf4a4777552fced722a655239b375c398d6d75e696aa9c5e75c995a69bd7314ad166b1e0de933c1d7a00f5d2805c80d3874cdf8571 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\nLkMMBeWB8GD.bat
| MD5 | 094498573400594563d248579988eb4c |
| SHA1 | a720d55c9fbd1717a22ed00810c216b4aedb6eba |
| SHA256 | c329bbc820beaede675cfc5660c342e96c1bba504c3a86c8e8687e9970a30ec9 |
| SHA512 | 1e6b1eb692b9a352e989e7beb6c3258f7e598264f5f45b2d6a28a8c0d2cea594d372f12618035623c63782ef5bea0cf500a71505b20f826ca5cc4308cf8d59ad |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 1edd6b6d77314677b01cad3ae02168c6 |
| SHA1 | 667e64f3fd107192cd6d3ab67c43f544ba0adba9 |
| SHA256 | cbfb2053238cb3493c5445945208a399de67c47b320d2505cf49a13975e0ebd9 |
| SHA512 | 10685c70616ba665221c81ae464200bfd2c78200cee11285eb8e8d3659ecc9a66ed512b6a8bd0e0e75a4d2b38285dcc6d79a0d0d862035c6206627e8aa989c1b |
C:\Users\Admin\AppData\Local\Temp\fwMVD7w7H8ns.bat
| MD5 | 0ae786025a0e765c872edd09447713d7 |
| SHA1 | b54cd19db06ee85bd4695c39e8161f894bbd9c5a |
| SHA256 | 5591e1044cddc86a284f551831c6fe0ccbcb79ab8ebae5373ff631d0c1d5a675 |
| SHA512 | c1df28c7ae27ca7f11c5f7fff604fa699607f71ca1a4e5e05e6e88858f7879a12e4d02722a388dd6729cc8145df80fb17d971cfc7545f49e6f0f3152c46c1594 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 87816129998f9bb22bf4e92958f57397 |
| SHA1 | 5a4fc17ced7ee7ced1ac33e8fa254d4fb6c46588 |
| SHA256 | c008ca418a9d3af7774b86a33485aaffdea8218a47dbbb8cfe8a16c47191415b |
| SHA512 | fd5b323c4a819890aa1007290f385c826eb0b53246668fae89d4a266a8a3c8dc09b1eb78ae3e16d95fa910f186e127db563c503783f4dd15fafda8405e2a12ac |
C:\Users\Admin\AppData\Local\Temp\BqmEr43hNDX3.bat
| MD5 | 78f1472af2ea6069f62b6fdb152b7720 |
| SHA1 | 343ec998ec8ea5881b911c8977df6bac28a7e068 |
| SHA256 | b87fd8dd7dd0871f99cfc7144aca24856e709897f2ce0e27f3c53dbeba8382b8 |
| SHA512 | 20598058be7b9df95eaaa152cd3f0f17f23597df63086ea45aae997b21e80fa63824671df56e1356710d2eb7203120f0df5f52b87e61d4f10b86383fe5ab0242 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 9f86567fa629482edb846bc4d8805964 |
| SHA1 | df33899c9e70c05494d7458344afdb5058bc927f |
| SHA256 | 61d2e9fd901facf5d5593de362d981b75b50d02f4e5960cf09ff9c980262c407 |
| SHA512 | bfaa73d31aead9babf2576712fd825cce11f1c2f655faae23f86c0253d98a1af32cc4393d193c1dad99037bf5d9770c112dd78813b6f8d24b52cb586a26a4b83 |
C:\Users\Admin\AppData\Local\Temp\yvPpA4ZvGRTt.bat
| MD5 | 675c1fca2861fd63b24cb6a52c6ad6a6 |
| SHA1 | a172d3d8a5387b058f4940187095dfe202bfaa5d |
| SHA256 | 3f10ae51b5dd237920acbee7c7c715fba00cbb00a2304898444c50742772a38c |
| SHA512 | b60ccd42b62e3e64de870a887c8f14f0545499801098d492a8060482e5c6b4ccc437cf2604f363aea609be10e8edc89129d947e3b9c0c4f24d85fb4d46515d9e |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 9f8e870d3ab7b3dddc4c2ce5dcb247b9 |
| SHA1 | a2a606bf6a6fd5f0367e1d76c1837bdf5bb2ef77 |
| SHA256 | 502ca69ffd1d31c5a59edcefd42eb1d6d9de395ecd37c5d006ded63c2890298c |
| SHA512 | b26161901fd7759a183d6a24c8004b555312e1ce9df71234c63503ab1335f2bd6054f4479da499ce9ea4652300b6d4ea583d55b570d18b03195669c2f670ac68 |
C:\Users\Admin\AppData\Local\Temp\2cga16j5Csql.bat
| MD5 | 76b21c344db60e0821985ba9e8031030 |
| SHA1 | aa14fb61f9698d9d46c805278fba81345847ec31 |
| SHA256 | 6022249a7d12650668d44244a1e213212a91e80d725bfe0e2d6970bdba09e723 |
| SHA512 | 623b8719ce4e1ac766bdd95a4a042a8175423b1f527b1e857bafd60e13b3c8a86bbf5f17f40aa04d8da72ee3aa56559da9a49698e7dd1c134a4ed6db39ff9ba9 |
C:\Users\Admin\AppData\Local\Temp\hKSabuFPyWtd.bat
| MD5 | 2baab2928e0642b5bb098fbf6b3d4fa2 |
| SHA1 | ebedc2c6a5bd4e1f0b1831a4d9e7ef9005aa1b86 |
| SHA256 | ce81b8eaf87c92503f45ee796f2becc7d9e54f72abbc95c6103dfcdc144626f6 |
| SHA512 | 796e5f4b38df564009aa3181cf7c16c5cbd781215f65363e04915e864fbffc53c615998357bcfdb3d64f9a0ce45fdb7026b62a7c2fa7511384a5068164093088 |
C:\Users\Admin\AppData\Local\Temp\7iumgvaasq2z.bat
| MD5 | 9e4308d767510b13cc4347789fc91406 |
| SHA1 | 315886a5b390673366b479659ba33b25c692cd7b |
| SHA256 | 75fd03ec4e1d0ac45424a7b2d328b60d128498f1a90d89bed4d4ae8862fac183 |
| SHA512 | bd7637188cbb444f821184892d1f837e5157fc319d2c03c72bdbb3379b592d9a540276ba5e1e88c6a2ae7f90b81c20b8795f789f8495324e99ce1e25b478c637 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 0c861cc6a74a062ccd823da372d9b0e7 |
| SHA1 | 3a3e49c14fbd9870fbbdc1bc7ae0c00e5886d0a5 |
| SHA256 | cf4383fa284d0d5ecd871b43fba45e0e243448abe115a89c190001620aab7a65 |
| SHA512 | 5e37f6c094f11cae7ec45890751ea442e94ecc16a1441b548d8d69451f04c59b2274b94d5361a3e20fc2887a1cb8d0f18ea1cf11d5d8680f49577ff511c6d305 |
C:\Users\Admin\AppData\Local\Temp\kC2Zl1oKcb2Y.bat
| MD5 | 68e9a116255ca66b6bc6d23aa4e2d873 |
| SHA1 | 47056dd2f5ec94653a6a7422fb3cc1a28c98cf41 |
| SHA256 | 02c84388b1156fe97858b10f7e96e5e29734a0edb33979ea9296e85ab13e6216 |
| SHA512 | b5e86db1c8e24ab2d3badd6f6fecd710778c6bc330c5fd6922de655d416732027ffaa03c639367dfea83f3b46c36d5eea80d72fe054021943b3d921ca4481873 |
C:\Users\Admin\AppData\Local\Temp\0zywc9s3OSFc.bat
| MD5 | 762b915faf4c8943e9bdeaf8c8b32da7 |
| SHA1 | 0dc2f2b2d953b333b05ee550296f3ed3f8efa062 |
| SHA256 | 4b03cdb56fdc504caf01b43af20485726c4f349f07269cd6569b857f49ee509c |
| SHA512 | 95051ff7fa2db46e09eb008aeced57b9fbd0bed73cf398a6a546117c13d1dfda05337b7956a38b64e268535cdc00f27915e9ba3bf5a786154e5a3e48994efb8f |
C:\Users\Admin\AppData\Local\Temp\2B6tiyR8cuiZ.bat
| MD5 | f4065ceccdcc671583882d294591f159 |
| SHA1 | c8002c422acd4f5ed044c3eeaadec0439c92086b |
| SHA256 | 9b4e8095760583a94e3502662ab7fe8c507674a8eb3a216e7c9721e9c21570ad |
| SHA512 | 664a4f175987bcf7743238f8e9ec4e617e58043a97aee745bf683aa82c16182a132be965cadb5b9e43bba62c55a1a951fcb4efd42ba30f2b58e5e454deaf3fe1 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win10v2004-20240508-en
Max time kernel
297s
Max time network
301s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sbdr1R5VvELE.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1524 -ip 1524
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 2148
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g7Svx9VSV88e.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1748 -ip 1748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcLrmyNcgUlR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1400 -ip 1400
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1896
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KJZ3by2sWh3d.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2892 -ip 2892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 2180
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NlX2mLlF0rGi.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2420 -ip 2420
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIOfl4h5gx7o.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1992 -ip 1992
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7xkKVDKTBqJ3.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 224 -ip 224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1084
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pxpg9GKb8NtQ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4020 -ip 4020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1960
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYQp1CbDEMQ5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4284 -ip 4284
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGWKfywgfaUr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2392 -ip 2392
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEgYB8P2Catb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2564 -ip 2564
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zinMGEdmwLtA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3488 -ip 3488
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fDjt851pCtac.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2488 -ip 2488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HhrgDBGZweZB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1492 -ip 1492
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1lgXjQbTJ4o8.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1992 -ip 1992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/3188-0-0x000000007484E000-0x000000007484F000-memory.dmp
memory/3188-1-0x0000000000BC0000-0x0000000000C2C000-memory.dmp
memory/3188-2-0x0000000005990000-0x0000000005F34000-memory.dmp
memory/3188-3-0x0000000005500000-0x0000000005592000-memory.dmp
memory/3188-4-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/3188-5-0x00000000055D0000-0x0000000005636000-memory.dmp
memory/3188-6-0x0000000006320000-0x0000000006332000-memory.dmp
memory/3188-7-0x000000007484E000-0x000000007484F000-memory.dmp
memory/3188-8-0x0000000074840000-0x0000000074FF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1524-15-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/3188-16-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/1524-17-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/1524-19-0x0000000006CC0000-0x0000000006CCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sbdr1R5VvELE.bat
| MD5 | 09f3bd834ffe0f8e4a3018fca0d3b203 |
| SHA1 | f8efb3665ec2d8b3c8042a46741998ef4a1636e4 |
| SHA256 | f548789a769993b1a5d3ac5ee9beaa700c9862f434ab7681b9240fc46f71cd34 |
| SHA512 | 6361e5a691d20aebe95cb5a1ea006a30974018286a6857303fe23ffb9a3913ad713cf883f4384ca505620380380f42e843bdfef741e9f5921e5282bf139eb99b |
memory/1524-24-0x0000000074840000-0x0000000074FF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | b482aa903d43cbef57611d5a7ccd5afb |
| SHA1 | add889e9c9dd87dfb70b37cc6ae2890196cc3683 |
| SHA256 | b7bb02996d208a900e650d3587fae3ef65537e70995e97812aaa2a2e257b4d64 |
| SHA512 | 7bb3f84911d52d90ff7053a2fc77d1ba174e0e321e833cda787565d51a0cb984e40b94811324f8c2fb4304a2a7f6ccf9f65a2f029b64951d0fd5050c874c58cb |
C:\Users\Admin\AppData\Local\Temp\g7Svx9VSV88e.bat
| MD5 | f8442aa0947a0d413c86b6c1a52c3865 |
| SHA1 | 822c6c092f0f8af904c49c98ee65094a5aa52d80 |
| SHA256 | f06edfc05921791f54d4bb7a145938b1c085d3e6fd467d7a730c5f8200460460 |
| SHA512 | 9987886cc96aa33d822834ef9e2432e7d2fbffd88afe4ff04466fe6659bf98639274ccd95baada75907a0c1b6a1f367c8ca6bf804a9b572131fb25fa89fb5804 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 773e9bcaef75e037f821acc01a9b7bed |
| SHA1 | 681ade43a4318580fd065d3c09e29f7d2219654e |
| SHA256 | a1c10c6f8d71247e50df886d51a860d5e7ec0184999601cc28897622a1e7b82b |
| SHA512 | b08af075c4d83ccd23fcafde8cfe865aef178c36c6a1195643e0afbc2d7c1506ab7c0523a3a40cb9be7d37fb0ada9cf109fe9a74db9b869fb9b8f92ab77cefdc |
C:\Users\Admin\AppData\Local\Temp\JcLrmyNcgUlR.bat
| MD5 | bf05528658be0bb71a7b4bb89dc53abf |
| SHA1 | 953d6fdbfe3830ae8f1e119fc3db2e44bfa40640 |
| SHA256 | d2057f860d2c9ba85e79287b304ee2a6f61620c0d60d93cda20c862c8db45916 |
| SHA512 | bcc619f5d68dde3349d7198617d34d3d623b95376bff7a169149b53b46d52ab0db33c1b8d2c2bac0635fb7b2a2248c3e975536ba1b3a30de470463ca6d2f8a9f |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | eb5f3a8917b0ee99adfbe18a1588b1a8 |
| SHA1 | 941f55fbba6f221594c10a324e27caf724d4e68f |
| SHA256 | 6a11bd46c7f9189552596cbd3f78aaf77858344d81312ae5471874a575d5a539 |
| SHA512 | 578988ec897038f4fd023aea67c7a4610e0bce024a0dae7a21578d06f33a8f09a8d33cf394a0607971cedd3b3ca6b42203282a533d254826c096cf5da5128d8c |
C:\Users\Admin\AppData\Local\Temp\KJZ3by2sWh3d.bat
| MD5 | 8bdb157c2698d491a7cb796ef3f6afd0 |
| SHA1 | 5036f21125ab89f823140c23dfb11b6ace999671 |
| SHA256 | e5250cc3fb17a43370bba9823042ff42abe80de92b61a3d87387ef68b91ad3db |
| SHA512 | 52ef84922025f942db43bd551bfe1bb400e988d65a2b700494f88edb4167a00453d8e4280e2637ee4f18c02609fb7d3e9b3202e7f700f77a823046aeb99b97c0 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 34e994829da78e1eaade1112ef74b9f8 |
| SHA1 | 925f5a67b360fa59cd7f22f2fbbd7a8df62e0c49 |
| SHA256 | 1018c6044178aee59d8dd066afe90f91ba79a6636661ef9a0d96851cb6a463c0 |
| SHA512 | 263b6cade35ee9034d6b060ae56dd7c01566ee1d0fd19b3eac1d8a1530a68537cf05f3b049ae2d9a085c377e2d19fd937110f3fb3bd1c31b0769598d54f4e672 |
C:\Users\Admin\AppData\Local\Temp\NlX2mLlF0rGi.bat
| MD5 | 70aa95d433b6f7dc9ac03c79c57d5f07 |
| SHA1 | efaf9e613d0095c17976a37dcedb457fb224b739 |
| SHA256 | 858cd7d4f8ff44f3433e571ec4e04c75b3fae044b36b9bcbfe02162acad02d16 |
| SHA512 | 731e50c35f6ed5736a33b65fe1bfdc988ad488979084e23e2973b046ae043ae08951b81c1d8665b37b0c7532c05f23ad14ebf660bbc497202ef2b214ab8f7a4e |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 4200f51b458f2521ad6e457783c2510e |
| SHA1 | 2d1885b68698f44ca13c70fa201ee2dae06b5ac6 |
| SHA256 | cd1b545968108e5d3642277e7ff4d1a46cbd4ab8e4bd9c71af8ee06efa6d4698 |
| SHA512 | 9b30b19ac8ce058ce2c27a4d136202c4e94b6def31b83b5d2a1ffdd1348b6d63dc602998f740f090dab4ed668d2522a014f0965bcb5862ea4d754bc804670c33 |
C:\Users\Admin\AppData\Local\Temp\EIOfl4h5gx7o.bat
| MD5 | 5cdb6a5010a78c429a6f3b204f7c2028 |
| SHA1 | 038e3e972455adfa46de71e4c18bcf344fd475c9 |
| SHA256 | dcf342b151111d05f27e69e9d57c62549d80e763aba68c7eb317e220f1c45789 |
| SHA512 | 2fac4ab98fc0be3cfe0844113b5b8678b8592ab107aa08a63e271a0ae536a1611cf4024c9cd664e78138fff1502a605678247059fa833e0b16224f1181d2f2a6 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\7xkKVDKTBqJ3.bat
| MD5 | aa0e059344a57ab8cce79b3cd9d6d38a |
| SHA1 | 90d7345170bd6725eb4c34d034d18ae017520eb3 |
| SHA256 | 57e0da20508cf5f3c3de7838f4690570e3e675fb7cbc3e5d06a2d11db4b0e3fd |
| SHA512 | 65dd35aaf19a0017b4a3fc808004a8618b0a7bebf08f50570348c875df5b85cbd82797212b6328797b7a8008f8fff032faa74ca5573f4fcfc0458ef269773440 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 3cf1790a88f94d921aa689c99c8928ec |
| SHA1 | 5b847c3cd69118450c9e456fa1172e979b81480a |
| SHA256 | 0c72b1e45ab520cd26992e7311f005cea6a27ecec792c8ae1f2469b156e5d371 |
| SHA512 | e883a2fcc5f19df9376f7e077e16054593e2d4a270e2664a3d5767ca06f7cdd2dbe76e6336690e85c6333defca74705241181f86313f0e5a94280636dfd3cb9a |
C:\Users\Admin\AppData\Local\Temp\pxpg9GKb8NtQ.bat
| MD5 | 003691e3f678049a887cd0fd2750cff3 |
| SHA1 | 52d46d8c42ddc725af2962e95487147b7bd3823c |
| SHA256 | 6a9672cbec7f49dd9812f025cd61d781f6605126eed124047ca22c4404e76478 |
| SHA512 | 3c5d0ab859ac44f57f08200d579eaa001595c8c403aa0e48ab376ba41ee58ec4544a0b6089529e239dfcef394ec5ebe82f0794deb9496aa0b418b4dcb3ee371e |
C:\Users\Admin\AppData\Local\Temp\hYQp1CbDEMQ5.bat
| MD5 | 8565e824d9afd62e88df4f9531d3431d |
| SHA1 | 119e78ebcdae6218698b65355d0281f9b119d3da |
| SHA256 | 3fb8ae4f491cbe1ace755368d07efe4feec88db0df2b9b8346159216c7174b7e |
| SHA512 | 36b2b705d2f289ceea8fd1baa62372a2e8b9804175b704d48f6bb8d271e29383c375bf52115cdfadda8df40c9738577ce9f418671f510c4ad367b4a5ae5f7060 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 65d096e6ed5279155a9aa3db6b8b7212 |
| SHA1 | d7ac5a7ae0a8fa9f1ec2fe5c39ea6c7c157b1d08 |
| SHA256 | 7e2d27afcfda8772eb86d3d6a99f78cb1d47a4af3ac854897756b72b0e27910a |
| SHA512 | 4101c4b69b41d372a0e176f9be995e2ee5226d9d5a3c516ea1d81dcd9623b290b385dfce034153bc2f5e37494b0e0ffda0e41beaee0916a5bbaef606c52e8f00 |
C:\Users\Admin\AppData\Local\Temp\pGWKfywgfaUr.bat
| MD5 | d25e7dae1c99de50a1ebd80af735c51a |
| SHA1 | d8f1bc56945b518baa5944af9f57db62b70aa965 |
| SHA256 | 465ef29b6eacefed032314da8895da93497314b9404ac637145b0d5eaa167a64 |
| SHA512 | fe5708f71ebee054d2d306ba37203861896f49a64066e4eeaad4575356f08e3141dc93cb793ae9c587fb59798fcffe240a77d3b0d02a5de04dee46569a97c038 |
C:\Users\Admin\AppData\Local\Temp\MEgYB8P2Catb.bat
| MD5 | 3f5569309104da13c2f399f222be5f4e |
| SHA1 | fd8c16b550f6cb126e2536a4299f55a1d366527e |
| SHA256 | c6e80bed18a18f4312f5c8854851ab1a205134b1f13a1c580e2a61214b66c86b |
| SHA512 | 016a17bd96d4fedc01ba679c592e35cafb24d898ae30567ec01b671637e7895c7b28403dae1a82f78ca58aa50da31d6428debdb61df3f0acd508c2c3846d2f4f |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | c8549f7e762d24d35e72caffd904ca9f |
| SHA1 | a74bed0bf0fa98f1eba89183e9d9b511ad01c294 |
| SHA256 | 85b213b1225815805fa786eee0ffa1738ddc7f52f9832b47d907a0c65f3a9ab4 |
| SHA512 | 506f4837f7bf0be885749bce4097894827f09fc42827f918a6906ace02bb78b08eb4bedc4a78677ab6c23d8b062d4b2fd273c473a9c34f5f7349c7f4693d338e |
C:\Users\Admin\AppData\Local\Temp\zinMGEdmwLtA.bat
| MD5 | 357d20be713ca753382cd6d984e3022f |
| SHA1 | c507ad5ddb0bfe351d342c8d8322c09f89449b1d |
| SHA256 | b77d189fde48c3098823b993e2c05f4fb664485ef4e9c9fb16bae4ae3d9eeb83 |
| SHA512 | 38f8f5fb6757e1e742db6d2230dc28746c75762932132352c34b128f0a26626c983720fa945bd4f1863c121edc495cdba283e2ba1c21580aa83b0f621382ac13 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | e9fbe8f101fb77db7b0fcdc71634f8a1 |
| SHA1 | 3ad7831f996662e5db92c6f4559ac6cc688550f0 |
| SHA256 | d7bcbe28397f9de1bd8ce19c00314f97c2cc0457c190a1a5e05c08e58b479938 |
| SHA512 | 6ed817c4856220d1a3c4f24922e4f49a2451e64bfb2302ab0f63e821051c1e7decc3b72d50044331c72d67da070e6916119409705c9eee7bf60411a2fee0391f |
C:\Users\Admin\AppData\Local\Temp\fDjt851pCtac.bat
| MD5 | 52040b2ef943ee13518b529587e84638 |
| SHA1 | ef114536fedaa9493e579f23a217f493b8301c35 |
| SHA256 | d0e896e141c10499887bbfb2856927b4f0aea361fbbda1b2c5b86e4f18dc8d39 |
| SHA512 | 44802adcc226c97215b677e350409328c860f0a45a0281dc4284775b2841f2eb77713d2f4f0b26b18111673e8b7989c7f17f39239e1f07f9114c5b0fab9b87f5 |
C:\Users\Admin\AppData\Local\Temp\HhrgDBGZweZB.bat
| MD5 | 1639f27f95fe882996f5c3c21cc6faa7 |
| SHA1 | f6b2984fad3b04e1a8cc1665e9eb0bf0feb41d6d |
| SHA256 | 58c5d8fadc058664b225e947b5a2e4d152b9e0d0147eed46934a02eb36e1c129 |
| SHA512 | 6fbbd96ff1800bb84eff806910bd8b5eae3fb667824aba7d3021a8599db0ec50c97698638d52f63c1a81b8c650d6fee83f52504b43b05472533201176a3be3ea |
C:\Users\Admin\AppData\Local\Temp\1lgXjQbTJ4o8.bat
| MD5 | 153ac77b8945aae3509321a510e4d2c4 |
| SHA1 | 2487a1cc6e01af086abd2e50183bdd5b8e69b48b |
| SHA256 | 2af735bf8529a062eea70658978829d40d6342f86cd554c705186292a62e5f9b |
| SHA512 | a6d95a3cb725f12c34116de9082d3a73fe56bf7e93941833f8715399e541a03f0b09cdda68c51c71dd67406e88326a6ac893a8889d99e23a5b8dde1ffa934f47 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win7-20240508-en
Max time kernel
297s
Max time network
300s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vQs0hPx6e9kx.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\27tA26kvjHVA.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lca6Pckc9ZZy.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jEkNXyoCu5At.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/1740-0-0x000000007434E000-0x000000007434F000-memory.dmp
memory/1740-1-0x00000000010C0000-0x000000000112C000-memory.dmp
memory/1740-2-0x0000000074340000-0x0000000074A2E000-memory.dmp
memory/1740-3-0x000000007434E000-0x000000007434F000-memory.dmp
memory/1740-4-0x0000000074340000-0x0000000074A2E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2352-13-0x0000000074340000-0x0000000074A2E000-memory.dmp
memory/2352-14-0x0000000074340000-0x0000000074A2E000-memory.dmp
memory/2352-12-0x00000000002F0000-0x000000000035C000-memory.dmp
memory/1740-15-0x0000000074340000-0x0000000074A2E000-memory.dmp
memory/2352-16-0x0000000074340000-0x0000000074A2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vQs0hPx6e9kx.bat
| MD5 | b1d795f0300778b35f106927c364661b |
| SHA1 | b875b24d6cd6cf2806381338d8fc73bd859a579f |
| SHA256 | 207548cd87b0e84eead9daf1bdeb174e11ff7806677b9da7c4fbe67ef7a955b7 |
| SHA512 | c2dad8ad1dc615a2f5512ec8554fc4e661f0f591702b83b4e2bd4606d3bb806185e28b4093fe600e264aeb147e692668f1f96a736932721ea730b7bf81e5aaf1 |
memory/2352-26-0x0000000074340000-0x0000000074A2E000-memory.dmp
memory/1940-29-0x0000000000BE0000-0x0000000000C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\27tA26kvjHVA.bat
| MD5 | cb2020201e6cb429842162c08eaee42b |
| SHA1 | 59d0e33f71ac43bb3afdbf026ff9f9b4b35422ce |
| SHA256 | bb7e6c621c3b2e1882c50739ed95c186d251dfedfa0706558f611f43955d34a9 |
| SHA512 | b716077917dbe60c978d88403188f3a290f94ea93e120baaaed2036a46f10266246630165e0821fefb0a60f3aa0394e459ba6b92fcb606ac71a65e1586b74e74 |
memory/2196-41-0x0000000000CC0000-0x0000000000D2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lca6Pckc9ZZy.bat
| MD5 | 1f29ec195ae8db97e5983603adf2bcab |
| SHA1 | 76befdaed28c4269a40b8a08b24100e0fbbf73a6 |
| SHA256 | 38ccb5a1d4e9ac6cde0421edfae74a69647e4961544fb5f8bb1abe914b699461 |
| SHA512 | d1c63f2fa77101fd820aac0c0cd0d4697404a33ce7662f8fdec8d11e31a3315e9988b651cdfe56a854fefa9c129a1ebfc79cfd5d16963887d8c186e39c0ba7aa |
memory/2624-53-0x00000000011D0000-0x000000000123C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jEkNXyoCu5At.bat
| MD5 | 35ad33abbd779adee91b5146d0e8bf70 |
| SHA1 | 1aa118bb05d9bbcc532236fddff9712c508f486e |
| SHA256 | 956270d66e71be16e833415c4bfb889b8e0ec9297520c59f6e10d44c972401a6 |
| SHA512 | 815447e70331e7276f8fbdbb9cc96914a2dc73ce223e4c918c409e9aa2b2917416f7f5e99da78b3b06096ba1ef91e9a8f3975701420fb715ff9857d76af5d66c |
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win10v2004-20240508-en
Max time kernel
296s
Max time network
305s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsLPUktLY3Hx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4932 -ip 4932
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1640
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYZaJkYbOGaA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 892 -ip 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 1608
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAvtvPTdvrj3.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4656 -ip 4656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1612
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YLJtVbjzS2vA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2900 -ip 2900
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1608
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lxsGmWXMgiw7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3512 -ip 3512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TPs1Yukx1Cfu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3680 -ip 3680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P1IuCbBtdzsU.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1016 -ip 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 2252
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vvidqYJTk5ce.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3936 -ip 3936
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQeAiOhWzeJ7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4648 -ip 4648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HvahaF5aFD0a.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6VN6eRDspOpL.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3680 -ip 3680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PJ7DIIRu64jJ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2348 -ip 2348
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ebumODtYAx3T.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4824 -ip 4824
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K6qJG4HbQWkv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2412 -ip 2412
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VNp8YFZvzbMB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 224 -ip 224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/2824-0-0x00000000748CE000-0x00000000748CF000-memory.dmp
memory/2824-1-0x0000000000A90000-0x0000000000AFC000-memory.dmp
memory/2824-2-0x0000000005A60000-0x0000000006004000-memory.dmp
memory/2824-3-0x0000000005570000-0x0000000005602000-memory.dmp
memory/2824-4-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/2824-5-0x0000000005610000-0x0000000005676000-memory.dmp
memory/2824-6-0x0000000006210000-0x0000000006222000-memory.dmp
memory/2824-7-0x00000000748CE000-0x00000000748CF000-memory.dmp
memory/2824-8-0x00000000748C0000-0x0000000075070000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4932-15-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/2824-16-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/4932-17-0x00000000748C0000-0x0000000075070000-memory.dmp
memory/4932-19-0x0000000006570000-0x000000000657A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bsLPUktLY3Hx.bat
| MD5 | e5f1cc853503a610ada273793e7de878 |
| SHA1 | 5ade44e0b989d92346743326954db6af9b37232d |
| SHA256 | 55b8b9c53f0f5f2230cda4f1d80150de191b3ff65c34a2550b19288e67571d09 |
| SHA512 | aa17907f319c7b8128395abab492aa3a1fd26125de0735a19c6b3de12f294dcad57fd6faca4d1e42262417694619d358e6edf23a3ecc32d5be15dbfd80bca413 |
memory/4932-24-0x00000000748C0000-0x0000000075070000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | c3678b61735d5b60f496a7a35bea5b47 |
| SHA1 | 8b8f37c23499f7e39ff146d3d50fcfe6796da9ac |
| SHA256 | feb801b7e59eae7552a95858278935ba95c5be14dfcec2481eb2b627159d8b3a |
| SHA512 | a3aaca65dbae08ce66186564f36010bfbf77c77ff74cf6ba27cef63aea8f85ce7ff8bb0b97a20be6293fc2e1c4e782f209f8066a230e8d24aa54d25b6ef95770 |
C:\Users\Admin\AppData\Local\Temp\cYZaJkYbOGaA.bat
| MD5 | f1325231cd5bae084ed42032656d62e5 |
| SHA1 | f231c4bdc516dedc7a955e31c4795fbf05362d83 |
| SHA256 | 05aabc5147d50cc17ca14eb8d7c12ee40d726849468c1b8b6a3fa9d16f41fc52 |
| SHA512 | 58475241739df0b9b2634e282e5c64667626a5dfb00f74fcbe5e69aa397db21cc1b2527a6d66bf845ed3c4db02299bbb435d22aae9652d88291d3951bf7b77df |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | b85913bb3dd1b3bf6479c161f9aec592 |
| SHA1 | b7bb438732ecb1e681dbf6d0242af6d58dab2ca8 |
| SHA256 | 0687a867b4a89b54a4d886a9cbddb60e6aede461a41f018b945c6fb11628ff5b |
| SHA512 | d5b8abc53a3bdc89ad18c3ebe9b0ab66ac3f28d8c2071e9567717c6e4e9e5b087150cdd611f8e2f002b41b6aec4a97aac5cb4baf0bc4021e9006f7b8fc790282 |
C:\Users\Admin\AppData\Local\Temp\VAvtvPTdvrj3.bat
| MD5 | 88abcc22d36754c6dde0252c263229e4 |
| SHA1 | 205534d408772f8b946b540fa77317e4b04073ba |
| SHA256 | 871aa9c605aad7369cc7aff1d1b0d14768d4f486856d9c4eeae74539ca164249 |
| SHA512 | ded405ac018e47f3f15e06029166f69f2fe38393197c65978b16d1842aae82cd136a338e609c6a2c065abf06f7f87f3c6e23853e01b2b4d61b9cfe8bce993065 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 3bd40f41f0ec6727600c62b35dd03258 |
| SHA1 | 2d7315a7437cdd5e00a8007ca6240a1809b6a10f |
| SHA256 | 0a4d18a791a17c72305543bb59eda7c431b24cec3ef0785938bf6de0bb5f384d |
| SHA512 | 380a30b80b9948b5fe22c477c75594b9012cb31970b547f8b324b78d23d0fe564c0307130a531bf501059b0f8284603289ee488539b3d729bfaf82d1245c2959 |
C:\Users\Admin\AppData\Local\Temp\YLJtVbjzS2vA.bat
| MD5 | 6d9b9aec0b39867c868ae1ce69a7863f |
| SHA1 | 3c170cb7b090e86b07b197d7501df78e19ea73b3 |
| SHA256 | 28be0d7364a3693c3d5888446b8da03bdeaff324210be82ca7d8c28c6febfd0c |
| SHA512 | 211d81e06a1310614146818b82cb4c552a46555770d96924bffb100152a31cbd9bf3c3f42c32a4d289a53f53b6ede4e49771a130be6616f2dbd3f09bf73c27f0 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | f81ef3aeff862169bf754a3541a0518f |
| SHA1 | bf3109862ac669c7c7a5de51fa14984f88dc0191 |
| SHA256 | 81d8806e9bfd53bddc074ac97e4232dd3d22b02e15bfd6a3904caa46e97f6faa |
| SHA512 | 6382e4d0b592cf9f248f6cb7ee369bb8319533e69e94a763ff1d70e51d94317cc8adf3b8b8b60166830281f5c517e5bbe8c776bdb3a78106ad93f9177530e740 |
C:\Users\Admin\AppData\Local\Temp\lxsGmWXMgiw7.bat
| MD5 | 144025ab35a57877a34d467892238d80 |
| SHA1 | 273ca1acd2279ad0bf6853ce630bbb815777b885 |
| SHA256 | e4edbfb8acafcfb6708830b3807bc245598fb41f9e0c3622edf9e146dc673683 |
| SHA512 | a5a491f052e19c35b8dec495fc955da4d1126c4a4b1c8cb60fdf304001783981c837d2ba435e1297191dd30488dc635e6101776dea53a2d355933d77fd37ce4b |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\TPs1Yukx1Cfu.bat
| MD5 | 6879fee7a7c79d6053445210a8de8f44 |
| SHA1 | de5b063f0f686e8af718a0a9171b1fe4a2c4d4a8 |
| SHA256 | 42fb3f8b671379c78b1df8777fdc3a4ded592b7b1385ac7a434e8b1826d558aa |
| SHA512 | e349cc6d98ba5cf3449db952064e60f06114a4b53b15a3719d590e720d669592a4e01c8f938744be329c49a3f64ebdfed2543870b44985c4346bc4b02c67171c |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | e460c04f5451d4cbfdef6a7a530423f5 |
| SHA1 | 2584cd8e8f397e5e7337fcaadaf613c9177aaf59 |
| SHA256 | 21a0510318102e04b677d2b0d040792532bbc809de28844f87e3d498413b3c54 |
| SHA512 | a5b09717535e2e6547f6486a4b91fbb2d795369b94d9ca6547dfef83777564045932cb4fe2cb92b156245877dfa358ade26d6b1dea038b50fdc5d602b29893d0 |
C:\Users\Admin\AppData\Local\Temp\P1IuCbBtdzsU.bat
| MD5 | a1121975abac3b96a80d35be667621c7 |
| SHA1 | 379dc8e11f25400f67fa704109ae171c985e03aa |
| SHA256 | b838c261fed1418d5b2dada6a8a9e827ec927eb8cf216b8559d9416dbd09c5df |
| SHA512 | 00b0527bf67ab1d277a2d9786f3f41afec096d7eeebf8bae338892f5cd4d82d6deb7075a7b7b1b320d1717b78aa3a0b8e943d801da144a6867fb77d12ac41434 |
C:\Users\Admin\AppData\Local\Temp\vvidqYJTk5ce.bat
| MD5 | ab61d086591627c1dd11194e6fd9f775 |
| SHA1 | 432091c0da6389c247238d3edfcababa0d931495 |
| SHA256 | 39082e4a556ef6b14935dac38936b0658a7e7bded64162577742328d819ec6c6 |
| SHA512 | ae48b7af0696f440a43cff63ff11ad1754a8299881a69b3a0980b3598f3f1a8f68d372dd49a64632b203e891fd8b425747a625a66988002e8dc5c6e581380691 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 43a856880652307be0ffe2e49ad3d37e |
| SHA1 | 5a601ccd6f0609c4cda951d8f6023af0a117b131 |
| SHA256 | 954cf5dc92d514d08918448561577e260f8f894ced6b3a3b2ffd234b78f1a069 |
| SHA512 | 7f629a6a8796d9bf9823ce851cef39deff9255957bbbcdb34072f35c2ffb627ee5be2f81107aba39ad59db32ef9bf743b3d843a8f51c01e6110275458abfd14c |
C:\Users\Admin\AppData\Local\Temp\bQeAiOhWzeJ7.bat
| MD5 | 33d43761861510dea04da9b3f4459e01 |
| SHA1 | 7d7b1ad6e6bfabe315477d1a62f73c5224f1b837 |
| SHA256 | 6f010bc58449f84f8456ca22b134076bc0ab82bd162cd2b4d2ae05f5af260a06 |
| SHA512 | 3db0b5db2a4351ab46d6ae034f78f32499a33ce7b4fd39f72fc4938d795ba4089c2ad4f6462e691990314e2e451e94b6db2b7db395e520a9940ad29e14ba1107 |
C:\Users\Admin\AppData\Local\Temp\HvahaF5aFD0a.bat
| MD5 | e8ae4a8486145d1d5cde320406d0e6f8 |
| SHA1 | ec428e2e37c7ff612f15d92cff812bb0b719aa0f |
| SHA256 | 6c9f64ad29933d10250a447987122c4876731bc7801544db5ace8c3ad91f09dd |
| SHA512 | baf86956d2011404a9c4b4405c739a53e9c28d59dec35f2c983040bec4d53ea115666a85bf846bd316a0a009a57cf5174704c211853258940b7bdaa65ef0734e |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 49c16a9494913ebcf8dfc9978fc4a09e |
| SHA1 | f660e0d47ea1597ff07c942857805227b37aa748 |
| SHA256 | 05b738b79aa07754f300a4bf718d253b2d7436fdfb4c829ad9ae23e27c63c58b |
| SHA512 | 3a926a2d7c9737dfc5158157710723c813584860b5d33e033545e0a40387883597bcdb2f7bb55983807f30a4f3bfb6c44ef502a662891defe54d2c7c996a60e2 |
C:\Users\Admin\AppData\Local\Temp\6VN6eRDspOpL.bat
| MD5 | fa29c15bc88c1fee2a6e9c8777282e49 |
| SHA1 | 5a43c79c0b2cec68eb50a89e671e3a4c874a8e01 |
| SHA256 | 5462c39edaa04478ac04eb7f7a589a21a631fec4179372fc17fde5610396cf75 |
| SHA512 | aa09388d492c36384005f75ff93bee76904a2b539254ca238abeaa3ed4a1852614886e24dfbd40cfc0b45e46d6630e54dab44b9802f1707c9dc3cf0c91e348c2 |
C:\Users\Admin\AppData\Local\Temp\PJ7DIIRu64jJ.bat
| MD5 | 6a68cf7d80c3f15c9435d592c9e189ae |
| SHA1 | 1d17f971f94eed79b8854875f9d40464c7530422 |
| SHA256 | 01e52e5d484266474c7b3b5c7a8f29e810c0501e5891eef2084ec4b747a7c312 |
| SHA512 | 2240b625d3af0b4b71008b1660ac8b90de275844e4ed5632b2adce1a2e634bd8d8ef29e2729481f8c3ef07336971211093575e264f4c972724142ab8cc48e773 |
C:\Users\Admin\AppData\Local\Temp\ebumODtYAx3T.bat
| MD5 | 4e38e13fda93eac168dd9aec3f32c507 |
| SHA1 | ce6c92d2a8e581ed14f2214048e9474d7a94adf3 |
| SHA256 | f10ea0ced4c4769874fcdcbece9b0597219c94d98445bdbc406c74a775412dd1 |
| SHA512 | b705519debfee96019377635e6c93786eac6742aaf6ebc6d527656b29de7d5160df57afc7a415baa45f47393f642e842ef518b4a5713b275fd3d7101399146e1 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 39857ca3a21b43b533c1a4ade2204c4f |
| SHA1 | da61bf9fa038c96a45f995af7d43c3dc77ce9e91 |
| SHA256 | 1bdee5adbb44f98054d0d50b7caf5fc47251e889122024796de02fc5c11621b9 |
| SHA512 | d26aebcd08b4de512660079d3cbd093e548fb16842c0d2b4295f86b2167137c74deb924c7e0dac85763242307e233e1636f103528cc83d05824047f48b36fd9a |
C:\Users\Admin\AppData\Local\Temp\K6qJG4HbQWkv.bat
| MD5 | f1cb578283fecdf46338492fe3dbd295 |
| SHA1 | 66ddc80062e1ec9a225d2bfbee0e603d57498f6d |
| SHA256 | 13c5346ae1caea145df5d2a9f1ba26c49c9d637ecefe68229d25418d8e9b2b5e |
| SHA512 | e49696e41704936a71e04e0012c50c671a3820d2f329e90dbcfa5b7cc24965f9242eb2a644ac47aa851fe212d056bc374b380565af06a5ceeb83bc436a9b153e |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 62d2938290718846efba0b142d752b92 |
| SHA1 | 356ac168007a9187de834bbcbe811baf1f179087 |
| SHA256 | f3b6332708f026a34300bd06babe5f02fe0167a085b24e2096b4eb262e9feb31 |
| SHA512 | 87fbc20c10a4d382de6e9fcf49c970f672381285d4a9bf5e011386debd0585f2826934d8651d5e850b667b0d521c0e141988b17fef28cd09ab7069186a57558a |
C:\Users\Admin\AppData\Local\Temp\VNp8YFZvzbMB.bat
| MD5 | 4be25e9916f82917706eff4fc5451e64 |
| SHA1 | 33d5c50374ffc7ba798f416faf06f0f46576fb45 |
| SHA256 | 25a64a1c9f0e9b440af463e6a4a209823a4d883580d7ecff194d826b90c752d0 |
| SHA512 | 69df3be123659a04fc7d6ac5046966604e1f8160c6d7450ad24d737b4ba7a5239b92d99bba6f5935262f557c678f83d10c64e68109a081a507c1d371348c1ffa |
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win10v2004-20240611-en
Max time kernel
236s
Max time network
291s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/940-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp
memory/940-1-0x0000000000E50000-0x0000000000EBC000-memory.dmp
memory/940-2-0x0000000005F40000-0x00000000064E4000-memory.dmp
memory/940-3-0x00000000058D0000-0x0000000005962000-memory.dmp
memory/940-4-0x0000000074AB0000-0x0000000075260000-memory.dmp
memory/940-5-0x0000000005990000-0x00000000059F6000-memory.dmp
memory/940-6-0x00000000065F0000-0x0000000006602000-memory.dmp
memory/940-7-0x0000000006B30000-0x0000000006B6C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4900-13-0x0000000074AB0000-0x0000000075260000-memory.dmp
memory/4900-14-0x0000000074AB0000-0x0000000075260000-memory.dmp
memory/940-16-0x0000000074AB0000-0x0000000075260000-memory.dmp
memory/4900-18-0x0000000006730000-0x000000000673A000-memory.dmp
memory/4900-19-0x0000000074AB0000-0x0000000075260000-memory.dmp
memory/4900-20-0x0000000074AB0000-0x0000000075260000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win7-20240611-en
Max time kernel
236s
Max time network
292s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2424-0-0x00000000745FE000-0x00000000745FF000-memory.dmp
memory/2424-1-0x00000000011B0000-0x000000000121C000-memory.dmp
memory/2424-2-0x00000000745F0000-0x0000000074CDE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2668-11-0x0000000001040000-0x00000000010AC000-memory.dmp
memory/2668-10-0x00000000745F0000-0x0000000074CDE000-memory.dmp
memory/2668-12-0x00000000745F0000-0x0000000074CDE000-memory.dmp
memory/2424-13-0x00000000745F0000-0x0000000074CDE000-memory.dmp
memory/2668-15-0x00000000745F0000-0x0000000074CDE000-memory.dmp
memory/2668-16-0x00000000745F0000-0x0000000074CDE000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win7-20240221-en
Max time kernel
236s
Max time network
288s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1244-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp
memory/1244-1-0x0000000000910000-0x000000000097C000-memory.dmp
memory/1244-2-0x0000000074BA0000-0x000000007528E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2640-10-0x0000000074BA0000-0x000000007528E000-memory.dmp
memory/2640-11-0x0000000000360000-0x00000000003CC000-memory.dmp
memory/2640-12-0x0000000074BA0000-0x000000007528E000-memory.dmp
memory/1244-14-0x0000000074BA0000-0x000000007528E000-memory.dmp
memory/2640-15-0x0000000074BA0000-0x000000007528E000-memory.dmp
memory/2640-16-0x0000000074BA0000-0x000000007528E000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win7-20240221-en
Max time kernel
236s
Max time network
288s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2160-0-0x00000000744CE000-0x00000000744CF000-memory.dmp
memory/2160-1-0x0000000001260000-0x00000000012CC000-memory.dmp
memory/2160-2-0x00000000744C0000-0x0000000074BAE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2500-10-0x0000000000D30000-0x0000000000D9C000-memory.dmp
memory/2500-12-0x00000000744C0000-0x0000000074BAE000-memory.dmp
memory/2500-11-0x00000000744C0000-0x0000000074BAE000-memory.dmp
memory/2160-14-0x00000000744C0000-0x0000000074BAE000-memory.dmp
memory/2500-15-0x00000000744C0000-0x0000000074BAE000-memory.dmp
memory/2500-16-0x00000000744C0000-0x0000000074BAE000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win7-20231129-en
Max time kernel
236s
Max time network
289s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2356-0-0x00000000748BE000-0x00000000748BF000-memory.dmp
memory/2356-1-0x0000000000100000-0x000000000016C000-memory.dmp
memory/2356-2-0x00000000748B0000-0x0000000074F9E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2868-10-0x0000000000950000-0x00000000009BC000-memory.dmp
memory/2868-12-0x00000000748B0000-0x0000000074F9E000-memory.dmp
memory/2868-11-0x00000000748B0000-0x0000000074F9E000-memory.dmp
memory/2356-14-0x00000000748B0000-0x0000000074F9E000-memory.dmp
memory/2868-15-0x00000000748B0000-0x0000000074F9E000-memory.dmp
memory/2868-16-0x00000000748B0000-0x0000000074F9E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win10v2004-20240508-en
Max time kernel
297s
Max time network
305s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bh0zwZ9t75AW.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2300 -ip 2300
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1668
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oTtmkfhinjIv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1644
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VXg4EtWi4wTC.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2236 -ip 2236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1580
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bjsncpwN7vMD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1316 -ip 1316
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1600
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N8HD6poKAw0r.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4272 -ip 4272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 1648
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\58NYjsoS6SaF.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1376 -ip 1376
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1216
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3Jgl2xDEp7MI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2752 -ip 2752
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N7QsgpQG6mGG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1836 -ip 1836
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fi21YlisClnv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4760 -ip 4760
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWm8CcwuTRht.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3788 -ip 3788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noZhHXOXXK13.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2432 -ip 2432
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\26MGNSqAbDKD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3980 -ip 3980
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3mpIRkr11q0A.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 432 -ip 432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q8Tjk12tPMSd.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2912 -ip 2912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1664
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l1xMG5bg6u1A.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 32 -ip 32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/4024-0-0x000000007474E000-0x000000007474F000-memory.dmp
memory/4024-1-0x0000000000BB0000-0x0000000000C1C000-memory.dmp
memory/4024-2-0x0000000005B80000-0x0000000006124000-memory.dmp
memory/4024-3-0x00000000055D0000-0x0000000005662000-memory.dmp
memory/4024-4-0x0000000074740000-0x0000000074EF0000-memory.dmp
memory/4024-5-0x0000000005540000-0x00000000055A6000-memory.dmp
memory/4024-6-0x0000000005B50000-0x0000000005B62000-memory.dmp
memory/4024-7-0x000000007474E000-0x000000007474F000-memory.dmp
memory/4024-8-0x0000000074740000-0x0000000074EF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2300-15-0x0000000074740000-0x0000000074EF0000-memory.dmp
memory/4024-17-0x0000000074740000-0x0000000074EF0000-memory.dmp
memory/2300-16-0x0000000074740000-0x0000000074EF0000-memory.dmp
memory/2300-19-0x0000000006260000-0x000000000626A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bh0zwZ9t75AW.bat
| MD5 | 3b003f0a897a1a5f768a3c3c0fc2d39f |
| SHA1 | 463604971d70c9e942bb3f72ed238af44a82e544 |
| SHA256 | 45fd3603ce97ac5b613f57e7cd3a5f4f18551e092b71692b7aae64b70c5feeaf |
| SHA512 | 119fb17e6ee0f94e5bf08ec9e07ac00ac9ca82b1635d324f0c357bd42796bc6f3107eb1199cfbb3b9a86eb9d32e367f6152ff1122dee72c7809ae0797d9327cb |
memory/2300-24-0x0000000074740000-0x0000000074EF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 2bf82f64721d935d2595770adbb62f36 |
| SHA1 | ed492d00aaad55764cd8adf3613e7745ccf587c8 |
| SHA256 | d86b6de1b37d9531000319d0452db29a9dfe3ba1b5afe16f1b781f81bf2d968d |
| SHA512 | 00a25dd40c4a0fb7b8490941e9100f07259f5525daee5e7343c0e15f34ff7d32d5e4d1b242e959c7c768c178a3a997e35b8300a977bf3018e2ebbb38ff2f2913 |
C:\Users\Admin\AppData\Local\Temp\oTtmkfhinjIv.bat
| MD5 | cbb15c44477f019777d7d6e1b7dc6936 |
| SHA1 | 645324864b6d605e947efd8f276d8095cdfd0a00 |
| SHA256 | a5b7ec1e7210b9bba933fafeba2bd467971364240effcda7e65e01bfd8e69010 |
| SHA512 | afd9dd693b8ac5848b2a24ab82345a7e487f7b66d3ebeae37595e358abb8b4a6edacca89c594b7ff44bed814da386698004fc333abda8929a3b963f80e29e2a1 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 8513b0f90151e2a5189a0f72996e7a6b |
| SHA1 | d16f7d84ac4259db74b1cc4699bf105d98d42900 |
| SHA256 | 0f715fa6799ddbe3f7639ede5eda73632e72573d4902656a2913288fb204f49f |
| SHA512 | 0bec69992d326d743df277a47538fc30575ccfb7ce25c10b6b75e4a00553e7b2ffe9b64f8bb79bb35de9b1bfd78ea429a11971207e642c89cf6ea8f394876f5f |
C:\Users\Admin\AppData\Local\Temp\VXg4EtWi4wTC.bat
| MD5 | de80d7b6284d2d49362212270efa7aaa |
| SHA1 | c00414237a8249bf56ba942ee0244ffcaeee905f |
| SHA256 | 2ddeebe396ea8e76c85a669661c37d197f9d5a7d861780d3c73c5e1d339ebcff |
| SHA512 | 9635dfab238c8c1c6ce4a81c83afe58d6656054c2899b7b18011569962f18bf46641b6cd6a9581d56f59814f252d8e6a1e37826d4ee99562f37cc4e72978ce23 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | c12512a30e432cccaaf3ebcf69c4e95f |
| SHA1 | 2b5d8546ca8265c44c55bcd0955a3b0a6d62b97f |
| SHA256 | 1fccb3c480a8196c34dbfdaa00b5058dc54128971ca8afc60834ad3a8199bef9 |
| SHA512 | 6c042e7c3cea5890db63414591c6f61ead3a7353771cb1bbf9aafd8d05f3933a0d9dbc05c5c08abad5a418033bc05facd7ed4d7c1a99c79f42bd875a21d49b2e |
C:\Users\Admin\AppData\Local\Temp\bjsncpwN7vMD.bat
| MD5 | 7736e89cf14f1cf06091438558e80dd0 |
| SHA1 | 0d7cd0ec332ade80a32a78ca890a128a192bd170 |
| SHA256 | e5209e4d274962a094d9a869e5deb909b5babf57a1658f073f3e88740acb8b4d |
| SHA512 | 99554aff2f7660e5722eeac74ece79881ffab244e5f6c7b22e1d689a2e6a8ef9e21cb6d22f412d62c03ff8e955842f5a78d6b0701645a60cca8d113bcdbe2ae6 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 19636f7ff8c0923a009eac6bc3d869bf |
| SHA1 | 62cd162b5364ad5e3e4074d99226bf60325d63ff |
| SHA256 | 67fee24e0ebf2117284efcea34e9b0a0a01a0ef57240fedc99f8147e0dc1c5db |
| SHA512 | ae5d9aa928c4ba4ef0ebef097d77690012cd900d9a634e842e1095f6e30a981ad95dfd3e9cd1287990d9825152e316c4945bca91f23ca070368c088b321b5683 |
C:\Users\Admin\AppData\Local\Temp\N8HD6poKAw0r.bat
| MD5 | 67c1db9f16098fbadc082f95d30927b7 |
| SHA1 | 3fb7765b6e876114ec4ade74c36836c0caf6f61c |
| SHA256 | b9d29d62aa7b3c582b1f82a2cec9ef1cc30a2242a0fcb939d954122045495590 |
| SHA512 | e10e636a919a0abaca9df932884260032ee17f51421e022ac6c9ada2ab6bb9a6a8e7db6462a83f569bac340f69a31502a9f8893ee188877cfea539a067d1f939 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\58NYjsoS6SaF.bat
| MD5 | bab7806d32f48ae2c15d351d6fecb9b1 |
| SHA1 | a5a4dbd598e20dcc19971ad047a413ed3f91cb2d |
| SHA256 | 67f7678b1bfc454fa8a29b087d46a00116e88fd0fff6a3507cbe8f79b44787c4 |
| SHA512 | 94b4eabb6f22bed21f648435540c3ca3e557f61f7b1097171e39ce5ccfa1e8a34a84958d1c6877aee29d4fa283779cd2efb465ffab5b0e38e79a043c9796c852 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 6d14c1973294fcdfce418bf5c7143243 |
| SHA1 | c96ccf8ab803e7bf02d98273c15f06fccce4525e |
| SHA256 | b8188bc02d89ff92715f2b69b267f02af0e115c7a01ce5babec37a77e1d38686 |
| SHA512 | bc9c127195a6751c989d8035dfe4e4087813edc1369c590c9261e56a9be8578098d9b98343487ba046dbce143e99bf7db8f731fc46b2ff14c7e37d9272fbb8e0 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 728cfa75972556a3bbf14b586206c4ce |
| SHA1 | 5b1677e0d4bf9ee3e2a524c5d0f4686ecd132799 |
| SHA256 | 81b5ac2665deb7d51ba1ee97469c9a07940d8c822c2d2781fbc28d91cecb6f80 |
| SHA512 | 2938dcf597363efc645a000d21ea59509befe2baecdfcc82538b67a0e6b6194bb63c42edae0dbc089b20368a895df6d3927927bb1f40afeddf0de0b8a9bc26dc |
C:\Users\Admin\AppData\Local\Temp\N7QsgpQG6mGG.bat
| MD5 | 6213c8a0c60cbfa6ab4bf0345a0dfcc0 |
| SHA1 | 38e8834e935bd2375b23b29fe52679367738cc00 |
| SHA256 | 626cc428cbfdb139a422f0bbc38d6e4963068e1e7b899b91beb4272b3504a239 |
| SHA512 | e41cdefdbd9880df65f3826caf95438c251bc19c4702ff59cd82db0ddb84b9e40c27af61a2ff593b3d732af656ea7ddac31f02a01e45fa55ce331d66bfc2cfbe |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 2cfe57f21bd640fd10cc5300596b54cb |
| SHA1 | 0d884c1e82d77ae4a06e21779cf6abc623e16b7e |
| SHA256 | 0d9a6905faf82a98f08820989200a45841766f43a08932256bdd32501f78d836 |
| SHA512 | 15fd10bd01ca29d40d31c374f16377bae652eabef44e0fb81852dce7cf07aed5909f4090193ddfc68c4eb03156d38143d0c3abf01060b02312050499b59a4575 |
C:\Users\Admin\AppData\Local\Temp\Fi21YlisClnv.bat
| MD5 | a1f1d3627f205695f4ac7b7cf5e4c361 |
| SHA1 | dd9056ae9fcad4d9c7ed36aa5d33f56ebf925d07 |
| SHA256 | e456724ca22b9ecfc379e630bb20f44e6079d90ac91486758a6f9d7b6c75f42b |
| SHA512 | 54a172d59cc3255283780271e0493955e0c40ed6cf782427586d4c3c8e6ab8771e8a909675183ddb135dfd0f72671a1eefed09b06d4f2c9ce686624e60a93ce3 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 2dd48adad31aa89f5e5005473839b9a2 |
| SHA1 | e2d8b0aa560f721e51b72ab2697d5e11bdaa0c6b |
| SHA256 | aa5bc269e2ec4131386559a26ee6bd9066dc3a5c2195b175a829858a2d9467df |
| SHA512 | 557a23e77b88ea2b4bd29ce4e8934162f525f02b2ba76312c003e15ecdb9285e8bf54a58bfab82ca638392b6cdc9989365d54a56d46470f6ccd74ea95f35455c |
C:\Users\Admin\AppData\Local\Temp\ZWm8CcwuTRht.bat
| MD5 | fb9feb6cf2900b9cef8915a55106d139 |
| SHA1 | 60164ab8618535a9630ea4a130ce657fdf78fbe7 |
| SHA256 | 0e0322445944ff58941657d46c87702ac8c02d9ee3986b88cc4963fc5aae189c |
| SHA512 | 60c76e9b4c030d0a5b0ea6443c6f7bcd8d5212ba06ada568785b4abe4d194b706bcff0bf3a714ac3fb48eca10a22b1d70268e77f98dba3f13b0f751e02236c40 |
C:\Users\Admin\AppData\Local\Temp\noZhHXOXXK13.bat
| MD5 | c143f9206ba6624356b03a6586026d7a |
| SHA1 | b9e211fb7b073fe894cbdee907b5bc3b48b078ea |
| SHA256 | 0c58ed8ed9726d8e1a3e54d73a14f82df5c7caaef3ed553cf8e0eaa3eb46d1c0 |
| SHA512 | a7702d6039e8be6da7755b318028cb22e45ba0bdbcef081d445e47e84017cf0e00883c0a233f014cda4e5ad79bfa4bc474d7420292012b6d23b70f4b1a472374 |
C:\Users\Admin\AppData\Local\Temp\26MGNSqAbDKD.bat
| MD5 | 68427c8809b0488d83142f8917077153 |
| SHA1 | a1bb2f9e2d45b0487d9ff12999c22b225f7a02cc |
| SHA256 | 72b1a329e772598872d664f921966e35feeaf9af14ac1d982535fde93ce6560c |
| SHA512 | 743eed82c501d2b9a7f9a15797a557133dcf6c9ec71dcb7a1920d658b773fd2fe68e538ca5f730a81b30810536fc841e5b5ce4304e3983dc37482c356074e41a |
C:\Users\Admin\AppData\Local\Temp\3mpIRkr11q0A.bat
| MD5 | 94eef7973cc201455c86f8beaf17db61 |
| SHA1 | c2b61ca5a0e53f980e5f9b35f42a9a4d4b3f869f |
| SHA256 | 3f8e403b29d75e71f9276118d4fff0736559b45e6e356abda06b1361c46c51d6 |
| SHA512 | b131b97269116e1194c85656b372720c962da9ab5221fb8f20a1e6940859c01e07e7cf89e7059a13e4ed626bff60742a0353abda3ff0bf35c32b7723de1439c4 |
C:\Users\Admin\AppData\Local\Temp\Q8Tjk12tPMSd.bat
| MD5 | 8b49d1a9799f72fe543bd7a985d4cd5e |
| SHA1 | 9ff6b2e5aa2393eed2c64078b6d2efda70b84787 |
| SHA256 | ee9f55cf0d2dd771eaecac4fc6385987941b6d56c23ee10276345e73271e86a5 |
| SHA512 | 4057476dee4015b400354cdf557cd91c53fc43830a3ea43968f281529c85866c678bcd129d69611cc9d50043c1d428b45908866870b95cc0a32fc18df659fa3d |
C:\Users\Admin\AppData\Local\Temp\l1xMG5bg6u1A.bat
| MD5 | a8a452e32cc03a49f195d837b2c8d864 |
| SHA1 | 30fbb4eff406326e02f2665f2244e60796936867 |
| SHA256 | 3d7dd643d65c92d60bee0eb824a5908e6fd32ea21e9ecdcaaea26bcb79115b99 |
| SHA512 | d45dc333d9f3e6cb281e09b7614a7201ae3e61600c7e49a2aadd7629662ec1524914fb565dbe37f2a47ea32cf40286cd88e61b554161f431089ef21c6b464224 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win7-20240221-en
Max time kernel
236s
Max time network
288s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2020-0-0x000000007427E000-0x000000007427F000-memory.dmp
memory/2020-1-0x0000000001260000-0x00000000012CC000-memory.dmp
memory/2020-2-0x0000000074270000-0x000000007495E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2700-10-0x0000000000940000-0x00000000009AC000-memory.dmp
memory/2700-12-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2700-11-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2020-14-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2700-15-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2700-16-0x0000000074270000-0x000000007495E000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win10v2004-20240611-en
Max time kernel
236s
Max time network
289s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1048-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp
memory/1048-1-0x0000000000270000-0x00000000002DC000-memory.dmp
memory/1048-2-0x00000000052A0000-0x0000000005844000-memory.dmp
memory/1048-3-0x0000000004CF0000-0x0000000004D82000-memory.dmp
memory/1048-4-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/1048-5-0x0000000004D90000-0x0000000004DF6000-memory.dmp
memory/1048-6-0x0000000005210000-0x0000000005222000-memory.dmp
memory/1048-7-0x0000000005F10000-0x0000000005F4C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4124-13-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/4124-14-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/1048-16-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/4124-18-0x0000000006640000-0x000000000664A000-memory.dmp
memory/4124-19-0x0000000074BB0000-0x0000000075360000-memory.dmp
memory/4124-20-0x0000000074BB0000-0x0000000075360000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win10v2004-20240611-en
Max time kernel
236s
Max time network
294s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4484,i,8998666007764333392,14724298544432336038,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| IE | 52.111.236.22:443 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1648-0-0x000000007500E000-0x000000007500F000-memory.dmp
memory/1648-1-0x00000000005B0000-0x000000000061C000-memory.dmp
memory/1648-2-0x0000000005450000-0x00000000059F4000-memory.dmp
memory/1648-3-0x0000000004F90000-0x0000000005022000-memory.dmp
memory/1648-4-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/1648-5-0x0000000004F10000-0x0000000004F76000-memory.dmp
memory/1648-6-0x0000000005410000-0x0000000005422000-memory.dmp
memory/1648-7-0x0000000006100000-0x000000000613C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4060-13-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4060-14-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/1648-16-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4060-18-0x0000000006820000-0x000000000682A000-memory.dmp
memory/4060-19-0x0000000075000000-0x00000000757B0000-memory.dmp
memory/4060-20-0x0000000075000000-0x00000000757B0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win7-20240611-en
Max time kernel
274s
Max time network
309s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/3032-0-0x000000007472E000-0x000000007472F000-memory.dmp
memory/3032-1-0x0000000001210000-0x000000000127C000-memory.dmp
memory/3032-2-0x0000000074720000-0x0000000074E0E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2624-10-0x00000000012A0000-0x000000000130C000-memory.dmp
memory/2624-11-0x0000000074720000-0x0000000074E0E000-memory.dmp
memory/2624-12-0x0000000074720000-0x0000000074E0E000-memory.dmp
memory/3032-13-0x0000000074720000-0x0000000074E0E000-memory.dmp
memory/2624-15-0x0000000074720000-0x0000000074E0E000-memory.dmp
memory/2624-16-0x0000000074720000-0x0000000074E0E000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win7-20240508-en
Max time kernel
297s
Max time network
300s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ItM6F0jOvrk.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pIj7ExcWU9pT.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B6EdMTSCvX6m.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\czIOAxnxIckZ.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/1188-0-0x000000007425E000-0x000000007425F000-memory.dmp
memory/1188-1-0x0000000000BF0000-0x0000000000C5C000-memory.dmp
memory/1188-2-0x0000000074250000-0x000000007493E000-memory.dmp
memory/1188-3-0x000000007425E000-0x000000007425F000-memory.dmp
memory/1188-4-0x0000000074250000-0x000000007493E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2936-13-0x0000000074250000-0x000000007493E000-memory.dmp
memory/2936-12-0x0000000000D80000-0x0000000000DEC000-memory.dmp
memory/2936-14-0x0000000074250000-0x000000007493E000-memory.dmp
memory/1188-15-0x0000000074250000-0x000000007493E000-memory.dmp
memory/2936-16-0x0000000074250000-0x000000007493E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4ItM6F0jOvrk.bat
| MD5 | 2b30f062f883eeaf7507485f470ab976 |
| SHA1 | 6367a66a64b48a0f01102d3737a0deb170759f80 |
| SHA256 | 0b83c06c042eca4cf46ec712fb056d9d42af3883f66bc3f6e41fb9ccf1f15193 |
| SHA512 | 5c42a63f50faf68fe00777f61c47976aa9e4110f28c0f03a5143453cbf2d430faa88db8730d201436b8c273dda9c4b683e6d48a2e611eeb17995344de26e5d21 |
memory/2936-25-0x0000000074250000-0x000000007493E000-memory.dmp
memory/548-29-0x0000000000D80000-0x0000000000DEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pIj7ExcWU9pT.bat
| MD5 | f8abdfbe1e5599ab4ae726248e3d413c |
| SHA1 | d9b77e59f47d282b46e60a463727cc5322df3583 |
| SHA256 | 19d98b9a9b017f2eee32aef3a4158c53ac1b61fc0a5f2e48c94d7b511cfc686d |
| SHA512 | feb4fbe85c86f735282b3d36de699f550bdb396b5e023a372b333d732f73daf1777e0bf3d88347363810436f40c180e1298af2e12524b62f83250e4074240876 |
memory/1096-41-0x00000000003C0000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B6EdMTSCvX6m.bat
| MD5 | 634a0131c6d6aff07a4954a8e26eff36 |
| SHA1 | ece8e220c2ae672885abac1f502a88eadfa12db4 |
| SHA256 | ee9d3310ec6188935cc2bef24b8b5986a0a1cf3b4522fbea14c5ad90621389b5 |
| SHA512 | c11dfbe8f809221b184bfb3962012ff79749cf992dc4601706a1f4f53dc12c81be1524551c12abba772a9183e092bb4ba3afd3347b5c0c07edeadeae697a10cb |
memory/2744-53-0x00000000001C0000-0x000000000022C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\czIOAxnxIckZ.bat
| MD5 | 73c06b67ee3a86c6b07258cc059ffb9d |
| SHA1 | 7cb3a30ab7c81ca676751a944720cef0b5bcff51 |
| SHA256 | 0e1bc4233d96fbd62346ad2f111298b7b843eb8c5eab534309046cfc9265d6be |
| SHA512 | c969da9b31d76d0c9d0ac15aa375b8673d8729855975a45ba1d34d4dff56918f51333a56c70f8b9781b99f74468db0deec31fa694045d9f36c4933868ccc19d5 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win7-20240221-en
Max time kernel
235s
Max time network
287s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2964-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp
memory/2964-1-0x00000000003A0000-0x000000000040C000-memory.dmp
memory/2964-2-0x0000000074C10000-0x00000000752FE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2016-10-0x0000000000920000-0x000000000098C000-memory.dmp
memory/2016-12-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/2016-11-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/2964-14-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/2016-15-0x0000000074C10000-0x00000000752FE000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:34
Platform
win10v2004-20240508-en
Max time kernel
295s
Max time network
302s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMUGLU4lInqz.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 2204
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsUaVSKOMswV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 388 -ip 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rlrk6Nv5Olc0.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1788 -ip 1788
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1640
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z2nzMXhVrdAa.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 408 -ip 408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1084
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqVKPNRIHzYr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4228 -ip 4228
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 2200
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7B2jOvb2GDkX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 948 -ip 948
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 2228
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qzmq2np4XteV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2724 -ip 2724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1088
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaOzuj6gdsAB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2960 -ip 2960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tZMyDdjLgfHp.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4880 -ip 4880
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3maIdbftorEV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 548 -ip 548
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LnBszR0CccUs.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1520 -ip 1520
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGG51Wi2HAPm.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1064 -ip 1064
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1604
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\blCctM76Xi6E.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1732
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YslKJFA6pUDi.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2844 -ip 2844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1668
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgWRx7O8697g.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 528 -ip 528
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/640-0-0x00000000750BE000-0x00000000750BF000-memory.dmp
memory/640-1-0x0000000000EE0000-0x0000000000F4C000-memory.dmp
memory/640-2-0x0000000005FC0000-0x0000000006564000-memory.dmp
memory/640-3-0x0000000005950000-0x00000000059E2000-memory.dmp
memory/640-4-0x00000000750B0000-0x0000000075860000-memory.dmp
memory/640-5-0x0000000005A10000-0x0000000005A76000-memory.dmp
memory/640-6-0x0000000006670000-0x0000000006682000-memory.dmp
memory/640-7-0x00000000750BE000-0x00000000750BF000-memory.dmp
memory/640-8-0x00000000750B0000-0x0000000075860000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/640-15-0x00000000750B0000-0x0000000075860000-memory.dmp
memory/2848-16-0x00000000750B0000-0x0000000075860000-memory.dmp
memory/2848-17-0x00000000750B0000-0x0000000075860000-memory.dmp
memory/2848-19-0x00000000068E0000-0x00000000068EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eMUGLU4lInqz.bat
| MD5 | 80d13a5c33019e2adf122a4b19ee3bc1 |
| SHA1 | ce5c1d4c638549ba9bb86e9b6dceba0d11bc90fc |
| SHA256 | cc6e3240d9588ae521817e710591b916dd58bc2c8a9d375c1351f87f4165eaaf |
| SHA512 | 31923b32f14d1996d93005fd0bb4eea20964b9eb0933c451bf8f1a61285cc57a44195250eacbbb93fc7716e3c4d43669e30096dd1b461bc76a19f26518dc2d86 |
memory/2848-24-0x00000000750B0000-0x0000000075860000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 7d267891675ba33661067453595c76c7 |
| SHA1 | a9cfdcf8f3409622c880f913b799b420e510573e |
| SHA256 | 638b5c16d407b3be26e534791d9707ea3314433a4b1a4753f7626c45ef9d82f7 |
| SHA512 | 72b9177777605e86bc9afdf54cb57ccf3867960e8efdbe350fdce6049871a11b06e0585d39e9a1375e094542b595f0db60708c6bd510f26bee1f17fd7aba4575 |
C:\Users\Admin\AppData\Local\Temp\PsUaVSKOMswV.bat
| MD5 | 601d15851805267dfe3e316fd45e886f |
| SHA1 | d8be1e5e29b50bfe7a3d0a7b3899c184e999cdd3 |
| SHA256 | 7f5983efb062bbc9892b79c82b53b299d90b79165ce43757721b8d0212ab144c |
| SHA512 | 47e357bd6a0a36f51ce2ffa31e6ba7ba147368b8f356387751c9bdb005af1672dd4db91fbe1af3f67c4bf3b36bdf4c562eb025b3edb85db5f9f8e9adb1869c74 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | a83f4da8419c1082b338d2182a92bf2b |
| SHA1 | 958f439aea190ec539eaa5b51c4d0f4d4c747259 |
| SHA256 | c0355425f0da6554251890161501133348dd167e55b8f7d49fc9c4d3e5cbd4a5 |
| SHA512 | 04578f56a5e3410ddd9726c20ea8a081a9a35624748cf9e6f06613c43258589d064517c1f1cfa1cb1cc7139ed40a0072a08865ad44ded070ba965050ba21a93d |
C:\Users\Admin\AppData\Local\Temp\rlrk6Nv5Olc0.bat
| MD5 | 9aa030a594e9471473a7d827a689adb3 |
| SHA1 | 378d63e34175630ec4864724bc7fd62f19c0cfcb |
| SHA256 | cf7db04791fdecad64a1789a896ee91f72b1cdf053d6c9030ede07805aa5555e |
| SHA512 | 3135276391b0421314c29968ed12ff6f0c10a0e2f5fa2e18b0457f31a62840680e5393169b0c919ff0e65e1ec7ab7deefaec0e627aa746393042a090f4f1123b |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 89362c79caa169e2b1dc16936efcdea3 |
| SHA1 | 225d871be3a42c60b3ca8cf8cb0104524db4b0ba |
| SHA256 | e3e43d900b46baf187bbd94517a34246f23dc8a5432b92dfd68e407d4e0d5595 |
| SHA512 | 02b8b74c4900530eda326e556f1a6a8f35eeb6f232e5ba12a593e3b30bf360764d5d78e5d70164e5956b2a72cf01d6d8729052b4b587d4f0b5970c7167d6fc7c |
C:\Users\Admin\AppData\Local\Temp\z2nzMXhVrdAa.bat
| MD5 | ac9997304df78fe2a3504aec6be28cd1 |
| SHA1 | 2cdc68b0a1a9acb9244d9e9b45987a62087b72de |
| SHA256 | 21966280745c029c828f0df0484e25d9e204d9fb44605b8b3533069632c5c494 |
| SHA512 | 3e031e9408b97bea5f2d03a389a3bd336e8e2d387760525c4e25905c525208b516999b592c4282b68a9c92b4c682616eaadf9629c5894c9d4599da06e4c28cc5 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 0e9729c0f2597b7c5550a4990cba31d9 |
| SHA1 | 04594143ddcd73055a926e8c8812209f585a2c7f |
| SHA256 | a830880a494e581dde2af758deb49a405b21d50394607267ecd9394de985edc7 |
| SHA512 | 9f4dbba123d266bfbfa9656edb8723faa3bb832e6e6191dfe69423308a1cd34dcdc600f68f0e90b8c4b09498402e46b50718531eb96e6a72cceb399a212448e3 |
C:\Users\Admin\AppData\Local\Temp\eqVKPNRIHzYr.bat
| MD5 | 1fbd4fa3a3f1107bb296a114062c6874 |
| SHA1 | c43e01f00b7659e369333aa579c9d22c46da3934 |
| SHA256 | aa0c4a6ad02c29644ce9dda263a5fdba5a177ded16dc46ab8111272168ef0953 |
| SHA512 | 4886dae776b37f09348f91d2f197a72e5849dcb9ddd24753c63420f02eece6b634f006ffcef5f0fc2cc8a239e13b3ee7a4ff933fd4d49700da26d4f0d4afd0a0 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\7B2jOvb2GDkX.bat
| MD5 | c119f451baef25e6ba172faf397c12ee |
| SHA1 | a51cbf0bcf61d744b7c7320b2ab2bd8414f56ae5 |
| SHA256 | bc3e31878c950cfc010ddf38ea10caa13982ec7f5abec491ab5090c506d2118f |
| SHA512 | c9fd0f398d4441a776dd2b39294e1218de68a54147d95e3ab68376d6641fca554f78a1819324e3115daea53b94a1d6287907e0f2a0871743b752a1dceff9ee7e |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 470b3230ae533b755ea1fb9ac37fa047 |
| SHA1 | 3c645065dc9cfcc35fdefd20f7b152a128eeab38 |
| SHA256 | e0fe021d3620b71dd8791a4fff3cccdce6a29e9661451b68b35ebceccbec52c7 |
| SHA512 | d81ded538069f9701a9dbc9cd497c6c6a3f4d41921a1c2408c728a1ee34e7951bcac3d4a7a875bc4056a7b3725fb3b54ad1bfed00c482a23defc3112c01fbdbf |
C:\Users\Admin\AppData\Local\Temp\Qzmq2np4XteV.bat
| MD5 | b0fd3d86cdf5d7587f61e6f849d72c45 |
| SHA1 | 995188fc113141a0a4b3f829554fa5b5205c851a |
| SHA256 | df1e64f527dfbea81c1d84bffc2b46852bd1d16d2bed019d5d47552cc2d2503f |
| SHA512 | 294f3cdea29b0960ca49b727a30937dea8662df82fc596af2497b580d5712e7131a60c7a7a7b0e4fa27f0b8a1e530e9c0d003978282d8e9370f6c56451380e07 |
C:\Users\Admin\AppData\Local\Temp\JaOzuj6gdsAB.bat
| MD5 | 59f903945f6bf6738ddd0ce7f78c4f9a |
| SHA1 | 45179e313485d4ba4ce8a180c53d17b4be7250c3 |
| SHA256 | 66f9c5bbca54dd7d0871a0e41e1d2d6166edb6652a57ab7330edd4036d7ada3b |
| SHA512 | 55c3a2a21195e42260047e78167e2ec1f03bb51d4dc4735c09527eca5095e08e7f013e9a03742b546b544c0ffe45051c290c5b3a90e0e9977a6f1043f5480e0a |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 6738b0c960c7ad8c6b2f5756caabce9e |
| SHA1 | c6364f3d944db132209d08eaae8c7cdc198a703b |
| SHA256 | cc32c992ce4d7b7864eabfb1e72d99703ac1790938726783cdef562e3ba7068b |
| SHA512 | 606ff03690b954dc456c1d450f70eb722f50cb49b10c4c66e640a395effad2d98b2e630e75b2a7534a2d404b79b825a279f8133ea2391ca3bdedd8a45e28b1f1 |
C:\Users\Admin\AppData\Local\Temp\tZMyDdjLgfHp.bat
| MD5 | 98f7cec0ae736cdf36586fa8c1cbd91b |
| SHA1 | 9381fd5011769b2f7c726de000c67dbcaca749a0 |
| SHA256 | 57efc5f19ab9c6e032a9629896784de0f80a006785e4d8ba4581b4a87f9ef8eb |
| SHA512 | 2a87c4e6956d916a113bcdd7552be2eda9b128011aa40f44cab1d9fc305289e7289d2d9399478edc1b357be8fa14aa05ae09f6067fb7017952d760077a7a0fd7 |
C:\Users\Admin\AppData\Local\Temp\3maIdbftorEV.bat
| MD5 | 669664d89406c134ebe508f1ff97bd0b |
| SHA1 | 023ec874bc6b16777977cf72181d1fb4a969f8fc |
| SHA256 | c1b705e2d4ca0a5e5d72195100eae87c5c9f7498953fc710ccdfcee5f42ab29b |
| SHA512 | 67d630f3323463ab9dbd452d06628e013b180c94c53991385ab4d9ad61a290a4ba4bb97a4da86838503a8af37bc6abdd2b4699580b19bbd6172e1f52b49f5d02 |
C:\Users\Admin\AppData\Local\Temp\LnBszR0CccUs.bat
| MD5 | bf8672a5b1402c1e604fcda4fa4f78df |
| SHA1 | 83c977daa8b364db55b63d4605d7d34aa13def6b |
| SHA256 | 217d0b2cdf30b9b1162cdc235a2635f7966a12833490642d4d0782e1b28ea9bc |
| SHA512 | f1f226cdfd5648670eddcda3bdda8c305b6fe813792fe28ba3e9a22a7c820b31de2d8ccaf854a036bb1b1b2eefbb49c81ab5b9e4c7876da4e30bc5ff0b9ce121 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | ea3d4b298a36befba19504dea4d44211 |
| SHA1 | 030c312d7afa348be7e3be5af705724301748be6 |
| SHA256 | a5d120cf205a84a1cdb4bf38e534a9376ce8a3e2b61732a4ecea05a57240107e |
| SHA512 | e6e0d8e6c751ada704affa5a8fcc9c1f1f963ee3f4399dd2e2af21f9b8f5a2f32930a90cc07b0a5ef26b199a2289c8c0e7812a8a77e36b82bd51f72ba3239ede |
C:\Users\Admin\AppData\Local\Temp\vGG51Wi2HAPm.bat
| MD5 | c315a63d1e5a2377b1d9428eba107279 |
| SHA1 | 0b494ec211ce7803ab79c3c5af59ab4c2273e086 |
| SHA256 | 1f7377c91fcbfaaf67560715f4fbb5853e4f45f2369ad756c181f81d70ca4c6e |
| SHA512 | 665931e044996d92b0ffff3e2b3ce55d5823789c7a7bf2a1e3736ae0bafe3860ea3a4f113f9411d0c65042ad1e9b75256b1ed6e25d1acc2af2ac9795cf5cf8f2 |
C:\Users\Admin\AppData\Local\Temp\blCctM76Xi6E.bat
| MD5 | b6aadfacacdde6f99cf4041e01d62e50 |
| SHA1 | dc753acdcb7b09ca79562ea05b4784d3ab5ebad5 |
| SHA256 | 20563a21bf5d26d4865b10f386539aadc0349fe45501abc8f06dd7fef365cb98 |
| SHA512 | e9c7b70d4a48e3852f30f7c508b70a66eb00bfee694beb0ba45230880d10c09212b10b9f4f093987155e15f0f566899885d639085835617cfa4a26d7e3f78f30 |
C:\Users\Admin\AppData\Local\Temp\YslKJFA6pUDi.bat
| MD5 | 4ca70d06fc56e8958ac0adce98be5a25 |
| SHA1 | 8f170b60ba3ece0e6b4c515aab883162d3bc7b3e |
| SHA256 | 87bd194f66d3827efbff4989bbe40a7693b6630547df3aec781d14850c1549e5 |
| SHA512 | 876115d8d70bd4068279fdecaf1b0d92826e70e442045bc2b03be0685638105f0feb8736465671dda73b5b16fee35e94dad7a4400f7005036ba689833ad2a23f |
C:\Users\Admin\AppData\Local\Temp\sgWRx7O8697g.bat
| MD5 | 328b76688f2ab18a93b126ac8627947a |
| SHA1 | f407cd1710104d37538f5c6d5c745d5559a99b5e |
| SHA256 | fed0a5834a93fbd7e857a9114e68f6ec51234eab238affe29018928be2931801 |
| SHA512 | af1819b57c4a48f7b01fab85e9b83fde0324f88c1b77e56fca5be1494b838297500f5c297c6df68d028fcb8434ec8c90876083575a022edd3344b574708b99fe |
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-15 07:29
Reported
2024-06-15 07:35
Platform
win7-20240611-en
Max time kernel
273s
Max time network
306s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/2208-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp
memory/2208-1-0x00000000012A0000-0x000000000130C000-memory.dmp
memory/2208-2-0x0000000074CC0000-0x00000000753AE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2656-10-0x0000000001330000-0x000000000139C000-memory.dmp
memory/2656-11-0x0000000074CC0000-0x00000000753AE000-memory.dmp
memory/2656-12-0x0000000074CC0000-0x00000000753AE000-memory.dmp
memory/2208-13-0x0000000074CC0000-0x00000000753AE000-memory.dmp
memory/2656-15-0x0000000074CC0000-0x00000000753AE000-memory.dmp
memory/2656-16-0x0000000074CC0000-0x00000000753AE000-memory.dmp