Analysis Overview
SHA256
956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4
Threat Level: Known bad
The file uni.zip was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Program crash
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 07:31
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win7-20240611-en
Max time kernel
252s
Max time network
310s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\uni\\Uni - Copy (12) - Copy - Copy - Copy.exe\"" | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2924-0-0x00000000749DE000-0x00000000749DF000-memory.dmp
memory/2924-1-0x0000000001230000-0x000000000129C000-memory.dmp
memory/2924-2-0x00000000749D0000-0x00000000750BE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2704-10-0x0000000001030000-0x000000000109C000-memory.dmp
memory/2704-11-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/2704-12-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/2924-13-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/2704-15-0x00000000749D0000-0x00000000750BE000-memory.dmp
memory/2704-16-0x00000000749D0000-0x00000000750BE000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win10v2004-20240508-en
Max time kernel
296s
Max time network
302s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iHi3NjG3kkQu.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2880 -ip 2880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1908
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PDo2sHZqhyxw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 552 -ip 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1088
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CrJNneW0bqOc.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3700 -ip 3700
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1080
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CTn3jSpV1A1E.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1672 -ip 1672
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1640
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCpmmCfkb5ZI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5104 -ip 5104
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vRgZmfwwltum.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5032 -ip 5032
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\assalJzEbYwg.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3040 -ip 3040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9n73C1G8DSNk.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3628 -ip 3628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\km52VvtnHFTO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1544 -ip 1544
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1720
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vnz7wi3Fjakg.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4412 -ip 4412
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1668
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuYoMa6F1Ls9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3948 -ip 3948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3tWnfUju58yn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2224 -ip 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZnwWJRqUBEiy.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1052 -ip 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1668
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UPMPx8HQn2wX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 412 -ip 412
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CPRkbBIYkYWu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1324 -ip 1324
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1676
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/756-0-0x00000000749CE000-0x00000000749CF000-memory.dmp
memory/756-1-0x0000000000420000-0x000000000048C000-memory.dmp
memory/756-2-0x0000000005410000-0x00000000059B4000-memory.dmp
memory/756-3-0x0000000004F30000-0x0000000004FC2000-memory.dmp
memory/756-4-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/756-5-0x0000000004FD0000-0x0000000005036000-memory.dmp
memory/756-6-0x00000000053F0000-0x0000000005402000-memory.dmp
memory/756-7-0x00000000749CE000-0x00000000749CF000-memory.dmp
memory/756-8-0x00000000749C0000-0x0000000075170000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2880-15-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/756-16-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/2880-17-0x00000000749C0000-0x0000000075170000-memory.dmp
memory/2880-19-0x0000000006AB0000-0x0000000006ABA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iHi3NjG3kkQu.bat
| MD5 | 84970403fa7ab8e77aa1f14a66bad681 |
| SHA1 | 36a6f7db1211ca06c2ecac0b19fc7dc3bf95c174 |
| SHA256 | c82636d26fb74543e28a636d38bf2c60374dc9f78e3674d298bde2a45a82cda4 |
| SHA512 | 0188e432e5927983947007b6d9205d758428dab5698e7e1686704075a658fd47344e1984bc56f3e9e5cd5d1bf6378dbae17cd42429a0e0b6d943545680f91f94 |
memory/2880-24-0x00000000749C0000-0x0000000075170000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 73821baa8f3cce64ffdacf2fc7d5c512 |
| SHA1 | 015e623e4c4e0acf6777441287e532e2c2df5281 |
| SHA256 | 371d2f4a33623938b6743bdabe27b8c14b2075aa4c6eedc23232240714223080 |
| SHA512 | f5b24e18f4da775139bf5223ff9f61c83b20f06f5951cc4dd33c395216e1fcdf347f84f509b0b57ddc40a445865b6429ad8835b9d5ca3f80dec936193f254077 |
C:\Users\Admin\AppData\Local\Temp\PDo2sHZqhyxw.bat
| MD5 | 11f3bce5fae64624bee64fdca87de098 |
| SHA1 | d15682c4b8845c79c2f49de355fa04d9338a73b0 |
| SHA256 | fa36c0f410ffb06fd4635fe725542e1f0fd24a935f1bf25983c7f7022d4c5f94 |
| SHA512 | 9d26372ba90c444aa88827ba2a9b95b7d9fda13533b6714601547023091b12c11c6b7efcc20dd8a20d729f4805443e2672ca1f8d1b135ad80049983244c96e58 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 97a8501e31d232b0a939b8f3592e9f43 |
| SHA1 | 7589cbc2c6efe87086f9271db861ea6ce3e3b538 |
| SHA256 | 9ec98518d1757301b3ce3dedb1ed6cce9433277954db0fd98192617d10ef72d7 |
| SHA512 | 921c3db7fc2d9d8cfc66a6357f86b3e572294e460471973d671041b3d92fb32ab6792a63d397b52f3e5413c7e458830af145b68a53427538a52bfbd0966f3152 |
C:\Users\Admin\AppData\Local\Temp\CrJNneW0bqOc.bat
| MD5 | 6f9946e350f6358a3867c4cf049d0091 |
| SHA1 | f5604143fefd10ab07d4b55a50e465b1130e63af |
| SHA256 | 37965aeff527a0ec09fb2f67653edcc5c89696b27a9557cf8dd9e5abfc79f497 |
| SHA512 | b46a2bf2b4ef2daaa1dab32fe4443dab93112aefba961e8cb1d4918bc398236e79c89c03865a1610a1a68b6154e5ce3ac6c325224f763f7b8e8771008976a714 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 35aef2fee10a41e8d2c7c9123faff4cf |
| SHA1 | 625438a02e3b62cde5a3850226f46f3c35a94c5b |
| SHA256 | 00dcee2ec4fe467d4574e9ac351737686796fb7dc29febd56e47a7c23f8d416e |
| SHA512 | b8050bea02c4f831de58c0975fdf7a2970d01088ed426039a481d974194f2f34d68bc0eb9bdbb05a361d09e9e33b0b876112662e213daba166dea90b5cb55b31 |
C:\Users\Admin\AppData\Local\Temp\CTn3jSpV1A1E.bat
| MD5 | 8923da715014849cfd21749dd4f4f4ea |
| SHA1 | 2b6630e02ec2841e4750268a1af8162333915f1b |
| SHA256 | 171cb8377ca6914ed04140a4b072171ed78e0a4b03274c37f150ab784e949a29 |
| SHA512 | 15e29138e0b0c249789a6e595ebd5a46ec067a30a90e6498ada2894ce651093b839d01c1c25466b3a9fddfcfa6112be97f03690d57fa19d3fe774d142b64f354 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 9c8ab48b4d1bb586f14b2e06c90a13e1 |
| SHA1 | 442bb7e73c19d32390be97cf38ca0b988a2624ec |
| SHA256 | 370df25280eb7739b4727479103f22ba49a604b130e6d31e7fe104f631bceae3 |
| SHA512 | 20eff8553937425e4b6b2774e7018f38d6dd5d2283e649ad942888544f94e83cb0537077a566da1fa3c4eb5d95fb9e1e22f3a86281f571cb355a928093d089a6 |
C:\Users\Admin\AppData\Local\Temp\eCpmmCfkb5ZI.bat
| MD5 | 695aaf3902370db9fd4853f00cdccc79 |
| SHA1 | 39c871555be8c034e9a90f2c0b8087170181fb16 |
| SHA256 | a5384dae8106dfb63426e8b82d9927787398b960ad2679cd9c53333fc211c935 |
| SHA512 | 7c54b4230e4bf88a93e6d8028a0add6b97742824a925da0adea5a35d3a6e186c13683e095fb95db33ff15ecbb6054b67465122a5b2346b65495d750cf64c9572 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 3579edcd5968641238a2f8e3ed9783a8 |
| SHA1 | 83eba73ebae1ef1aedb4a6c3f8cf64097671dd43 |
| SHA256 | b77181c0555d15c9b13003299c98e3e459cba3a20fdb860884b237913c8e537a |
| SHA512 | e053bef892573053564f036c2bb7b96252bae9837a2397e956b761e4f24295cca03f7babbea5c9f5254b3a336e7377203860a55361b835d6bccacf231d6107ae |
C:\Users\Admin\AppData\Local\Temp\vRgZmfwwltum.bat
| MD5 | 971f4a22757808236dbccae5033d2554 |
| SHA1 | 5c5778266aec7aff9894e274c1638a36e444ff18 |
| SHA256 | 0bdc7d794522475cfcddb1a37396435e15dfa6c2d5a6511e0cc1a9b9e4b48015 |
| SHA512 | 3a07ceb9bf5e941492a23acc305b78ca6caaede1c15b455e0b4f04615c16d42a340e4eb0b7f9cf035b939f999cab849169bd04758df73f02a754e8b571e3940d |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\assalJzEbYwg.bat
| MD5 | 59f6b811be73baf3d4547541ae1036c0 |
| SHA1 | 34d111c077bc1f0abdc2ba0fe3e94ec0e63915bb |
| SHA256 | 11d1949d25218a19803edac0a1cf5115fa233ef34695fe452143049f428c4011 |
| SHA512 | 5fde6e8a19c0a593c79c06c423f4bb8606b64b8f3165f0d73bf81fa704d0b8f0771d810ef4c6044b52929d83e58b4e2382c6214e5850a7bb2db21a76fb0fe0e9 |
C:\Users\Admin\AppData\Local\Temp\9n73C1G8DSNk.bat
| MD5 | 1d5da11196593cd39a927d22b91e90f2 |
| SHA1 | 6d13f4a371be346e4bbee367af50f5bf17d56aef |
| SHA256 | c574176f3d2efd02e202e7d982c2b24068e91465ccd21fea8ceb9c5195c70d08 |
| SHA512 | 0870f223f8ba7587038e1349bd1305197be037b7f65ef72c9d2cae9217f33c2f9a9d4895d24e06bcd9218d69ec89ee250fa76671bf4a05e413582f965a080249 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 80b820727bf831600e2e44d375998401 |
| SHA1 | aad441d2010fdfb0eb5d0813537e0b9389251c49 |
| SHA256 | 854f473cca45cd24b82a0e2deded10038b963c21227749398dcb05bfc21dda17 |
| SHA512 | 1cb4f69e7a7ba0fb55c24bb24df7151651e8b91ceca42feeec6211dd05927781e352933f042fea210892e092ef0d1b434aa347d4f5ef9b3ef2bd9303bf88f58e |
C:\Users\Admin\AppData\Local\Temp\km52VvtnHFTO.bat
| MD5 | dc660bfa334b132d63748b98ddff3be0 |
| SHA1 | cf11c98fa6288b0986a1d8ab03b78515b9152889 |
| SHA256 | bbcd7e53e445c153df5e70f8b6faef5c5b9428964a485ec2fa328e1adb45b127 |
| SHA512 | 521b6a53b7fa4cc7a6cc73060f2cab6317c80ee8d70ef3460e628158bc6583b3b5c681f6f45748874dee2360c0a53e33d271ac23c204f3b5d3aa666e2b4c1df9 |
C:\Users\Admin\AppData\Local\Temp\Vnz7wi3Fjakg.bat
| MD5 | 094b8e6665858a2811ed0c4d38fda8ff |
| SHA1 | b72a1e507c554839a63b5e7e6ecf2479963ffb8e |
| SHA256 | 6e2b2e453a85ec7efa350a5f188b53325740336adfb18a4c14fba7a188788dfb |
| SHA512 | c3a823c02497fa266fc7fdc6a33eaa52108fea048760c43b538aa70ece65ea23ebb35d448a36833367dd66d870bf9ffc54614cd786af9b04e6d8cef5315864b5 |
C:\Users\Admin\AppData\Local\Temp\SuYoMa6F1Ls9.bat
| MD5 | ffb480d0a14040790276ab29846d5200 |
| SHA1 | cb928b38f21fbaac75d2d4e56be4ed3fdedfb76f |
| SHA256 | 8348741fe4e880ef4b4d39e1787c0ad085fbc3d0c18559ec0bb787470c526fce |
| SHA512 | 288b81e871e2b833ce4a482f9c3a80f93cbeca2d81ae65e4eacd9c208c8b41c59dcbc1234f1541500263f7ad46b01cd9ee54389ba24f1db1038300e86af86f7f |
C:\Users\Admin\AppData\Local\Temp\3tWnfUju58yn.bat
| MD5 | cc77247929bce6f8a72a279267d86466 |
| SHA1 | 75c98de2f9665053f904a23a5e307d4e9ceb2aef |
| SHA256 | 5067a1bf303b310facc626cef2732708f519e58715f8b4ff0208282ff4cf1a60 |
| SHA512 | 7e459144720e57bfa25971fc20cb2b2b33eaca640dc281f253978242e9036bf3967506a8a96601f3cbac5113e8127fa8ac5d1ff60437e3ccc996be93d36da1c4 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 9a13571d3e74285d48248d7699b172ab |
| SHA1 | 921bd313d985b0086c956fe92912953a66ce2ee0 |
| SHA256 | 9f56220c20dea7e01ce8916364a61e2e1c9efa1a120e1273c12a64410660c1b1 |
| SHA512 | ba4f1efb388264e8910904dac3f522b4925ec022027d45c7f0d271e990271e9791f4eb8be3e5f27069e55bf650da23ef2bf07bdeb0936b4b0edf10f53bc68006 |
C:\Users\Admin\AppData\Local\Temp\ZnwWJRqUBEiy.bat
| MD5 | 5586cff564df9214934ea93a12d49878 |
| SHA1 | 9e550138e9df05ce7a52d7162815fd2c26ad27ab |
| SHA256 | f4994d12c06d5e21606ae2455fe8c582813ff9ad6845c28ebdf9ca5b706a74e0 |
| SHA512 | 018cfe67fe373242c7b322c7267d35f1f0d6ac5efda72eda2662c72b010ed20671c5f1a20a26bbd39d3b9a57e9a5bf800810955f5615dbf1d7c7a32df683b828 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | eff94a02c91b0520cc8d8e074776c652 |
| SHA1 | 97dfc75eb57413109e92cb8b7275eefd2df5241b |
| SHA256 | ece0444f7e89eaebee5343bbcfd6cd1dae15517a9bd760d47b3c1c98148be7ea |
| SHA512 | cb9e0b4382b2f42b5d4a31ed991c597ba3945e76b2e2cad987ca42e1e971e948d11c124f5ab506d97d9499281be8212db96275f9b7aa61c37ebfbc399e3a05ad |
C:\Users\Admin\AppData\Local\Temp\UPMPx8HQn2wX.bat
| MD5 | 750d32fa2b2f6b886e8d3b7d1b1da2ec |
| SHA1 | 42312ad1843bda13839ca92d5801ce2e6594dd3d |
| SHA256 | 4703c9fb0d2f51a127988d5e3ec542a49275e2d8598c5f8a2f0d51657274a20c |
| SHA512 | d07fb3d2334d77a9c81844473de101de09c441100bc10b6d6914e1cc49122e9767157dc57e5f2c5d10242d2d08a84428c339461a7fa2ab51037340aa7dd09193 |
C:\Users\Admin\AppData\Local\Temp\CPRkbBIYkYWu.bat
| MD5 | 4fbecd9396cb2c9f8034896873f2baf8 |
| SHA1 | 2fc93f5f764b3b7bbffaedf97d388eacd5cf12a8 |
| SHA256 | d8dfdc5c22ce4f1071dc9ffb79f15874cf0f68ef54a9bb2650dcca6ecfd46c14 |
| SHA512 | bd737ee501c5cfd2b629eff47d34ae4505ce89957b8448632520d0c9941297c1cc3fa8490bd7632d76d3611c0b3e8384c0d8853f5da5876730f2a79d2b2842d8 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win10v2004-20240611-en
Max time kernel
236s
Max time network
291s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=1064 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4220-0-0x000000007496E000-0x000000007496F000-memory.dmp
memory/4220-1-0x00000000005D0000-0x000000000063C000-memory.dmp
memory/4220-2-0x00000000054F0000-0x0000000005A94000-memory.dmp
memory/4220-3-0x0000000005010000-0x00000000050A2000-memory.dmp
memory/4220-4-0x0000000074960000-0x0000000075110000-memory.dmp
memory/4220-5-0x0000000005100000-0x0000000005166000-memory.dmp
memory/4220-6-0x0000000005D10000-0x0000000005D22000-memory.dmp
memory/4220-7-0x0000000006250000-0x000000000628C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2528-13-0x0000000074960000-0x0000000075110000-memory.dmp
memory/2528-14-0x0000000074960000-0x0000000075110000-memory.dmp
memory/4220-16-0x0000000074960000-0x0000000075110000-memory.dmp
memory/2528-18-0x0000000006B10000-0x0000000006B1A000-memory.dmp
memory/2528-19-0x0000000074960000-0x0000000075110000-memory.dmp
memory/2528-20-0x0000000074960000-0x0000000075110000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win7-20231129-en
Max time kernel
235s
Max time network
288s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1964-0-0x0000000074C2E000-0x0000000074C2F000-memory.dmp
memory/1964-1-0x0000000000080000-0x00000000000EC000-memory.dmp
memory/1964-2-0x0000000074C20000-0x000000007530E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2576-10-0x0000000000C50000-0x0000000000CBC000-memory.dmp
memory/2576-11-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/2576-12-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/1964-14-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/2576-15-0x0000000074C20000-0x000000007530E000-memory.dmp
memory/2576-16-0x0000000074C20000-0x000000007530E000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win7-20240508-en
Max time kernel
296s
Max time network
299s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PTPrJgcWYyqF.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q6OsElqPpI94.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nutONIg5GfQN.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9iOuVpVmg3hg.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2132-0-0x000000007448E000-0x000000007448F000-memory.dmp
memory/2132-1-0x0000000000F30000-0x0000000000F9C000-memory.dmp
memory/2132-2-0x0000000074480000-0x0000000074B6E000-memory.dmp
memory/2132-3-0x000000007448E000-0x000000007448F000-memory.dmp
memory/2132-4-0x0000000074480000-0x0000000074B6E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2952-12-0x0000000001300000-0x000000000136C000-memory.dmp
memory/2952-13-0x0000000074480000-0x0000000074B6E000-memory.dmp
memory/2952-14-0x0000000074480000-0x0000000074B6E000-memory.dmp
memory/2132-15-0x0000000074480000-0x0000000074B6E000-memory.dmp
memory/2952-16-0x0000000074480000-0x0000000074B6E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PTPrJgcWYyqF.bat
| MD5 | b9d4521957f7ebadbfecb46cf7566734 |
| SHA1 | dda62bc6e871d90c07a762667f74b330dd6d5d0d |
| SHA256 | 8f79c98f1a63e22f4a704540e6a35cb19d1c25fea1a2f49cc7cee40b251ade21 |
| SHA512 | fef6f2b50627dae7012876c2ca1dd0844e4c17747a0faf7fc8db33c1df54265cd2abbed64be652d16c9d975e3a132fda2d807574cbb7b6147d00b20e60ddbdea |
memory/2952-25-0x0000000074480000-0x0000000074B6E000-memory.dmp
memory/2272-29-0x0000000001300000-0x000000000136C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Q6OsElqPpI94.bat
| MD5 | 575c3ddcf5007896deee8d5d81b399b9 |
| SHA1 | cae4555e9b7c336b71ac43f012c4efcfa474f0e9 |
| SHA256 | 6e5f7d4438238b9cf9863e8b472b1b90ae8dd3448f1dfede048c812726c02ce6 |
| SHA512 | d92fc084d57488a12979e3bc50f513c0ae610bec9a6e67e38975e1ef02d46f69b7c4f59e9bfe873415ddce8ed3f52d22a6459bd288c02cdb0b8b6513680e692b |
C:\Users\Admin\AppData\Local\Temp\nutONIg5GfQN.bat
| MD5 | 7633d49ac8e08380a5af16ef46ed3640 |
| SHA1 | b8f1b9c7f740cb75e90ad2559c752010f396278e |
| SHA256 | 14ab247fd0bbce38982cb3926ebe0a385b718c4950d7ea25cf1f812b87d5e0a3 |
| SHA512 | d6ebbeeb77d589a646cf473090641d236d00191ab0b064e4670b3d94540583e3736c288f456f7c2f37f9b48fd3b9fb01f825d86a0613af105ababe2aa34cd9c8 |
C:\Users\Admin\AppData\Local\Temp\9iOuVpVmg3hg.bat
| MD5 | 8125471393a09d59a2b1974d473ae8ea |
| SHA1 | 679b9a865cb61b325dc1931de78a915953c1d278 |
| SHA256 | f77799c8d386e5c7e97d4c3703e5754d0f17a5b0a4f0c56c35a47ecfe5fe2d5d |
| SHA512 | 7ebe06ae0501e5202f1b7b6752df8bd4be1b06620fde9950bf056d9c77fd067a207d1ed787813d01c8b32ea256844fcec325c12e0f7b8524b9539c499d228233 |
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win10v2004-20240508-en
Max time kernel
298s
Max time network
302s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V03PYytV1Bgh.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1756 -ip 1756
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 2164
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\olpA3MPBIYXK.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1644
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C8El6LET7fd1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 412 -ip 412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMEEG1pSgSDv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1236 -ip 1236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 1656
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rZQm5zHmxLeu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2472 -ip 2472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1644
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caKrWmREPfvB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5056 -ip 5056
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PfxSplxRIts2.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1340 -ip 1340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5AtyhcLUYSYV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1960 -ip 1960
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 1516
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5qM0ltMLx4ES.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2020 -ip 2020
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYRVPfhpPJIE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 936 -ip 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1720
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KTMTlP9ZNciP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3192 -ip 3192
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dH7bPHNaeHcN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3404 -ip 3404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1712
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOgIpAQbx3jr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3084 -ip 3084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1672
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U31xaI3ySwv5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1688 -ip 1688
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1524
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwdwRW0E3DyM.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4216 -ip 4216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/2408-0-0x00000000746FE000-0x00000000746FF000-memory.dmp
memory/2408-1-0x0000000000600000-0x000000000066C000-memory.dmp
memory/2408-2-0x0000000005520000-0x0000000005AC4000-memory.dmp
memory/2408-3-0x0000000005070000-0x0000000005102000-memory.dmp
memory/2408-4-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/2408-5-0x0000000005110000-0x0000000005176000-memory.dmp
memory/2408-6-0x0000000005D50000-0x0000000005D62000-memory.dmp
memory/2408-7-0x00000000746FE000-0x00000000746FF000-memory.dmp
memory/2408-8-0x00000000746F0000-0x0000000074EA0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1756-15-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/2408-16-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/1756-17-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/1756-19-0x0000000006240000-0x000000000624A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\V03PYytV1Bgh.bat
| MD5 | 8665d218226c5250e1a4d4ba4251e1b4 |
| SHA1 | 82a7a4697e3d69f48320a8ce317a53c9c4e0047a |
| SHA256 | 721bbd953356c5391b22c0fd75335201eeec0f43d5bc6ddbf4f048b66aff10bb |
| SHA512 | 10854cda698849c41cf7579ac2af585229a135a19fd544b4bf4f814f30859e935b6b56127fe8d0b877f160f02ab4b2b436d3575eeb0fb8b2952c1a822b6924d1 |
memory/1756-24-0x00000000746F0000-0x0000000074EA0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 0d42f062dcac90c2480bb300c6556000 |
| SHA1 | 0843eac63afe066ee95d028630c63868df5a8edc |
| SHA256 | 4e19a1c5dd16cc6aba072b902f15c5785941450e52d455d76ea2568252ce4737 |
| SHA512 | eb9443f9e36bf91412ec8590d9dd8ffa93edab43d1b99f93ca316918495f4155574f77841fd9b951bfc7cd77410fd349568aaabe5d1a81332da074f25149167d |
C:\Users\Admin\AppData\Local\Temp\olpA3MPBIYXK.bat
| MD5 | 217899969d00cbbd3e263eab786163cf |
| SHA1 | 01919fac7e22f7d6899b09793b1c1794b5f5b535 |
| SHA256 | 428cdc160a0b8e1d164a6ab5435d74e91f06abfb4a707a73e55450b8ce9ec479 |
| SHA512 | b78b1e07e8080a7347e49ee18d8f993c22637b514765d393179442254708bdd9be15a41dfeee93cf863b12e98e01ac7840bc56ec889be50c57e30a4a2fc4d9c5 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | fb2a9a4160b8c71e08b4b910f978984c |
| SHA1 | 3b1c1100f7791822082d79e3535260ba4d94cb5e |
| SHA256 | 6c0be66cd98a2d38b573457ec5afd03bee6f80789d04e16493c4679145b0b2e9 |
| SHA512 | 391396aaded445635b1cf8169e8b0053922c95c7e3599a9f61f5571d01beca3c1181d53254ac6a52902db29772b2a6be1b22203d11cb8db5d838890248d34a9f |
C:\Users\Admin\AppData\Local\Temp\C8El6LET7fd1.bat
| MD5 | f4fa4265425039619f2987b9323e5e04 |
| SHA1 | 4e1961a2092d5864a4e7ee11397a252a0200fd10 |
| SHA256 | e85014b624f217edc74ce8f12a8de931cf7de7f6784596d875fc5d9c220558a7 |
| SHA512 | b6bd97748849d48d550bcf1db0f2a5f4e67ebaf9f2ff1b801fe9278184b67838362c80ef70414d31fb3e8027c3d14dae618c6fc5a2ef954f61e215097bab36b0 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | ca6d495809fc66fef2f80801f99b988b |
| SHA1 | 932a9f804b3bf2245e50dbf11cb5a972939c8d00 |
| SHA256 | 50dc0711fa714f161cd4ac2d4034d1396002af261ee84df6920467ab5abf619c |
| SHA512 | 5c8d52330ecae09ee4fdc1196f02c96899bec59709119286388f642c2053b5a76e807aebb444cd9b7152500f36608c8f71847f47668daec0c190471e2cd4fa81 |
C:\Users\Admin\AppData\Local\Temp\MMEEG1pSgSDv.bat
| MD5 | 4c02ddba076d2401f34a6db7b4b6207a |
| SHA1 | 2b16c0f8f08ce6d675753d440104d2efff8269a2 |
| SHA256 | b4e5f2c395ef678509cf0f06827e1ed0d9a2667db9a1bd0b65512f3a99803b64 |
| SHA512 | f388d06086b5ac4450f29725d5825aebcbc0a4873bea9c23ac2ecface24e3ed8e9e000ff0cc80cb85880772484ebb558af85b458fb57616a607b7858cee575ef |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | a8aad513901d3e48ad4b08475be13113 |
| SHA1 | cfa74b58113d50ede2386465a7e9d612b35daf46 |
| SHA256 | f92f2530ff2342c0972931484bc06ceba782ab0591dcf3962b6b1d863804900c |
| SHA512 | 78b3b8b763e310f905c1d402ea98646add609b3d08cd0f3ebff4e5a018f5346068f169251ee24cfaf9f1650d6908eaee607edf9b8197ed96800bb032d8b35d14 |
C:\Users\Admin\AppData\Local\Temp\rZQm5zHmxLeu.bat
| MD5 | eabb42b9b3a1920be3520b5dc8072791 |
| SHA1 | 06b7968419c5934e2d019881e3e9dd65b3d175e4 |
| SHA256 | 621458dac7301d3c30b6045441e98dddec2a49a6fbe063e76c750f00e0bb148c |
| SHA512 | 164d947a3bc4d463c62748484b82b380d9c29a8971dbf1475171d3536320e7d805b6e9bbebb524554df3865b249aa73bc30fc5288f197c9ac894654739a6e13b |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\caKrWmREPfvB.bat
| MD5 | b99ca64307f9664e9e53aa5dfa56f8a7 |
| SHA1 | 003d93c8d21a4c68e539b54514294518cec9b025 |
| SHA256 | 1c19a54d41127fba3738417e7d61ae93a564e8f8972258f5929fe3a77fb1fe6e |
| SHA512 | 4bb021d304e0c7375a7abcec24b5aeb733ff300a892b0c8e76f8b2af9017e0b2bd4033d3707fb5b8ca7f913ca46eb4aa0fd0d7af379e9f632f88550c8e5488bb |
C:\Users\Admin\AppData\Local\Temp\PfxSplxRIts2.bat
| MD5 | 018ce2b4a7a2846fe65cf73810e53114 |
| SHA1 | a86afd2e4fc083ab9ce28414759597225d80d8ee |
| SHA256 | e11f22089452897b32e3e7f207d39b744de1db9054c1a97051a582fc2124e78f |
| SHA512 | c9de8f9de08fe26330ec792a5ca214c795cc47b8f618dabf44972ec0855f4678145c9d95b8c053da91cca85734c736cb6f75cbaa9c4b64a257c71089acf4da35 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 671fa015b2a7ec5df347033e39a30ef0 |
| SHA1 | 28f43c1f78d61a4e0dfba66c79c544901426c801 |
| SHA256 | b861174a78691a479192ce44b54b08de9f9f30d2c1770fe105d2088f9f12a994 |
| SHA512 | d3c1d6dd7c922264d1faad4e39616fb860868b6dfc8b005460b313afec3cf8011dbff5aeb671b74e4065081c384ddfc2327cd8be66c53ac71071bba95c1d3c0b |
C:\Users\Admin\AppData\Local\Temp\5AtyhcLUYSYV.bat
| MD5 | dc8847e6a864c4d67a68c47d4c093a72 |
| SHA1 | de85882294445d1e829dda604c271b833b411b92 |
| SHA256 | 2abbf0f2491123498a07773c39826bcee91fabf04b7a37c876045c58ab220ecc |
| SHA512 | 354a4367c3ec3ea95a28a749e96bfd0f56121ba345ca87276ab5fcfa6cdd92cbe3a8e669536816067795765c8d4a047aea98e339f4b98e0668efe9b029c7e4aa |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | bfc5cff2e60ff8d0ed1a3c91551b1caa |
| SHA1 | 111df6f23c9b590bddbffcd6c6c361fb5b9b2353 |
| SHA256 | 20a89d4109c8fbff1d72a3ce5885ac6bc646cf9228832d7cbe305933d47514f0 |
| SHA512 | e3743ddef6bffc9258bf42d7d4d1cc3d454e1be479a50ae322e66109a910d9cbbafe26fcbf5add3c89f78e23b40efd0403552d3f07ae620078f012eb512b3e5d |
C:\Users\Admin\AppData\Local\Temp\5qM0ltMLx4ES.bat
| MD5 | 9e58f0f30994a2af762784fe3558c2e9 |
| SHA1 | 6bd4d6211b1149c40a97b65e730751f3b84e55d6 |
| SHA256 | 0fe1973d0dbf0479821d9b3400aa445ecb730f2e47ad4933906598a3fc1725ff |
| SHA512 | f09df30a22c71b2345726e1dc487d7d202cce3d13418468ad4f6660e326883c7a287ef93c6aa0a2a9a075bf9bda2e852a102678de799e9ebb74df5c6670ab1cb |
C:\Users\Admin\AppData\Local\Temp\DYRVPfhpPJIE.bat
| MD5 | fa3c37023f3725a647a8aaf44ca89314 |
| SHA1 | 1ed0e4c6bf9d71ceb8f8e73a1a95effa77784356 |
| SHA256 | f02a42ca43a9e509f1e023b5acfc3350b451d3c88160209d4a8972481cbf7a74 |
| SHA512 | 9a7cc2bb54a27f16371545c3f33e1be3ddbcf21574ca62ce3088af6d4861d1c1b63ad2e5b8d220f15f01955ff30d3295c882a56980827eec7b14e066d1d115e3 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | fe5300371a7d1851af5bcd6f5eae06aa |
| SHA1 | 8ccd6e85146c295e186398b803a83668e289073d |
| SHA256 | fd011a3d6b992aedc5ec7a83099e1d56f44e284bf4b95ec6735dfc92d5fde146 |
| SHA512 | c2fa063cb8ef581aad4a3ad63653138caa67a6af8f8fc16387fccb416b88c4a7d5f44279b092f3200808226ecff0087b62be7443490bdc77cf9746751822b68b |
C:\Users\Admin\AppData\Local\Temp\KTMTlP9ZNciP.bat
| MD5 | 7c61bcef213ba755c641f5c7eb59ea65 |
| SHA1 | 3c1b3a98af68a24ab1d86f761540b942a98a494d |
| SHA256 | acdc8e0234272127d1b7ddb7c7e2a8722bc24442317690166334ea06536b9961 |
| SHA512 | 4274ead6bbbf76cd52412b1a322fe2bcbabd030041a15058c4eb192d7dbd4a071f74a38f32700e1456478e4c2021a088d7642f01a2c4c538594456c56461d667 |
C:\Users\Admin\AppData\Local\Temp\dH7bPHNaeHcN.bat
| MD5 | 6300365b2fc09f5c81eaa7d00d967831 |
| SHA1 | 06973bc23c1b07ddb09e90f9e9c5422fa4f28ab4 |
| SHA256 | 63cefc549fec60f0afb6acc2b294b3435e82b00a0de48ef4c7d2ef59734d84b7 |
| SHA512 | ef2077f433acca0b0c4568c18eb16d35b8b6167c77b7be926f4648580afda7484913f7fa4fc881a0507268ef86971dd86d58cbd7b8b9e949ab07daa4ca970753 |
C:\Users\Admin\AppData\Local\Temp\bOgIpAQbx3jr.bat
| MD5 | feb02e337e00e6d1eb7acde8d5c4eefd |
| SHA1 | d5b78548325bbfc6661c29f8c207f770ba46cee2 |
| SHA256 | 82ac3c5a439a7cc08ef16a28845480975778ad4b59768990f546c707602d37a8 |
| SHA512 | de531c5cba13aa8093d40135e9c5ac95a904036871d11c4a7f84308498b22153bfa51b114240dfba63a3c483800295761889512b6645b27359af9a9ef020afb4 |
C:\Users\Admin\AppData\Local\Temp\U31xaI3ySwv5.bat
| MD5 | 2a089019478fa6a198cefafbc8288977 |
| SHA1 | 20121165c3f6367cd58170ea045b2f2a59714908 |
| SHA256 | 6cd96653a4e9e45d5a704638ad231ce77601b25032a1c8287b12d09019d5eb60 |
| SHA512 | bcfff96929bad4ae585928060d90e80a29b4b8f207674e035fc30da7f99caf7787cf9cf00264d9fd2c729882bfb6769ccf691bf0f725d333b157182553bd18b7 |
C:\Users\Admin\AppData\Local\Temp\xwdwRW0E3DyM.bat
| MD5 | 6d89d7c7cf1aa65d8d4f7f349602782f |
| SHA1 | da7712e35cb42d6a02393f2fd749d16ffa733af9 |
| SHA256 | 685483c38d3a584223981539b31f3f3131887214e17ded8293e08f941bc37116 |
| SHA512 | d7398672a7b6c6bd1fa8931f0ee9e02fc3d716cfc55a3b47d7665b49ce2cda7c33c6e0a370cf83789ec79579f2dad57c4157376080c29850da4bc0318beb7fbe |
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win7-20240508-en
Max time kernel
296s
Max time network
300s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8BWfZR7KO5KE.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DNO19vI4mGBW.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BzZIIHMdYmnR.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RDMkzf4AMVoM.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/1464-0-0x000000007414E000-0x000000007414F000-memory.dmp
memory/1464-1-0x0000000000B70000-0x0000000000BDC000-memory.dmp
memory/1464-2-0x0000000074140000-0x000000007482E000-memory.dmp
memory/1464-3-0x000000007414E000-0x000000007414F000-memory.dmp
memory/1464-4-0x0000000074140000-0x000000007482E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2164-12-0x0000000000D80000-0x0000000000DEC000-memory.dmp
memory/2164-13-0x0000000074140000-0x000000007482E000-memory.dmp
memory/2164-14-0x0000000074140000-0x000000007482E000-memory.dmp
memory/1464-15-0x0000000074140000-0x000000007482E000-memory.dmp
memory/2164-16-0x0000000074140000-0x000000007482E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8BWfZR7KO5KE.bat
| MD5 | 56470d6a6ee78ae6fbeb6de24d219480 |
| SHA1 | 1c23c028a2b95a9928b950833112eea9466f1143 |
| SHA256 | c3d242be6f6a0b4c83219b60b564102bbf330570aaf4f1e12cf7001920aa447a |
| SHA512 | a2c7f354aa1f60804c11043ec62d1e25e6209d7ad3d65e32b645de464797ebf59a563a16b13021f6f3cc6293eb162d239658f868efd9d6d17773d6006dec078d |
memory/2164-25-0x0000000074140000-0x000000007482E000-memory.dmp
memory/2172-29-0x0000000000100000-0x000000000016C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DNO19vI4mGBW.bat
| MD5 | 87fa842b487ef824db2110421e00656d |
| SHA1 | 2d0a5731f5df2435035335525725e0ac47776a41 |
| SHA256 | d79e1ad43f71646f98d7b20f44548e948233eb4c7bec14ece815bbeac3396af0 |
| SHA512 | 11845d358148755291be173df084cfe1b59ec30e09cc60b740c187012763041b9c3b2c8b6a08e60ba754a5cb8ca20eb86ea744bf3ac35d69cc1f27f53da097a8 |
memory/2080-41-0x0000000000C70000-0x0000000000CDC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BzZIIHMdYmnR.bat
| MD5 | 571e08c4773f95068daa5bed92a8b128 |
| SHA1 | 87e3a2472b9f027776a952a93640448167bcaeba |
| SHA256 | afd9a8f882b76426c2a9a3161a34208ba7a3ecf33b974df63fe8390eb23bf489 |
| SHA512 | 4b0ed697661f8f1b995d80216c9c648867d988b030f1a20e0fcbb2ada5d72fc0207091bf906e8c233b1399330209443b564c389d5926eac52219497c09c8b9b5 |
memory/2692-53-0x0000000000120000-0x000000000018C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RDMkzf4AMVoM.bat
| MD5 | b15e0856cc19accfeba7362a0ec189ea |
| SHA1 | 3324697b9f2ae4a2fb9d5b4a5f2cc5cc9b58ed82 |
| SHA256 | c0f4cf0970bb6796e564c75ed70967cac93cfb89f6526217c89c4aa320a89d4c |
| SHA512 | 7201f157614af31b484227e0af616ea69259bdcff5151bd0b6690d827b82c74c0a773dfbcea99f55a69565531bcb11c096db305166f0335394330827871d2a9d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win10v2004-20240508-en
Max time kernel
297s
Max time network
301s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KFHWz3Qlhs8F.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3660 -ip 3660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 1824
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYxb9qtI56YM.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2248 -ip 2248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1672
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S8hRC0Vha5JS.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4012 -ip 4012
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1616
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oRMWMmyDyIjZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1408 -ip 1408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1636
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZtSBeYzPkKL.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2412 -ip 2412
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2BJKpKzu1YYu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4340 -ip 4340
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 2252
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c6XnG2GoeRzz.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3388 -ip 3388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuHuutUqv6tx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1464 -ip 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 2228
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DlyneDtJ6rlb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4144 -ip 4144
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LT3IIzEnX5pM.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2588 -ip 2588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 2228
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SB8nwlZHzKt8.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4924 -ip 4924
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOM7MjVp7Wqo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4248 -ip 4248
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uhxPEP7mhDrs.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2904 -ip 2904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roX7fHBmzyyM.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2948 -ip 2948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fd5x5tZ8mRZE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2252 -ip 2252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/4484-0-0x00000000748DE000-0x00000000748DF000-memory.dmp
memory/4484-1-0x0000000000F30000-0x0000000000F9C000-memory.dmp
memory/4484-2-0x0000000005E50000-0x00000000063F4000-memory.dmp
memory/4484-3-0x00000000058A0000-0x0000000005932000-memory.dmp
memory/4484-4-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/4484-5-0x0000000005940000-0x00000000059A6000-memory.dmp
memory/4484-6-0x0000000005DD0000-0x0000000005DE2000-memory.dmp
memory/4484-7-0x00000000748DE000-0x00000000748DF000-memory.dmp
memory/4484-8-0x00000000748D0000-0x0000000075080000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3660-15-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/4484-16-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/3660-17-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/3660-19-0x0000000006170000-0x000000000617A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\KFHWz3Qlhs8F.bat
| MD5 | c4772cc9683c87e363874a75a698c5aa |
| SHA1 | 8fd935ae693a4f63ce3a1ee371653f580592241c |
| SHA256 | a076d43631ce26f7fae54a5e6e877c8758a3c7dbb1ef8a130d09181decfca2c0 |
| SHA512 | 7ecebf9974710dec476e3efe79e1d5e9eea16b03a13744534b3c94b4a2d3b8a048027afaecaae7b1ff13e3d8c18b914d892213f20c2d448fbc68f2c86a700827 |
memory/3660-24-0x00000000748D0000-0x0000000075080000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | cedfd0c855e2c3240d4e8d6f3d2bbd5e |
| SHA1 | f549d795c72ce0c162583b76737e3c49212e7b28 |
| SHA256 | e9461dd0c001f0f7b001be469982fe1137fdb54ce341a62b56004c8378b6be98 |
| SHA512 | 39017324ce6a29988e7bc9de4b8dbca83d4ffc75f61c771a1c1c8299b35d4681f41aa3331735b54b2e8ec3afd5611ad7d04da729ca2b5a9ae2e08c6149fa51b9 |
C:\Users\Admin\AppData\Local\Temp\hYxb9qtI56YM.bat
| MD5 | fc69700d5a40c2361e9cbed9c95f91a3 |
| SHA1 | eb3b4bb2763fcfb9f004f1824aea7e1df6a33604 |
| SHA256 | 0a876253005ba7920699101938c9c2114e507f13bfb9339e988289b15f9648fa |
| SHA512 | 743f7c9023cbffed6709d0818dbbf3ed5ec7e3199f20651d7965e2d97cc1416ba8e147827943ff62c3c47b18e731267afdfa09cfb1ba192e953c2548cac7a76b |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 51d8ac1788afd91c058ddff318c3a2d4 |
| SHA1 | 87a49e39b206774ca4195e79225e7ae3db92cb15 |
| SHA256 | 4b7f02fdb9ecb98fe97f6e789fcf3fff000326243c62d44db5b113b8db035e24 |
| SHA512 | ceb3b60481ebe5f6ef13a1dccd557c45a21534982348fd759c0798d1bfb14202f66cc3348223f32fd4f1911f9650a3345daddad59dfd3fdb6cbbf1cf9da43097 |
C:\Users\Admin\AppData\Local\Temp\S8hRC0Vha5JS.bat
| MD5 | 071c192192db10a5c4d059b5fb93549a |
| SHA1 | e6ac6d22ac7246f1b5edd7985d20d1fde5baad5a |
| SHA256 | b4d9c4d7673b4882b5f81084fe8d5807b2afa063a2394640f4873854e2434e9f |
| SHA512 | 5688c44df291e30460d0cbf4524e93d6859f8814d962c75168bd205a7542853f4751e751acec61923d0ec60197892e4d3c2e61813a251d91cf777e83ce5cab23 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | cf6e3173d32096809abf349b74603fee |
| SHA1 | 195af5bd0e00282a230436b82a3677a9e9ca44cd |
| SHA256 | bd603b8f1536981a0bc7d2dccfd0c0d03ec4315b4fd891852cfb1f9e2212654f |
| SHA512 | 36b039b7b85e50425ad7eea19db1378948563cca842197cadb8a8b4631bfff5090160b91b70a483af44aef1e120261cf806dd08e7f1696abd1b0bec63373a584 |
C:\Users\Admin\AppData\Local\Temp\oRMWMmyDyIjZ.bat
| MD5 | b7189eb0999d6d4f69d85f0d55b64cc9 |
| SHA1 | 9e80a18a4e6d921be2b3c683d2b15f2b2fc7c665 |
| SHA256 | 206b1572f9d9cf087ed81d8f6637b83f6b352fb6ec4386a602b192149d4ff7d0 |
| SHA512 | 66f5161708b71b25da9a0b0fbfa28f05ce6cf2ee432202ff314d73b95c8770b3f2c0d4615e85d18e615422865b966be3742f0ae0352f46ebe9ee99b3fe4232dd |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 7bd0e152fe349970636b45aa73f5b0f1 |
| SHA1 | b33c983c82a65f263085d88ae5db58b008546916 |
| SHA256 | 22289da02501dc221d401ad0ef01a6f82ff9d8ff091898763a81fff02b7f2c27 |
| SHA512 | f4cc70cf68fb086aa1f09fca5ddc0591508c2f2943bd3cf40572837f905397b01f8ed6ea7864b813cf9bd6643b9779225b2c6391b7f2933671143b0d7a1a4e2e |
C:\Users\Admin\AppData\Local\Temp\7ZtSBeYzPkKL.bat
| MD5 | d3f643e3bed9665a58eb72ba167cfe7c |
| SHA1 | f09518f10b8bba2cadc5bd9b966177af72c35391 |
| SHA256 | 55f0e95adca748a2b04d316e50c0e885fb209b9b3b5e2f1ba5244a40c16c17e3 |
| SHA512 | f5d6581b585e1c62c9ca93ab35572d70ee2269e42193664f66abc71a1b83430d98ee216be1e5af2fcdf73032ec195f1ce66032f84bc76b73125eb585b83420a8 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d03b489aa2ff6ba1ca0f92f293a63c25 |
| SHA1 | fe90a564827605242e0d9685dce0c9115e7b8a8f |
| SHA256 | de7da9c5f7247b6be82de9368d237122bfac94939da1a0f561d0a47a50351c92 |
| SHA512 | 60a3ce0482706aaa6aee8b810b02f7f286f1413b9f1301df7d750b3fec6df2dd395a2a1ac79f74da1953570626192f93747def7eaf6522ff2413299f077a8f3c |
C:\Users\Admin\AppData\Local\Temp\2BJKpKzu1YYu.bat
| MD5 | c099f2c9942d1cccc4e8dc096de7ae51 |
| SHA1 | ebd41d40b54be58bffa2b26db9e0c16d98b73a79 |
| SHA256 | b1b9705a5a9e4562882ad261647e5bb653254becc248a6603a6c46b4c4e9ad06 |
| SHA512 | 97c506b845a3b0f41e90869dc9478034189dd0ab01113159a4bb25eb9d5a86b85b380f29381e51dddab41c24651fdb03bf23f9303fe37a101f20c5014ce5321f |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | cba84d2fe070e15bc4204a936593a744 |
| SHA1 | cb6272bec6c0bf3fa5ca964d5c4ad4c2ab49c298 |
| SHA256 | 103351739f25fa218baea0e44a5d161ad0f038547054ebcfa10ed0526821b26a |
| SHA512 | 50cccfcc4921a24b456a9ef054fc70f597de02ca5500ed92a795764ab97834dac1867be270b17d16d72a0b1116fff8d492cbda3e7eefa9940df8ede1d77f93db |
C:\Users\Admin\AppData\Local\Temp\c6XnG2GoeRzz.bat
| MD5 | 4cac880fe961ac3aafea3db729cf593e |
| SHA1 | e92f99bf5184207bf5357e59479c95246463f6bd |
| SHA256 | f974cc92ee3543937fac08d4fe26c849961f7712b874358b66de9e9a2582d9ff |
| SHA512 | ceb94334cb2058a41522d5a999c0772c1380e89719295bb82e9995d03c4f9fce4158e7fd3e26b5790f5eeba71067e7abbc95fd16bce0eb632e03155365085669 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\wuHuutUqv6tx.bat
| MD5 | 2524a16e36ba47db4552261a4f01ea4d |
| SHA1 | ddc95de4ec0306e2f5ae4456be1ac7072d9ccbb0 |
| SHA256 | ed18e6b7a398c27073d03975da40f83f6009095bade03ffe8f30a73b37539e3b |
| SHA512 | 8fcb0b972c4fcf67293d9f4f6c1b99bddb14f2689aa9b44e025a904e5e8560a75d326f7ba384a57650d1e8f16a4d4047a79f7bf3274c6b29db5637428f104688 |
C:\Users\Admin\AppData\Local\Temp\DlyneDtJ6rlb.bat
| MD5 | d9546c47621e7bbb2ab2efaf620ff7a3 |
| SHA1 | 40678431b317e9b5cc5407fffe6637e6e35bceb6 |
| SHA256 | a5dbfb0b3185405832f6ff479caec0f6b105813d198d5bce5e7c41322e977e97 |
| SHA512 | 2a1be6eec75e7842fa038ee30af217a1df291bfb6efe62fd82e0161c4a97ef9e5bd3a50e3006eceeb4c6a3b33c5dd323bde4bff3270a15eb0e43d76faa74cf09 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 93db40510a99d7148b1dcf250b8a7417 |
| SHA1 | 8d30f4563c17659a45f93b9c1e098db5efaa4433 |
| SHA256 | 2080277e23b06aed5e6cc66156b749e675b8b12231f0535b881b4f4828d2b7a0 |
| SHA512 | bd2be174250da7ed6454963f1c7d8c51184b6c3c13524bafb2f305f7fa89d9228087e956c66ab22153d9535d1cd8fbd1e13b43da9020e11190e21ad7cd4642a7 |
C:\Users\Admin\AppData\Local\Temp\LT3IIzEnX5pM.bat
| MD5 | 07f379467975a53e3a95e811e19da9b5 |
| SHA1 | 49ee779673e6514d378c45b6512006de2cf1b8bf |
| SHA256 | 91c8515f8f894631b724b9733a911da2ed43b92c2da7e48e9b2d2be799722df2 |
| SHA512 | cc4dd8a1edd817c752d04d991d2a95ab4a337c758d876b9acff9bd6e1d62f6a9b0bd71aec52e717dbae3b2bdb32782f67f27641c6242aa521f5b0a487daa54b1 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d546a4199fec1645b2c7f156479093bf |
| SHA1 | 5beb1d76ebecc86ca42047abd53ff90a37948930 |
| SHA256 | 29e4ab50303564a3be39263c1cfc3e949d995469821b79490a78736112b20546 |
| SHA512 | a9370f9c2ac0d24487cfe8939d1d24838a22b29891e7706a2eba3ec161a0bfe129fe8175286f50b6fd1d2f1027bc42207b68fb13572ae73812e5dbc60bf29107 |
C:\Users\Admin\AppData\Local\Temp\SB8nwlZHzKt8.bat
| MD5 | 5932e07d8ecc0520c0ec4c90762a9eda |
| SHA1 | a041fb2ad30db20a329dbfed2c30e888827012e3 |
| SHA256 | d24ac44f7b2832c49e63897c809522909831d405682e9b94fe77869a8e32f11f |
| SHA512 | e9ccf8a3d5d137ccd1e0db818f563e599519fb0488e76b499b842726b19bcc1df5f71f8d03fa4596a1db73d10bff71cbc912d844804bb2ef86d622f2424ae735 |
C:\Users\Admin\AppData\Local\Temp\cOM7MjVp7Wqo.bat
| MD5 | 1456c62bf5c44c20d4de5706090a9d9d |
| SHA1 | d943f38044c3da606056b1255f4047f22399333e |
| SHA256 | 97fd236371659559e78663e283f08a32b24f6f3a85e4937a4453f29017a4183d |
| SHA512 | c68e73bb978b5f2abf3fcf265367c56aded8711c90311174d92eec1b8f5e204c5fbf5253232e7ef64d48a59f2123c31bea0f1c84d180fb3e945a8211f8113d37 |
C:\Users\Admin\AppData\Local\Temp\uhxPEP7mhDrs.bat
| MD5 | 21e9d274f80206aa4fc898cb54a35434 |
| SHA1 | f14344bf1e243265913796eb94c0c90fd5e9713b |
| SHA256 | ab1daef8d03dbacbcf150f1389f2ec6cbc8ad5bc162051af0b4ce8b80aafafdd |
| SHA512 | eb74126327045cfdd2f99f5a4d3061f5a62be3699698c140dd8da914c11bb7ff0fed1c40dbe73a18023a827f372d103ee5bcf5caa5e7d98fb25c71f072fdf4ee |
C:\Users\Admin\AppData\Local\Temp\roX7fHBmzyyM.bat
| MD5 | f9c7f60c57fdba0d4bb984bc35e148c3 |
| SHA1 | 046ff970246865e8716e8762e4eaf1e93705c78c |
| SHA256 | 96fbad0dd39fce4121401b5e32587a42b9e055387a26dc82ac18d351d293b5cc |
| SHA512 | 5c17204a04935bcfef5459c78c7708d659ff9192396f38be16de6f06b9fbb1bfec57742e18a8aeaafcde598341867391f746b08be0161ecba1050717b1f9fc5b |
C:\Users\Admin\AppData\Local\Temp\Fd5x5tZ8mRZE.bat
| MD5 | fff35a67ef4c790ade824acbed0e2ba7 |
| SHA1 | a9bed9601397004394d424c4c4c12361cb564090 |
| SHA256 | ad0cc1135254f96d2b9e77a6c0e123a91e5c39b3f5113ede0fbd286c1c9d0e49 |
| SHA512 | 28ca5f1981e9b57819751f402b6b4d5fc3f1492fd6ff6bf00830da800d0ec84f62c4a6a54ffc50d65dacd7211494c4da6288c12c4d897b704419323943c1e8a7 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win10v2004-20240508-en
Max time kernel
298s
Max time network
307s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQo0CU2Yqv6k.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2996 -ip 2996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1656
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Iuhx1Jui1HjX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1300 -ip 1300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1628
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jbv9qJZyrV1j.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4736 -ip 4736
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 2200
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmI9RVpKOgDq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2540 -ip 2540
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1664
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCWIiFqaxVYP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2668 -ip 2668
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1652
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JubnM1B4OjcA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4868 -ip 4868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ka4oRJCunLI8.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4856 -ip 4856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1712
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JlN1kOagW04B.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4336 -ip 4336
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7LARoaiy6Ctw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3900 -ip 3900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1688
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQo27ZECyPqn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3224 -ip 3224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQtNlcEKvwQA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4684 -ip 4684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ec1KrSnPAPt7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1096 -ip 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ptz99d5jiUWN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3032 -ip 3032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yxp0gsQd5ulK.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3316 -ip 3316
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEnqy3ixdzNa.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2716 -ip 2716
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/3652-0-0x00000000747BE000-0x00000000747BF000-memory.dmp
memory/3652-1-0x0000000000520000-0x000000000058C000-memory.dmp
memory/3652-2-0x0000000005440000-0x00000000059E4000-memory.dmp
memory/3652-3-0x0000000004FA0000-0x0000000005032000-memory.dmp
memory/3652-4-0x00000000747B0000-0x0000000074F60000-memory.dmp
memory/3652-5-0x0000000005040000-0x00000000050A6000-memory.dmp
memory/3652-6-0x0000000005DB0000-0x0000000005DC2000-memory.dmp
memory/3652-7-0x00000000747BE000-0x00000000747BF000-memory.dmp
memory/3652-8-0x00000000747B0000-0x0000000074F60000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2996-15-0x00000000747B0000-0x0000000074F60000-memory.dmp
memory/3652-16-0x00000000747B0000-0x0000000074F60000-memory.dmp
memory/2996-17-0x00000000747B0000-0x0000000074F60000-memory.dmp
memory/2996-19-0x0000000006DC0000-0x0000000006DCA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fQo0CU2Yqv6k.bat
| MD5 | 8e625eff4db10bc5ef2c25b04074176a |
| SHA1 | 638cf3492ce1480b3c160a238cc02585207cfb59 |
| SHA256 | 4dd9e2df51a02cfb1c2c60e2654e2569d7942a8cac9138416e37b2323ea8af58 |
| SHA512 | 8cc2e3f554347728913483ef8a4063f356e5b314b0e40b25fdab4dcf19be0ebf6808e1a72533d5d5f9de5e3a3f105ec33f0f823925ee3ce035051982f24c5473 |
memory/2996-24-0x00000000747B0000-0x0000000074F60000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | f10315954164e33ff28ac1e6e503dd6a |
| SHA1 | 21a7f4af58aacc1ba34629c948031ba20f0f6512 |
| SHA256 | 3761441c8f225218945f1c52d3b7d95663b495bf5d87485f1d5ca3931ad63d9d |
| SHA512 | b692ee64e511bc7d647ed1e31dd31008cfa24a32c6992b8309ea5e61f8d265d4aeba2393070b83947457a8f1fde87829ce5f15987ae9561572db91f3a7c67177 |
C:\Users\Admin\AppData\Local\Temp\Iuhx1Jui1HjX.bat
| MD5 | eed92844f6d17270d647db181ef167e5 |
| SHA1 | 5e673a2976ddf2d3bd7def72f536c98926f653c1 |
| SHA256 | ca7c97b6fa5f3531d6ad8d0cbdce693a1810357deeae23d130c2d134faae25b8 |
| SHA512 | cd3098e5dd68d3eb46242c5890d6ca20796122773403491405908b3e1efe1c3a3b2bbc4095cb6b13887887c6033864f9030f2d80efa3c56cf4109dd22ea987df |
C:\Users\Admin\AppData\Local\Temp\Jbv9qJZyrV1j.bat
| MD5 | c3915fc86d7af7c16e92b10c6e77a8de |
| SHA1 | 743b56a88c9dc291a7d8359f9ab6b65ea756a1c9 |
| SHA256 | 2ab9cf89475db6060a1f14c9bdc242e8d0cb36f71129e1fbbda1972730dd2b27 |
| SHA512 | 171f5ec351ea6b6bb9e864182be02bf338e16370165e4bd3d20591c053973f05908b1acd390e831bc9d5156993c1fe95057fbe8b5617406f2fbe76046fcf59aa |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | ba8fbbd90179ba34058c17d0ea6eb031 |
| SHA1 | 705658e7f0d86268d593b2ef43d9c40eed1d6768 |
| SHA256 | e8e309aba71b66c6561ba5ea144c45af56e7e9e473494ca1c3f58d88db594449 |
| SHA512 | 3970c166639366e06b7c3df13266e26c109ff3fe4eea932ad2b2b02e28ac2aa57d837338ae6821a218c5ce0b3e756b0a9b46bc8670d0913040861cee903965b7 |
C:\Users\Admin\AppData\Local\Temp\NmI9RVpKOgDq.bat
| MD5 | e3624711081051da2284010b72d00426 |
| SHA1 | 16960b911b64c749f8bd30a172b42af2c069cc72 |
| SHA256 | e18201428bd2eb602637d87fd5ec1803f9350040c713e44a7c4cc4f65b59b613 |
| SHA512 | e274edf2390c07c07b46c3bf5bd64094f4e034e005a44a2ed75865421bea5682e416afb1e3f4ea77cef38559975f7cd99e4fa9b0ca37ecf0f68a621a42b0fd27 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | af71ebc475e1db6c12039d7631f53963 |
| SHA1 | 832eb3588303c619a9ae51004aa1ae49f00d7b9a |
| SHA256 | 30747aa6d6315cd3079ab5f665dc985ba5869defd8dcc2f9181d45a8e573a708 |
| SHA512 | 9c9b9077da744baaaa203663b2ec462b67602723a5dd584401d1d9507589703791bc3bc02a0c407e978316d714fbe210eb28b3cd77e912aa17b64f79b23c15cb |
C:\Users\Admin\AppData\Local\Temp\BCWIiFqaxVYP.bat
| MD5 | f735f0b2b62ad8115a70b3ee8b718d65 |
| SHA1 | 40a1263641f0e8c827c5c61b1cde3313bf8dfbb7 |
| SHA256 | 87641ad833f79cbe6a727812393329ba171e03f2de8a8fa1deb2082ef891f147 |
| SHA512 | fb23e197c76da43d4023d2d487da3652b5f5f92bd86e042dd88babb9b8af883ece37e75608db6dcef417e14715bd7797b0912d7ae8248e57102e6a03a0d9bb60 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 4d7a7e4d18a1c727f0e257b9c12ba20f |
| SHA1 | 87b04d885cafd73f6112d6be8d6c226e83ece535 |
| SHA256 | c46281ad6076eb3e04341982b606bae1db25c5b9535cefe314c59acb172cc511 |
| SHA512 | 400faab1e6efeec138ef766f0e3ea4ac5638161469f2101a723abce2df14a904d697943a07cc201c0d29eba9f1e7a1840e2a3ec9c611735813df932e2fc6068f |
C:\Users\Admin\AppData\Local\Temp\JubnM1B4OjcA.bat
| MD5 | c737724353bddeb014df1f99cdb54952 |
| SHA1 | 977ada055801d7fe16ddce12941358021d4f75b0 |
| SHA256 | 68e175c8c3fea624a271ab38359d448896b219b0654335b66a4601320f593637 |
| SHA512 | 897fd53393d59e1a7b9c1da4819decae5a6ad732af7c2c1f43e0d7a68b0395dfc2913ac6a22c91b85d8d157e0ad5dbbdc57312fc4dca349aeafe5c82909d1588 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\Ka4oRJCunLI8.bat
| MD5 | 3080c05fe615658d7d7f63f173ff450b |
| SHA1 | 88e93e4e561aac953b7b08d46d34694e439b82a4 |
| SHA256 | f6d9f1dd69aa4b2cacd7675115e4b48f34013684c1f291402ca8da0590363096 |
| SHA512 | 1dea602a407d3519997667a94c21433742494e879a012cdf456e03f488831ca671ea4fcc1c96a91f65b6e7a101cd806c82bae1a17f070610de7b4f06477aa6ca |
C:\Users\Admin\AppData\Local\Temp\JlN1kOagW04B.bat
| MD5 | 7952d11a6fcb0d2d8ba132ffab96d625 |
| SHA1 | abab38dc57a04b64c54d59b4b5852d29a8deba91 |
| SHA256 | d5b7ec5368e5a5f340bdbaee40957b3f23f032c1c927335b420337838aa6a14c |
| SHA512 | a7896eb5e7b51ef7843f6f12aa9995bf7bc64421938506e2947d5ea750b0a1fbb6f449638b29b053ecc8f368b23919ebbe9ba2b26f45ff110ef490c970176c85 |
C:\Users\Admin\AppData\Local\Temp\7LARoaiy6Ctw.bat
| MD5 | fd1a87581a0ebf086515d4f028135bfe |
| SHA1 | 028959796b33652bca736adb22140cfee470e007 |
| SHA256 | 477f73b9d4a2fb9e63cb3d66b6d9b0f3899a9da29054c319b4799bcdc7fc7d58 |
| SHA512 | 91fe2eabecee0343065c0fb50536543cf4ea5a587b1db2aa06565303dc5013e74954845a3417e4d2fd8fc3f3d7c7d8a801db2326dbd3178f1e0120122383f480 |
C:\Users\Admin\AppData\Local\Temp\uQo27ZECyPqn.bat
| MD5 | 4db88161ff2c134958727aea27019272 |
| SHA1 | cfba5a62fc78e1ebde0b93dfadf787334d934fe5 |
| SHA256 | 29894da49495260b220316db2410b5e9927518eb86c0c5944aadce732ee209bb |
| SHA512 | 24287c25b0cb00f2197102a78e5d1289d0139d8831dcc2ec5b54aaab432577b20d45ffcd3c902939ad7d602dae2da78538a7bc61006d54ef3fd4cf33eb5e37f5 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | ea0531e6508211236284b98997fd5185 |
| SHA1 | 4d3e67d079339f8168184b547a14cf604e96c295 |
| SHA256 | aec28d9e01aacc535034706dd2b16daa11f82026333794a09dec01c5e492aad0 |
| SHA512 | e6ca8cc62dc13592343c216d73a253d4d3bee924f6bd33bbd72fb3ac6105b250ef902f7f943b7c6d59f9f27e706c3591547a1e4321c495aa2820e934efd3d76a |
C:\Users\Admin\AppData\Local\Temp\cQtNlcEKvwQA.bat
| MD5 | 6bd29cada855e5d856f5847bcbed620d |
| SHA1 | 74a11510d0857c609086f31f31603f98a1c2b4d8 |
| SHA256 | 72193f8023522be5918db17e02902ddd3e15f5050739dfd4cfced4ecc3a05a07 |
| SHA512 | f97e1f022e29f8341c6461a0b41cf91a3e49452ea473542f2e764e3d239e27d0c2700a1009b6eb8f4394d706a653693f25348ef0026bb99f33638c77dfc8b7dc |
C:\Users\Admin\AppData\Local\Temp\ec1KrSnPAPt7.bat
| MD5 | af0ed9833949bd2c7fe6280dab98e1b5 |
| SHA1 | 0d3b39c67c8b2c9305cad702bb10f69f5399bf89 |
| SHA256 | 6235e51ba397129f56cb893b6ba1e1395b8a4337ebf875ad1132e58ca5cb97ce |
| SHA512 | d4d79a6a555d066ecd93d064bb989e0f689a80fddf72a21dd49038b9bdf076b5d9bb30a374c6dfd6b198aa0cc6b2cfc748076b7096ef0fff98dd14ebc01e64e3 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 757a1d896064f0fdf4331315d7f23d90 |
| SHA1 | eff563f28d22a148d938d6f58d1d282a6e7587e0 |
| SHA256 | 8d9752c01c34d81cedc40c1aee899a5bee0ef560bcc613193599517a8327126f |
| SHA512 | 51264186c0eb17b4b75ae1b452d71fb55cd04fe09ceb8377408c83e61bf4824e64a3a62f415b6dadd0ccd9ffbca7b81e25b7b1549266ace358d0421234c71c9d |
C:\Users\Admin\AppData\Local\Temp\ptz99d5jiUWN.bat
| MD5 | 17eda3994ea830a72c6bb5e7be869fe8 |
| SHA1 | cfd4816654c8648b03b086a707e874613eb710b0 |
| SHA256 | 093665282be7618fb199ae9f752a17f9bafebea161eef373482cc39c60b3869c |
| SHA512 | 40b7f26e07c8a5bccfeff3d0759ac3986a6eeb32ba30420902aa41ada61cc4171efc05e2e93d480379446bce09fcea288170f7055d76b88244e2aa927cb235b2 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 3bc045b949dab398b8831d881db0812c |
| SHA1 | abd3e78031d827c75560e134d995c6ae29d81a8d |
| SHA256 | 1de304d59d1408a0f3ffea378a36861e488c610b71ce1b357bc01393be6a3e6e |
| SHA512 | b52186738666a38f3484b0ee65b9829e37c76d213c70593e2cdf584dab5afc903d25ba008f2c0570f18194733891bae0318fea7b376cc92a9c6026bd669474b7 |
C:\Users\Admin\AppData\Local\Temp\Yxp0gsQd5ulK.bat
| MD5 | 78d1f0ff56aaeaaf5928d52d679ed7ce |
| SHA1 | 7d909852ba90f5aaac3aa48c7d7405171087246b |
| SHA256 | ecd2e0fdb245c841f3ec746508bb45065f91b8b2a659eda71d4cf904ffa5386e |
| SHA512 | ccd1a15405dad3c265e6427243642796b420f3e16fc3abd64b57cb1d6853846906772eb348fe3a31cebbae10cdd73bc8b2afa633a781c0ab728127746099cf4c |
C:\Users\Admin\AppData\Local\Temp\jEnqy3ixdzNa.bat
| MD5 | 8c7b6149bae2b3f5fbd59126fa50b3b1 |
| SHA1 | b7fb2b1e3f6034de6ed4861e1fd7b68c2a4cf40e |
| SHA256 | 22900737fff821b80b9ce7665adf62864b19e4efd6fc2294e5a93063edfdecd5 |
| SHA512 | 2de1980e29139814b353b94a5843764c4797f6a31ca81f747bc10394560716282731c45ce0ecfccaccc5324c3c2c5445775adeb2a4c214d914d678bec5f1b238 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win7-20240221-en
Max time kernel
235s
Max time network
291s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1712-0-0x00000000744FE000-0x00000000744FF000-memory.dmp
memory/1712-1-0x0000000000B30000-0x0000000000B9C000-memory.dmp
memory/1712-2-0x00000000744F0000-0x0000000074BDE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2748-10-0x00000000011B0000-0x000000000121C000-memory.dmp
memory/2748-11-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2748-12-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/1712-14-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2748-15-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2748-16-0x00000000744F0000-0x0000000074BDE000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win10v2004-20240611-en
Max time kernel
238s
Max time network
295s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/3488-0-0x00000000746CE000-0x00000000746CF000-memory.dmp
memory/3488-1-0x0000000000D50000-0x0000000000DBC000-memory.dmp
memory/3488-2-0x0000000005E20000-0x00000000063C4000-memory.dmp
memory/3488-3-0x0000000005870000-0x0000000005902000-memory.dmp
memory/3488-4-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/3488-5-0x00000000057B0000-0x0000000005816000-memory.dmp
memory/3488-6-0x00000000064F0000-0x0000000006502000-memory.dmp
memory/3488-7-0x0000000006A30000-0x0000000006A6C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4636-13-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4636-14-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/3488-16-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4636-18-0x0000000006510000-0x000000000651A000-memory.dmp
memory/4636-19-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/4636-20-0x00000000746C0000-0x0000000074E70000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win7-20240611-en
Max time kernel
235s
Max time network
292s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1716-0-0x00000000741BE000-0x00000000741BF000-memory.dmp
memory/1716-1-0x0000000000970000-0x00000000009DC000-memory.dmp
memory/1716-2-0x00000000741B0000-0x000000007489E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2776-11-0x00000000741B0000-0x000000007489E000-memory.dmp
memory/2776-10-0x00000000010C0000-0x000000000112C000-memory.dmp
memory/2776-12-0x00000000741B0000-0x000000007489E000-memory.dmp
memory/1716-13-0x00000000741B0000-0x000000007489E000-memory.dmp
memory/2776-15-0x00000000741B0000-0x000000007489E000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win7-20240611-en
Max time kernel
236s
Max time network
288s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2204-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp
memory/2204-1-0x00000000001A0000-0x000000000020C000-memory.dmp
memory/2204-2-0x0000000074A20000-0x000000007510E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2972-10-0x00000000002A0000-0x000000000030C000-memory.dmp
memory/2972-11-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/2972-12-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/2204-13-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/2972-15-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/2972-16-0x0000000074A20000-0x000000007510E000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win7-20240611-en
Max time kernel
235s
Max time network
292s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1672-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp
memory/1672-1-0x0000000000860000-0x00000000008CC000-memory.dmp
memory/1672-2-0x0000000074D90000-0x000000007547E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2648-11-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/2648-10-0x0000000000F90000-0x0000000000FFC000-memory.dmp
memory/1672-13-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/2648-12-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/2648-15-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/2648-16-0x0000000074D90000-0x000000007547E000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win10v2004-20240611-en
Max time kernel
237s
Max time network
296s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4700-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp
memory/4700-1-0x00000000006C0000-0x000000000072C000-memory.dmp
memory/4700-2-0x0000000005610000-0x0000000005BB4000-memory.dmp
memory/4700-3-0x0000000005150000-0x00000000051E2000-memory.dmp
memory/4700-4-0x0000000074C30000-0x00000000753E0000-memory.dmp
memory/4700-5-0x00000000051F0000-0x0000000005256000-memory.dmp
memory/4700-6-0x0000000005E40000-0x0000000005E52000-memory.dmp
memory/4700-7-0x0000000006380000-0x00000000063BC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4380-13-0x0000000074C30000-0x00000000753E0000-memory.dmp
memory/4380-14-0x0000000074C30000-0x00000000753E0000-memory.dmp
memory/4700-16-0x0000000074C30000-0x00000000753E0000-memory.dmp
memory/4380-18-0x0000000006880000-0x000000000688A000-memory.dmp
memory/4380-19-0x0000000074C30000-0x00000000753E0000-memory.dmp
memory/4380-20-0x0000000074C30000-0x00000000753E0000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win7-20240508-en
Max time kernel
296s
Max time network
296s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\C101uY7YVhan.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Eey2peKRn1tc.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5gRGXqGrvrE8.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VVkWS7Gqs3DL.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/1716-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp
memory/1716-1-0x00000000012E0000-0x000000000134C000-memory.dmp
memory/1716-2-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/1716-3-0x0000000074A2E000-0x0000000074A2F000-memory.dmp
memory/1716-4-0x0000000074A20000-0x000000007510E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3000-13-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/3000-12-0x00000000008D0000-0x000000000093C000-memory.dmp
memory/3000-14-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/1716-15-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/3000-16-0x0000000074A20000-0x000000007510E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C101uY7YVhan.bat
| MD5 | 24a27471386de5a8d44e2364821bff6c |
| SHA1 | e64d903ed088e153e31b36c7e0a431ad89a48546 |
| SHA256 | 2f6c07ee54bb86e45bddfb1c794be10e55ed600241e7752ced8852659cf00b4a |
| SHA512 | 4c51991f88987d9711323d391afb778bfa08f0eb4e1e4b9ff2534c71dd140c4802fa4144cf72bc333030163f00976316c0f7f4584526aee02b56d78c71deee44 |
memory/3000-25-0x0000000074A20000-0x000000007510E000-memory.dmp
memory/2112-29-0x00000000008D0000-0x000000000093C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Eey2peKRn1tc.bat
| MD5 | b578c1a2adf65a4f0d17d2d07a27870a |
| SHA1 | 95ab2dc419df6d2df83386845c19baf685fe2049 |
| SHA256 | 5b87f25434c929d2bbe4ce404c48a0312e55bdf6243d6682263e6af82262eac1 |
| SHA512 | 465711dc11a69748027f547016fc2c3416ef95e2bac80a896b97a57bf84bec9ade6cdf1beb600cbdda3e5a84b0e9efac3a213e00cd1e3d85702571d84abbcf28 |
memory/112-41-0x00000000001A0000-0x000000000020C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5gRGXqGrvrE8.bat
| MD5 | 3f284a66b77442ebd86af36751347ebd |
| SHA1 | b82702802a2cd98e901ccb1afb75a4f06da2ddd4 |
| SHA256 | ac179e251b7e418304e894377ab56ffcdd30192ce03caa76683dd28cd20ab0b3 |
| SHA512 | f83d3a7d3a677569badc1809d1f10d7e57dee7aded7751906928a8b768b687d35e06b941c8201cb987591b72b9e230147211509b28005ceba1753d19e304edb1 |
memory/2836-53-0x0000000001060000-0x00000000010CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VVkWS7Gqs3DL.bat
| MD5 | c8e361b50a194f9c96b3523100730aab |
| SHA1 | 26c8ef409f7eea129fb3b3d4a66bcfa2216f1854 |
| SHA256 | 085b1869ec64c915fbbbd270d0d02acf293af24ca63fcfaac80358ca9a78d9b2 |
| SHA512 | 256c4ea7202baab74bb446829016464ad1c7db11474176c247fb36c92259a1f640c23ab04ba70cf6feee19ed1bce72272bb15cf36d8c070b65c98b0cfa6c677a |
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win7-20240508-en
Max time kernel
297s
Max time network
297s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\74cDYAeB5dSk.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\t8CTZ4bjcl52.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CvtFurH6WKfS.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mLjI31YZczax.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/108-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp
memory/108-1-0x00000000010B0000-0x000000000111C000-memory.dmp
memory/108-2-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/108-3-0x0000000074CAE000-0x0000000074CAF000-memory.dmp
memory/108-4-0x0000000074CA0000-0x000000007538E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2904-12-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2904-13-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/108-14-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/2904-15-0x0000000074CA0000-0x000000007538E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\74cDYAeB5dSk.bat
| MD5 | 8e224ba1d43f65d40f4372c0b66078f0 |
| SHA1 | b0d6d87be60505ddfa0e1367a75eff975d44eaaf |
| SHA256 | 81daba5d9982d7054fd1f6c5fc372baef57b27dc58d34860299f11774ffbe74d |
| SHA512 | deeccea9deaa1a6d03ddd24732236d6741caa4eee63efbdf039c1060626ee99979440acffa9a14c779e5f560c7871eb9f821a4e5989d38ea38b5a892854578b1 |
memory/2904-25-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/672-28-0x0000000001260000-0x00000000012CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\t8CTZ4bjcl52.bat
| MD5 | 8684f15775bf60c2f7b50a6c1c8884e0 |
| SHA1 | 290a2b23edacb492d9e4aeb41b7deefa4a176d4e |
| SHA256 | 81e79aebfbd7120088f9d071471ef47176655f14b82aafda1700b41da5179230 |
| SHA512 | 6b8ba1d21019e63676f61c3a28a99ff0ee52814d6ebe64d5cc08b0a1dd585520c42ef240b797bd10e0667daf71a4118a7d2aaf65bd2147f89c5ba0d62e98dc3a |
memory/1452-40-0x0000000001260000-0x00000000012CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CvtFurH6WKfS.bat
| MD5 | 4dd5e64d09c6e76e4067db83f56ca86c |
| SHA1 | 7ddfd15f52564a4a7bff62e8a07f700a0cf79649 |
| SHA256 | 051d704b172e438277eba4fb3568b61d6e2ec0a1224bc28e0a1ed95ad30a5775 |
| SHA512 | 16ed73e1d8c1382733f1ec83c5314817f8e972ca669820545d2b3e1b0a4f85a057670e055fc10f8afff7fcaae1eb30e65d67ebed860ad9bda85bba2c667dd14d |
memory/2452-52-0x0000000001260000-0x00000000012CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mLjI31YZczax.bat
| MD5 | 2be9e42319d703ac8ddf3b70f64f6abe |
| SHA1 | eb9b3c9ef052b0c5dfcefe27d2a4bbfb9bad7b5f |
| SHA256 | 70bcc8c9c1d48ab2a51bdf4e095e29eaac7799a10a61b4572b1e842b4264e4d1 |
| SHA512 | b3a6babf41bec0d46ac2141b92d5041e2a9fe83148a561827fb63c8f65058b74fa50491057c48f64ce4c81552fd59febc57577a3379375248269e3e076390342 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win10v2004-20240611-en
Max time kernel
237s
Max time network
291s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.131.50.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4348-0-0x000000007502E000-0x000000007502F000-memory.dmp
memory/4348-1-0x0000000000D50000-0x0000000000DBC000-memory.dmp
memory/4348-2-0x0000000005EB0000-0x0000000006454000-memory.dmp
memory/4348-3-0x0000000005900000-0x0000000005992000-memory.dmp
memory/4348-4-0x0000000075020000-0x00000000757D0000-memory.dmp
memory/4348-5-0x0000000005790000-0x00000000057F6000-memory.dmp
memory/4348-6-0x0000000005E40000-0x0000000005E52000-memory.dmp
memory/4348-7-0x0000000006B40000-0x0000000006B7C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3312-13-0x0000000075020000-0x00000000757D0000-memory.dmp
memory/3312-14-0x0000000075020000-0x00000000757D0000-memory.dmp
memory/4348-16-0x0000000075020000-0x00000000757D0000-memory.dmp
memory/3312-18-0x00000000067C0000-0x00000000067CA000-memory.dmp
memory/3312-19-0x0000000075020000-0x00000000757D0000-memory.dmp
memory/3312-20-0x0000000075020000-0x00000000757D0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win7-20240508-en
Max time kernel
297s
Max time network
300s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6T2EkNtUzOUj.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pyiA6stCPfYX.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CmEgFPjsq3qq.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\T4leozn94eXL.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2908-0-0x000000007420E000-0x000000007420F000-memory.dmp
memory/2908-1-0x0000000000140000-0x00000000001AC000-memory.dmp
memory/2908-2-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/2908-3-0x000000007420E000-0x000000007420F000-memory.dmp
memory/2908-4-0x0000000074200000-0x00000000748EE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/468-12-0x0000000000B20000-0x0000000000B8C000-memory.dmp
memory/468-13-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/468-14-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/2908-15-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/468-16-0x0000000074200000-0x00000000748EE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6T2EkNtUzOUj.bat
| MD5 | 5ec3fbd2c6aac6cf9f5fc745c9ae2b9e |
| SHA1 | 669bb4e63d107cbe91b9022743f6d145b7321fac |
| SHA256 | 7b8bfd22562fc9ded9e9d5ddc7230048475845067d49a9d1366eef4431361ee5 |
| SHA512 | 9c22716d22c65691d5d5224d0d933fa8bd45baa77f45053e4e90d84d227e61eeb32e5ef52d51a04a20ea5b72edf480287527983d5848e84331662ea09184420d |
memory/468-26-0x0000000074200000-0x00000000748EE000-memory.dmp
memory/1316-29-0x0000000000250000-0x00000000002BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pyiA6stCPfYX.bat
| MD5 | 8098ba56d72222f8e28379eec0a1a19a |
| SHA1 | d1cf0531a3d6dd72ebaaa26b66048731f5c2161a |
| SHA256 | 87d0bf9cf7b417cd12eea26fc7e756739fb265327c6e5f29a5cbf752bf212c7b |
| SHA512 | 5db5ad11d197884a8e06598e220600a64953b39ce03990b8ef854c032776aa642b7b5c54d49471e8619f53348495d6ddeeafcc8f548169d9a3b31f073c36c926 |
memory/1736-41-0x00000000012E0000-0x000000000134C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CmEgFPjsq3qq.bat
| MD5 | fdfc67bedec0dbad7660438161c303a8 |
| SHA1 | 88e866a3c4820ce482322ac0dd2518f33fef0d41 |
| SHA256 | 33723c6e0ddef8c60fa0ece25a1388cf75f619eea3c2d7a131d445f379cb9321 |
| SHA512 | 6a9e311d7dc3f79ff0e9d501406a8d871f696a45ff0b8f2bc8d8ac10399eaffdec4ce94e288e366246dc81088b746e08da8ee402905fc892adcd51bad1fbd800 |
memory/2744-53-0x00000000012E0000-0x000000000134C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\T4leozn94eXL.bat
| MD5 | 4f52c6a4dc66d74c137202182e0c6b13 |
| SHA1 | 6b66646f79f80e91fc02a35edfb5cf317fc3835e |
| SHA256 | cf8f09edc904e6e4e4af23037d7d1c38b07199ab04746f7971a7b17cc1cd304b |
| SHA512 | 027a6ddc485048a597302706f2ec84178ca065bac3b39cca882296e3d90ca19efd390aff539e6bf50e1836e048cd7352d596df53c7fc862fdfccbd745555abbc |
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win10v2004-20240508-en
Max time kernel
298s
Max time network
306s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uTyc8K8de1O5.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1504 -ip 1504
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1084
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vu734we2OULJ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2768 -ip 2768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sDm9Ej8YnikQ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 532 -ip 532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 1660
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dnXyHtjxHhWV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 404 -ip 404
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 2176
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F2LzfLWuaBMI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1796 -ip 1796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\03F468gM2VdZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4916 -ip 4916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 932
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dXMsBEv6mGc8.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2260 -ip 2260
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1724
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qlPvNw1yQGGi.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2612 -ip 2612
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgeOoeIs3Ain.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3164 -ip 3164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kY81LisfkiHK.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3704 -ip 3704
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rT3zhSJPj2hV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 632 -ip 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 1696
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqhQzjVH7Y9x.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4824 -ip 4824
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C10dIot3pDw1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4264 -ip 4264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cLjJUctTJdQn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4324 -ip 4324
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQMtocPgCrMe.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2448 -ip 2448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1668
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/3656-0-0x00000000746EE000-0x00000000746EF000-memory.dmp
memory/3656-1-0x0000000000940000-0x00000000009AC000-memory.dmp
memory/3656-2-0x0000000005860000-0x0000000005E04000-memory.dmp
memory/3656-3-0x0000000005410000-0x00000000054A2000-memory.dmp
memory/3656-4-0x00000000746E0000-0x0000000074E90000-memory.dmp
memory/3656-5-0x00000000054B0000-0x0000000005516000-memory.dmp
memory/3656-6-0x00000000060C0000-0x00000000060D2000-memory.dmp
memory/3656-7-0x00000000746EE000-0x00000000746EF000-memory.dmp
memory/3656-8-0x00000000746E0000-0x0000000074E90000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1504-15-0x00000000746E0000-0x0000000074E90000-memory.dmp
memory/3656-16-0x00000000746E0000-0x0000000074E90000-memory.dmp
memory/1504-17-0x00000000746E0000-0x0000000074E90000-memory.dmp
memory/1504-19-0x00000000067D0000-0x00000000067DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uTyc8K8de1O5.bat
| MD5 | dc4ca94fa542b97280dace221b2811f0 |
| SHA1 | fba67e2b9d8c8a9e5cbb91163c53a6e3f4434c10 |
| SHA256 | 5de21686bf88c8c6a4159aa37a025196e693e8a640287419830ba647ea4f5027 |
| SHA512 | 750dafcfc077d1e7ac437c0a9012f709862197330c2571b073ee7805823da137c85c33a1b8cb7ef48f4a759cdebb42b7128bbf530d080946a0ec040dadca4000 |
memory/1504-24-0x00000000746E0000-0x0000000074E90000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 7cda1a4132f1b9a1444d03ed038b65f4 |
| SHA1 | d7cb6f28ec41a7fc7c8c5c8b51c8ad5301a8d1cb |
| SHA256 | 6b03048c9069917cca07f8d7a257feda63143cd772cbbfcf6a547c82c7ba7b1d |
| SHA512 | e40156e0877cfcae3ff24cbb67dbc02bdf90e340855101908dfcdaa8360d854419843f80266c38494d95978321bb501fab5580da324f6e010177939246c4d595 |
C:\Users\Admin\AppData\Local\Temp\Vu734we2OULJ.bat
| MD5 | 35f55b2fde4a22bb9b9885b27606cccf |
| SHA1 | 8fe9e796d1116fd3f227a29f1a8d796e730e26ec |
| SHA256 | 01a7aea4af0e4b3cedd093ea4d8403bd02b8ee88455e7d9edbee15b8fd262bc7 |
| SHA512 | 3d9fa5eb9f967cc002a8a235274d2a4448b1a0353a579226ddb580ac71c5ed74ef8a4324df7efc397ab455e12265b1c342edd697ee62d4bb70cfa814e67b55a0 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 4bc719dcc4eb9a33bb779a4c033fee8d |
| SHA1 | 9237db80354955e57a970f7728ab50efd6f52db6 |
| SHA256 | 7a6924eb9d51b42ea5e995107566d5389ccbdc9d7c601089bd23cd37cbc2d8db |
| SHA512 | 0adea360a984c2680d3d623fee59c1ba3a0c4296e346c329fc0e6b98368d704ce06ca05775cf9e359fe4230a8c836982b61a6aba1c943de79944bc530256dc02 |
C:\Users\Admin\AppData\Local\Temp\sDm9Ej8YnikQ.bat
| MD5 | 66267290cb422a26a33bc42008b3762b |
| SHA1 | 4f0d51b174373c57717545771084a420182e1f10 |
| SHA256 | 867c933fbde947498b58d7dafa15f3e4fd2f8e00235966d9753686b6200d0f8a |
| SHA512 | 107df198de641043f4c1ea173199ea6cf254b6de5edf9173656a442ad07608f782217945c78e5788d16fb72afa29897f94204caf725affe4ba1872ff784df147 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | bcb647e23984480e51d33ecb60d48760 |
| SHA1 | cc1fcfd5c3a1a00f53f309ae518f179ff13cba43 |
| SHA256 | e150190541f637f1a9e2b208a8c027752780d78205343ab353da65d14c172686 |
| SHA512 | 268c7ce40549feea17187044bc837d317db8c20770b7ba81fbc93d04dda686782cb7339acc4063d7eb4bc6b4a1d34abc5ed9b0fe9600cb3db85ec7be208ab893 |
C:\Users\Admin\AppData\Local\Temp\dnXyHtjxHhWV.bat
| MD5 | 9bbfe2bfa61841fefb8cf7870bfae6ec |
| SHA1 | 1446296d58018348c039275a1ebc3724dd2155e3 |
| SHA256 | b7ee3ff1d4d05458f664ebfa019c80cef85c5073e2cd1c5ce9ab4f2fd00324c5 |
| SHA512 | 6eef082c66b5a7cea8158525618a1ee8afb6451ab93ef7266e15a07c9a6888a0afdfbf1ee7120a3c5169da6f63b9d54c7ff5bc3af590095cdcbbced3a3967a02 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 04c501c10f6b5c0e6fe012511facfb64 |
| SHA1 | 01a42980c7bba3abc916ce7fec0842f298b00104 |
| SHA256 | 082ae9fc6a4f70c83ac3784aba5319684abfa4bb20783c5b6592be97e421c570 |
| SHA512 | 1b8bd87a2e6770b14cd6f58d4381311b79979ebb26f8af1cdcb55f634154726bf1b7c4cec39e8c5e631f7b18a80590d2f434b9671437d476c5687278789cdf96 |
C:\Users\Admin\AppData\Local\Temp\F2LzfLWuaBMI.bat
| MD5 | 6329db82b2578af13dbadc9f949093c9 |
| SHA1 | feda314bb39e5a9e3a5deb452c292f3a41388632 |
| SHA256 | 12b3757f4ce4b8d04cd836b7c9f1d4730b8c58bdbe517453ab597ae564535681 |
| SHA512 | ba8e2b2e2b24cffc06dbc4a211b115e4e66642bbfe0de46477d636495ce8e1de5334096c8c82db53a062fcf3bc260f83cc9c1f0a25733deef9f1384c0ab55ad8 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\03F468gM2VdZ.bat
| MD5 | cec81c3157400fe26761e69a7bec0e8b |
| SHA1 | a55ad907c965764598c467d334b3482126fcabdf |
| SHA256 | 85d65492b7995a200cbe8e3e500b8204b47bed9638f1bf22eddd5c40f3729fb9 |
| SHA512 | fb81a137e610913c9b17149d0c5f6a912dbd280c6e772abf8497c8dedb17f2b23d912bcabd37b00dacef9aa4194364924ccbbe1ec58bd750ca251cb9e1413149 |
C:\Users\Admin\AppData\Local\Temp\dXMsBEv6mGc8.bat
| MD5 | fd96643471b88b85a1262db0877bd254 |
| SHA1 | 0a1f472d5aa7b808850bb7e1873b0929df8d9fc6 |
| SHA256 | 6810a71ef0c0db7436570db1d84e29afac2e1cca4a1a98eef473b987f390312f |
| SHA512 | 2170fbdba956ff14bf2b59fe8cd0fe06d270f32f88749149bc9846870a50efb22fbe9078b3e6633f38d3ab99419d4e27b1211db8aaa89633788723fbaa5c87bd |
C:\Users\Admin\AppData\Local\Temp\qlPvNw1yQGGi.bat
| MD5 | 37b70b997ab152ce2423dceee19b930f |
| SHA1 | 583ea1ab3f30ae90b71720ba8a63708afb7fe07b |
| SHA256 | 0984af9a771d544787c8799b74b78c5594cd01fe304a26c186e18323eee5c4cb |
| SHA512 | 83858ab66f0f6ab0946674091bc8960ef4c86034a708b59441173179f748f7dc4576cbd43ade868050b96106e0fcf69a402bb72c8b3b4c3db72ffc5179ac702c |
C:\Users\Admin\AppData\Local\Temp\PgeOoeIs3Ain.bat
| MD5 | 9c0832090df812dc9ec1701d434d5a2e |
| SHA1 | 2b05d379aad7f76a596364df5555772b9de55535 |
| SHA256 | ffaecf4f54c001fab517e4b4e84978d64d544b9dace251866066ab70027ab4c9 |
| SHA512 | c8bdbfc4aacaa44dd2c91d9c32f884a162bf23d7f2f37df78736225dc8b77a3edb6b25a3bcd472013b2e6eba1da3717aa9df3b9b048ef060f0f5c1e45fb097ac |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 4b60bef05702790d6f3e7184c198eebb |
| SHA1 | 2d4c2b53b3b5d611953bdfc2e34d947987dc257f |
| SHA256 | 096ee60fb83b14b934ec270baf4080bb1b51d597a051b30206349dc5dfc19962 |
| SHA512 | c18c0fbf85bf31af9512e98b41d287b8f2da9c2c1558c73ce7f1a9915737bc2966d962ef2ef6f2edfcfb2f153a6db50e311bce2de9716718f69dcc38694a629b |
C:\Users\Admin\AppData\Local\Temp\kY81LisfkiHK.bat
| MD5 | 0a7994c019f79cb3f99e94bd35257fdd |
| SHA1 | 59ca92d6026c5596290eeb5e4c7d389da751d603 |
| SHA256 | 8c03a8fcb41612a38668af4854612a0348a884d5c29822ea66147cf6a190d213 |
| SHA512 | 92e11b65dbd85cbf7b5c6cae4a543e81c21e5ab0bb6c18416b6a80f146bf1c7a465226662acafafa33ee1735ae64945123f97b46287888c4921da9189f32bbaa |
C:\Users\Admin\AppData\Local\Temp\rT3zhSJPj2hV.bat
| MD5 | 0d5b0833b36922b58e462359c6663232 |
| SHA1 | a67c17fc82d38706ed5526e346d198db7901a410 |
| SHA256 | e6b328f8897261ff408301cda70c956293921016e71b60babc17014cf6e5c1e6 |
| SHA512 | d5ec896c0c2d5de1b0ebaf2d3e38661beac17dc234d9e4e2d5d89473fd646b6c41ad8700131e6c0a7a00b085550f1b85ce8fbc4c3f592f590a4ee76ad5ff400d |
C:\Users\Admin\AppData\Local\Temp\EqhQzjVH7Y9x.bat
| MD5 | 4c7842ee8ef5732238037ce417981b51 |
| SHA1 | 9f58a0ca2522eca46e049e721f697b25b8a37766 |
| SHA256 | 6ab0b88ea7f2c0c17e2a932e531ffc86c41ac8300965190631ae441acf0d63f8 |
| SHA512 | bb508cc9a0601fddac257847ef7f9958ebf02f8246e6217833b72c0161665a6beae3d5d2cfd76daa8c1ef7202148e868135119405df249144ff8c1b340d41c07 |
C:\Users\Admin\AppData\Local\Temp\C10dIot3pDw1.bat
| MD5 | 9e24168f92cd55f52fc5edcec4fd311b |
| SHA1 | 3fff04fa7a45e090bb0f2bfa68ff8c01bcb81087 |
| SHA256 | 11d3d3d947b0065b968c82beef13acc348939fd404291b7832681fd93f435a47 |
| SHA512 | a0ba50d9228d7399c7e9218599c71a9567b677dc96352b1e51ca54bdcb9ba7e492dcc52a3937e4249399ab0ffbea41f4e2d0e89e53b1a522efc63154c1eb2490 |
C:\Users\Admin\AppData\Local\Temp\cLjJUctTJdQn.bat
| MD5 | 4ea63391c833e766d6b3e218d0b37ff4 |
| SHA1 | 96169943dd982a7e571972ed4ce41858b9922b58 |
| SHA256 | 00ffef590e52badd6e36f741eb8ec4ae574ea40aebbcafd5556633df89ed8530 |
| SHA512 | 4adefaa7324594d93c5b4429e10b4ec22ded7d8f84183d10ab63ea30cbc6b8a6a76e2c5d56855abf96dac8e01900d4b679a0b781cd70b07d47954abf1a714a60 |
C:\Users\Admin\AppData\Local\Temp\OQMtocPgCrMe.bat
| MD5 | b4014a81569222bed93735146abf98b9 |
| SHA1 | d7a9357101da51c4dda0ed67874e1999c5bc5210 |
| SHA256 | bde81f68c6f40cad65f162b42f739e67c1140f2288a3493877889c3dea445cbf |
| SHA512 | 1946bf609639b6256c318e91419b42184d00ed7c62ffc9c7c9a4f17c207f2614b6b0dfc1663b7d115b86d4b148498df2e3c743fbad21855c03fdc44a68574ce5 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win10v2004-20240508-en
Max time kernel
296s
Max time network
301s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ev46vwCSl3OZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1928 -ip 1928
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1928
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QdEOrpPV0orO.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1736 -ip 1736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1640
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYPHFVAVYVEn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2236 -ip 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1640
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fZGmdGo3vdQP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1192 -ip 1192
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 1076
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DnG4ExQhiJZH.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2292 -ip 2292
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1644
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q1J7RgXZMJDr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4540 -ip 4540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1716
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rPlIWhskGdNE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2200 -ip 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m1BABNKgrRbn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4880 -ip 4880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 2252
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCUNUSiSa5Nq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4544 -ip 4544
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CawYZT4dUQXC.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2464 -ip 2464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1672
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PM5Cdqx2jT2M.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3260 -ip 3260
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W4AhIcIWBh68.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2188 -ip 2188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J9nIbcoj4v3z.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4504 -ip 4504
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 2236
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pn8HMBnR5GRB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3976 -ip 3976
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FtacSvTyTI5w.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4812 -ip 4812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/2616-0-0x00000000753CE000-0x00000000753CF000-memory.dmp
memory/2616-1-0x00000000001A0000-0x000000000020C000-memory.dmp
memory/2616-2-0x00000000051E0000-0x0000000005784000-memory.dmp
memory/2616-3-0x0000000004C30000-0x0000000004CC2000-memory.dmp
memory/2616-4-0x00000000753C0000-0x0000000075B70000-memory.dmp
memory/2616-5-0x0000000004CD0000-0x0000000004D36000-memory.dmp
memory/2616-6-0x0000000005A30000-0x0000000005A42000-memory.dmp
memory/2616-7-0x00000000753CE000-0x00000000753CF000-memory.dmp
memory/2616-8-0x00000000753C0000-0x0000000075B70000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1928-15-0x00000000753C0000-0x0000000075B70000-memory.dmp
memory/2616-16-0x00000000753C0000-0x0000000075B70000-memory.dmp
memory/1928-17-0x00000000753C0000-0x0000000075B70000-memory.dmp
memory/1928-19-0x0000000006530000-0x000000000653A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Ev46vwCSl3OZ.bat
| MD5 | c9cb59bae10332471b4979ea1d918eb9 |
| SHA1 | 562d0b341e0ce2a04880470f6d6c7b4f185b45d5 |
| SHA256 | 27f809a1b96389b5f847f40eea7c6a2ee8d8d7b06ebb3f5db10097f6f53be179 |
| SHA512 | e8dff31712495f191ae56c9bca7b5517bd232e7b0dfa38bf2130aaf968fb5a51fdfd14251ea6abdb2ea9dfabe39316e9dd178bb9a67ca9c81b14bdb16cde98a9 |
memory/1928-24-0x00000000753C0000-0x0000000075B70000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 120d5fde54e149594f42ff5f2370f7ae |
| SHA1 | e2d9ecbf125ff126f112c56075ad94fa682d0480 |
| SHA256 | b27c5cc683d2d1ba1060df93eacb29526282f469781e9492518ba12033d74186 |
| SHA512 | 60b721c2e00dfc1417865014bc1b11ea10958f2e2ee25630b5f1e9921666da9079621a56bb392f503a12b621d2865e2100f5f733d5ca522daa031bdf17dbde41 |
C:\Users\Admin\AppData\Local\Temp\QdEOrpPV0orO.bat
| MD5 | b9ee43e0f6e5ac38e81e8ee9ef5c20d1 |
| SHA1 | f2036222e8bc3c927f5dd075fae78abbf40f055f |
| SHA256 | bfbb808af6e0d0e51b9b83828c4683b8cd9f9013fe22687b9603da6ad30ef356 |
| SHA512 | dde5c2c1ae68bb96b72a9c28ccc9ea61a275a885e7e5dea4b5c217a02ef0b3c49c69eea263d822b60fd98b738e345a02e346dcab828a27a8b9f46df54f2e68f4 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 551b5f302c872094cab3a4637219ad55 |
| SHA1 | 4b007859d44a1702fc03f75b57db827aa0f738ef |
| SHA256 | 008d6ca6013ffd3f4fbc2b3df343776d78b4075f05dc56a3ffc4c9a90e7fca54 |
| SHA512 | 0092b9c7404e7496b6ee1ddce8633f31e245bfd5b9a193f3f9e3fb57f0022bfcf70597f3f290f1e0bcf95ac6aaa534ecdd635034de931117f9af3cc4d39a16ae |
C:\Users\Admin\AppData\Local\Temp\xYPHFVAVYVEn.bat
| MD5 | b6358184aa81836da7ddcc4527bc458f |
| SHA1 | 9ab5662a4bd9977052567fc2a664182460597074 |
| SHA256 | 0c2ba669c0ff9d9eb5d2b85c9f02f882448273357bb755d187cdc09a8771c8cb |
| SHA512 | 50ef66befbf5880af0c60af34f3b0cf126c83463435e85cc54b50adc2830e2f3e8032b25ed5f49e0cd4e877f61b6eafa6212d1f98373e0c7421fa25a1b9008b2 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | c9e549f42d62e470d224592062ab9c51 |
| SHA1 | 2d84340c6b23dd4789da1ee94556331437326222 |
| SHA256 | e830545c508fe69a34668f86346767ddb2916079b324d24fb271a0f2403e5547 |
| SHA512 | 07d71f7b25d6bd8b0c62cd5e99034d7616d260e26faac266cbd781d4059774128c8fe6242513027d3073eded86993fab61c62629bbe508246017516e098e97a4 |
C:\Users\Admin\AppData\Local\Temp\fZGmdGo3vdQP.bat
| MD5 | cf42879132fd22b5eb6bd13c8523c901 |
| SHA1 | 4d6963da376f5bfe24ea965668c66e6bea0311f7 |
| SHA256 | 155717a6496a3018aab4809116cedf79067dcd0f229c4a41f45d7eafa337ee31 |
| SHA512 | c661c660130e242c8986c532580d7b1e31bab81ecc363abe3e7d5729239f1f001a41b8225c3575f46645a7a6d6316f721bbfa18a7ed60072a79c64a378d096f9 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 225965326676f1783638bdde79753be4 |
| SHA1 | c01960dd97e0ae5bb3800bf97c848f3766fe2729 |
| SHA256 | 7e981fdd454bd4f06e19ddea85b7f7bbe03a56be87fe57b3bb5ad1c0206ea322 |
| SHA512 | f3adeec676fd0f730a656f7a85814079905434a6099a5f94dedc6a6e5c79d27fc4de4598f52b549385b818e235d78aad76f8f3f48aebddc74b253a9f0da10c67 |
C:\Users\Admin\AppData\Local\Temp\DnG4ExQhiJZH.bat
| MD5 | d6b078e9ae4f8898f171f186144713d5 |
| SHA1 | ec55e1801112c66b7c3ab2794c252b431c85424b |
| SHA256 | e1144fd6cf611281e27ce2e4a4383d3013ca1901d7f97dad2b54d49b40cf09f2 |
| SHA512 | f656c1d4ae18f56e1b36e020b78a88d40eba8d57fa76c013a371b95fda96f6a11ae02c6702f282ceb2ee1937ee101f61b7b382c194ad9953fb3e55792252497e |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\Q1J7RgXZMJDr.bat
| MD5 | c1c1ecb166582202faf6e6702bf6b5a8 |
| SHA1 | 37575731bc74eba804dbecb5d0eb56dc451e6fbc |
| SHA256 | 724435cfe57985168799112d513ec3d3da9a9759df24afb3cda7df2e1873ce60 |
| SHA512 | f93c902989dd649203612f790df933ac181b32ff96aeeaec1606364bdcf84fbc0d876a9ddd79e97df6fb5e0f09eb9f42a7ab7010d45e5883632c334fe84817bc |
C:\Users\Admin\AppData\Local\Temp\rPlIWhskGdNE.bat
| MD5 | 502bae9de742a0d47d3accc85b438492 |
| SHA1 | 652a51d9dccf8c0161f484755055e838b6f7d4b2 |
| SHA256 | bf6400fb959f04c7dcd4449807d31c0d8e7997e2e4cc410101021e8af3a44be5 |
| SHA512 | b2bedb267ce2ca28549c85b54363eb366c1869cbc92b3a86812db0c53ebdf29ad8848df92457ad109b49301addfd2e6862b6d95671afe84f0510764561fa2746 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 026056fd0bd47573aee601cacbfdfe74 |
| SHA1 | e85a48ea7573bb31571c9f6a5b36ae28217d5d33 |
| SHA256 | cc3f0487f7a0fab2ecc817004f836aa6a9db172252d79ace10a2a7952fa63d5c |
| SHA512 | 04c5842468cf90b2c499f2f17504ed1d79f9edced048c0bf1dd931ad133eb07d7bec6d577162e30004c626f515874bfd3e125ebfb3a3fd742285b91e3cda1cd9 |
C:\Users\Admin\AppData\Local\Temp\m1BABNKgrRbn.bat
| MD5 | 4d37a097aa19f57ad7f93189ce0b6aa2 |
| SHA1 | 8226d0de61fa86a0ade6dcaae95128d3dcf271b8 |
| SHA256 | 5a557c1f645e5b7ac0745b22de4546371cc5305e9ae6d0a8597806b6dc05987e |
| SHA512 | 3e1687df06562e9ec0936b50064fd664a9917e7e94a6f6c589ad23040755bf125864bd664cc33f322da2ceebad83d5616801fb09cc36462eb7e5401560bfebf3 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 50065001e97aa54fb1bfa955479487a8 |
| SHA1 | edf90d2635533f5dbd3507e0e0171f9afd4be6ac |
| SHA256 | d9b32d99fb1299f11e6e7000099efc510ce4848796d631a5deb3237263923e06 |
| SHA512 | eb5db5f0ff41d006efe3ab8a30edca20d10d5b87621af4daf8fa019f84d5d6f6b09b25ea2045687dbab24d21bc4c394849d291156cf963b94d84f8af49d9adea |
C:\Users\Admin\AppData\Local\Temp\lCUNUSiSa5Nq.bat
| MD5 | 3975a5882b85420e716039a753db1457 |
| SHA1 | 45bfcd37869206fbfd6fe6a83a483ba987d60be1 |
| SHA256 | 32cc6c617c5472db698bfeb7d4bd96547628fc41f6dc71f58ec163248bfe3873 |
| SHA512 | 531b49ca8ff95ef9948e4d3138e95293921c1e6a9e43782b83cb9ae779dd129a80eadea86113b4259e22d19dea97d1d8a890e3d659e3e12f41506e9263142621 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | a0fb150283a74650df3c6a68ac1cf6b5 |
| SHA1 | 726b9332d297c9038552bcfed15ff1fb1d04b8f5 |
| SHA256 | 8ba6ffade9affe693775acaeb05687c04cfdbd33b5d8663e63862022c2a5206e |
| SHA512 | 127747721be8a323cc31449ce2cb75e08f3e00fee2da94be02a4c6daee9b3aad50eacd71640dc7452faef029b3f1896948819f99737bddfca78e12e3431a5599 |
C:\Users\Admin\AppData\Local\Temp\CawYZT4dUQXC.bat
| MD5 | 01d206178c10ea3b670c019a8b3c63aa |
| SHA1 | ba22695981a2cc9478c0c2d90a1b92b11e1740dd |
| SHA256 | e095382c15771182e5fd6b7e9a19b041f97e9a8d198072e2301f040f85e8da7d |
| SHA512 | 2bf0e363a66c688adf17ebc909bb8643f2aaa767b572933275ff300382d26e4d4fcd2333d4d55e4f01207a49488b181bbd7048eaeb415ed3cfc4bf2e26daf6c7 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 05e521909ee37deea2260670fb9ee719 |
| SHA1 | 1b04116fd1af18c07cc13c0ef391e5ca340d07c5 |
| SHA256 | b15149859c842b8a55c29234e9cd440958585c77b6f1e1795a601367ddf58872 |
| SHA512 | 358010b8e292405b54e03d7ffac9edb4a6a20f6200c836427f0ee8ec8d60bedbc74aee17fca931c3ba10cf1517350f91d3c85d06a1edb0088c81f2eea11d145e |
C:\Users\Admin\AppData\Local\Temp\PM5Cdqx2jT2M.bat
| MD5 | 2a5f51d481ba0dfc8ec117ed4f0f7036 |
| SHA1 | 8b24c10cc983f6cde9d1c5f8f23ee84d35c690ce |
| SHA256 | 9862e64f2653028db887b3a9d32675cf02f8b4a34abccb3129a6a82e56c3dd9e |
| SHA512 | 8cc7165b8207568ea84a6bbfb71dfba2bd1ab114742ccf17eca5593def755cce0fde3643c407f3d035ee09e61e3f5078e14820ae4456f17b6631a49dfb19dd01 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 0f5ac7803705d9a9c68749172864a3b3 |
| SHA1 | 3aa01302f5d55b7d323aeec7c970b0253fd7f6cd |
| SHA256 | 435f3ab715dfa59f99e001f7d648436639d51a64dbd53a933cd75dd094401ec1 |
| SHA512 | ccacd25a34a0affaa75c432fbceded2f4780f344169ab1aa866e2afa2ce2a0c8e6802d23d8913811550df36e2249f871afb2da5605c0d63e17d05a1475eaa326 |
C:\Users\Admin\AppData\Local\Temp\W4AhIcIWBh68.bat
| MD5 | a4d7c53f5732ed171f73a597280c7810 |
| SHA1 | 9e77fb5752d6b749e62572898b031dd96f8dd456 |
| SHA256 | 7d59f3ccd0bb6f7ea8f7b9e9ce1490fe6aee4310a9022c63524d80f6aeb95c61 |
| SHA512 | d00732f5eed5f419f2dd378f3828634b3a3674fd076bca667d94eb4eb52b9310d2ac08ca33942d8ab085a3a0582dd22f2aa03c344d41bce026271a51bbea8f9e |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | db6f9dce3b9798aa090b17311729bb1d |
| SHA1 | 36e4398eaff7fd93d60c85b3eaa034d5a7edb294 |
| SHA256 | e6c911203e14576638b6a365273000c64fabd97ac36d6cf65e8e693ccafbbaba |
| SHA512 | 9e4a84adfa8fc2e8042c8ed5c10dbeecf0f1ac002766cf51729c5a67beec2ea5da5953aaffc25f4fd31400481d6b9c1b4ab06977a0d87ab7980c03f78c0cda55 |
C:\Users\Admin\AppData\Local\Temp\J9nIbcoj4v3z.bat
| MD5 | cc7fe1c309a129e4698255253383083f |
| SHA1 | b5138673bb64bcfbfbb3ed2cb183656ee94bf166 |
| SHA256 | 20fdc4841c869b0e796b7f9369892e9a8935316ca8a9e9cb37e0afc292ff69f1 |
| SHA512 | cbed1aa4040f1f8633ec4fc67f53d9d66362e938d77e58c5680150ba27b018ef02c52c06ff8b9130c51e0daf665fefab037530bfe9f4e649491985f16e8cc4b6 |
C:\Users\Admin\AppData\Local\Temp\Pn8HMBnR5GRB.bat
| MD5 | f154e1494add1d24961c5b54532c17a0 |
| SHA1 | 149b9d060efaaac7d3db2efd4c07ed9691847b20 |
| SHA256 | 51755a661788314019e36f575e4ee74758f203c947cf67f548806422f7eda542 |
| SHA512 | 885c50c846763b23f77c1393e6ec91beed2bdfcbc2fc71e20b001b9d3fcd9aad8bc29e1811426bc555f8e9c260c0380115589c960a123cf26a80cf92c29163ae |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | e2e998f3f4ecb012188b4edeb78ba7e4 |
| SHA1 | 558120fd8a7ca5693e5c8135e4eb2081e913ca4c |
| SHA256 | ab1c77febb7777e2492ec0ed35e70c14b5d14bd6def435565a4287bbd863e53b |
| SHA512 | 16e9d23288bec7825b4e89adf4402cfbfe8b1d94c05332c52d5dd51c9e8e1cc24d3190658ff948e16566586bee4fa717c9ab66e7c1ced3cea8e577ed0e138d3c |
C:\Users\Admin\AppData\Local\Temp\FtacSvTyTI5w.bat
| MD5 | 6db644f4ac26c29c58ee7ea7cfb6f0de |
| SHA1 | 645c5e813976e8a98597159d5cbed85d7a0843ff |
| SHA256 | 95975dd7655dab8683a4525ede1a11f7390a2950480dd8281e335e9ab9436fd1 |
| SHA512 | 30342b5956292ed802d48ea33a273845f7329eedb751dc2b6bfd86432a4aa2fb02f1136aa36979a4983d15aa82350b7913c66c8206081da458a1beee1337cd4d |
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win7-20240611-en
Max time kernel
236s
Max time network
292s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2092-0-0x000000007418E000-0x000000007418F000-memory.dmp
memory/2092-1-0x0000000000160000-0x00000000001CC000-memory.dmp
memory/2092-2-0x0000000074180000-0x000000007486E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1220-11-0x0000000074180000-0x000000007486E000-memory.dmp
memory/1220-12-0x0000000074180000-0x000000007486E000-memory.dmp
memory/1220-10-0x0000000000020000-0x000000000008C000-memory.dmp
memory/2092-13-0x0000000074180000-0x000000007486E000-memory.dmp
memory/1220-15-0x0000000074180000-0x000000007486E000-memory.dmp
memory/1220-16-0x0000000074180000-0x000000007486E000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win7-20240611-en
Max time kernel
250s
Max time network
309s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\uni\\Uni - Copy (14) - Copy - Copy - Copy.exe\"" | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2960-0-0x000000007418E000-0x000000007418F000-memory.dmp
memory/2960-1-0x00000000011F0000-0x000000000125C000-memory.dmp
memory/2960-2-0x0000000074180000-0x000000007486E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2856-10-0x0000000000E60000-0x0000000000ECC000-memory.dmp
memory/2856-11-0x0000000074180000-0x000000007486E000-memory.dmp
memory/2856-12-0x0000000074180000-0x000000007486E000-memory.dmp
memory/2960-13-0x0000000074180000-0x000000007486E000-memory.dmp
memory/2856-15-0x0000000074180000-0x000000007486E000-memory.dmp
memory/2856-16-0x0000000074180000-0x000000007486E000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win10v2004-20240226-en
Max time kernel
286s
Max time network
321s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4824-0-0x000000007528E000-0x000000007528F000-memory.dmp
memory/4824-1-0x00000000006E0000-0x000000000074C000-memory.dmp
memory/4824-2-0x0000000005660000-0x0000000005C04000-memory.dmp
memory/4824-3-0x0000000005180000-0x0000000005212000-memory.dmp
memory/4824-4-0x0000000075280000-0x0000000075A30000-memory.dmp
memory/4824-5-0x0000000005520000-0x0000000005586000-memory.dmp
memory/4824-6-0x0000000006170000-0x0000000006182000-memory.dmp
memory/4824-7-0x00000000065B0000-0x00000000065EC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3648-13-0x0000000075280000-0x0000000075A30000-memory.dmp
memory/3648-14-0x0000000075280000-0x0000000075A30000-memory.dmp
memory/4824-15-0x000000007528E000-0x000000007528F000-memory.dmp
memory/4824-17-0x0000000075280000-0x0000000075A30000-memory.dmp
memory/3648-19-0x00000000068B0000-0x00000000068BA000-memory.dmp
memory/3648-20-0x0000000075280000-0x0000000075A30000-memory.dmp
memory/3648-21-0x0000000075280000-0x0000000075A30000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win7-20240221-en
Max time kernel
236s
Max time network
289s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1928-0-0x000000007439E000-0x000000007439F000-memory.dmp
memory/1928-1-0x0000000000080000-0x00000000000EC000-memory.dmp
memory/1928-2-0x0000000074390000-0x0000000074A7E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2508-10-0x0000000074390000-0x0000000074A7E000-memory.dmp
memory/2508-11-0x0000000000D90000-0x0000000000DFC000-memory.dmp
memory/2508-12-0x0000000074390000-0x0000000074A7E000-memory.dmp
memory/1928-14-0x0000000074390000-0x0000000074A7E000-memory.dmp
memory/2508-15-0x0000000074390000-0x0000000074A7E000-memory.dmp
memory/2508-16-0x0000000074390000-0x0000000074A7E000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win10v2004-20240611-en
Max time kernel
238s
Max time network
292s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.131.50.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.131.50.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4512-0-0x00000000750AE000-0x00000000750AF000-memory.dmp
memory/4512-1-0x00000000008D0000-0x000000000093C000-memory.dmp
memory/4512-2-0x0000000005A30000-0x0000000005FD4000-memory.dmp
memory/4512-3-0x0000000005480000-0x0000000005512000-memory.dmp
memory/4512-4-0x00000000750A0000-0x0000000075850000-memory.dmp
memory/4512-5-0x0000000005390000-0x00000000053F6000-memory.dmp
memory/4512-6-0x00000000059A0000-0x00000000059B2000-memory.dmp
memory/4512-7-0x00000000065A0000-0x00000000065DC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1696-13-0x00000000750A0000-0x0000000075850000-memory.dmp
memory/1696-14-0x00000000750A0000-0x0000000075850000-memory.dmp
memory/4512-16-0x00000000750A0000-0x0000000075850000-memory.dmp
memory/1696-18-0x0000000006E50000-0x0000000006E5A000-memory.dmp
memory/1696-19-0x00000000750A0000-0x0000000075850000-memory.dmp
memory/1696-20-0x00000000750A0000-0x0000000075850000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win10v2004-20240226-en
Max time kernel
273s
Max time network
310s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3704 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/3308-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp
memory/3308-1-0x0000000000BD0000-0x0000000000C3C000-memory.dmp
memory/3308-2-0x0000000005AF0000-0x0000000006094000-memory.dmp
memory/3308-3-0x0000000005680000-0x0000000005712000-memory.dmp
memory/3308-4-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/3308-5-0x0000000005A20000-0x0000000005A86000-memory.dmp
memory/3308-6-0x0000000006620000-0x0000000006632000-memory.dmp
memory/3308-7-0x0000000006A60000-0x0000000006A9C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1248-13-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/1248-14-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/3308-15-0x0000000074E7E000-0x0000000074E7F000-memory.dmp
memory/3308-18-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/1248-19-0x0000000006CC0000-0x0000000006CCA000-memory.dmp
memory/1248-20-0x0000000074E70000-0x0000000075620000-memory.dmp
memory/1248-21-0x0000000074E70000-0x0000000075620000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win7-20231129-en
Max time kernel
236s
Max time network
290s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2232-0-0x000000007415E000-0x000000007415F000-memory.dmp
memory/2232-1-0x0000000000F80000-0x0000000000FEC000-memory.dmp
memory/2232-2-0x0000000074150000-0x000000007483E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2672-10-0x0000000000900000-0x000000000096C000-memory.dmp
memory/2672-11-0x0000000074150000-0x000000007483E000-memory.dmp
memory/2672-12-0x0000000074150000-0x000000007483E000-memory.dmp
memory/2232-14-0x0000000074150000-0x000000007483E000-memory.dmp
memory/2672-15-0x0000000074150000-0x000000007483E000-memory.dmp
memory/2672-16-0x0000000074150000-0x000000007483E000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:37
Platform
win10v2004-20240508-en
Max time kernel
296s
Max time network
308s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j4rZfk9nDf4V.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5012 -ip 5012
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1632
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0sZ6HarvP7to.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1444 -ip 1444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1648
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeTu5gOk4l2C.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5084 -ip 5084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USARhW6sGDrV.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4912 -ip 4912
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v6Tfr4bMQEkz.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2292 -ip 2292
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1648
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pe92dYiWb9Jz.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3300 -ip 3300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAtII9GtNVhM.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1616 -ip 1616
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WHSzi1JtfHop.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2252 -ip 2252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lZFYnwlWkA7z.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5032 -ip 5032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1712
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sHK3Si60BOBl.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4584 -ip 4584
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCYWsQNuoIcp.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4488 -ip 4488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bPnqIOKSwUZW.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 920 -ip 920
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U0OzAKb41U6B.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4896 -ip 4896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K6qJG4HbQWkv.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 528 -ip 528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1088
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TJ5dg2EAYihc.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3912 -ip 3912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1704
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/3692-0-0x000000007523E000-0x000000007523F000-memory.dmp
memory/3692-1-0x00000000007C0000-0x000000000082C000-memory.dmp
memory/3692-2-0x0000000005710000-0x0000000005CB4000-memory.dmp
memory/3692-3-0x0000000005250000-0x00000000052E2000-memory.dmp
memory/3692-4-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/3692-5-0x00000000052F0000-0x0000000005356000-memory.dmp
memory/3692-6-0x0000000005F40000-0x0000000005F52000-memory.dmp
memory/3692-7-0x000000007523E000-0x000000007523F000-memory.dmp
memory/3692-8-0x0000000075230000-0x00000000759E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/5012-15-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/3692-16-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/5012-17-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/5012-19-0x0000000006AF0000-0x0000000006AFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\j4rZfk9nDf4V.bat
| MD5 | 6db1230155c759452255cdcde5def3b2 |
| SHA1 | a1bf060824973c67f2c84c34e032db3af52941d5 |
| SHA256 | 3bb9767dbcc8d6a7b7fc5b067ef3f8cfee5f0aeb40de03df233b317386fa6734 |
| SHA512 | e219a144e7aa9f4b790c73dfbc1a5cb4edfabd26a717c032627a79a3ad97eef70a9791ea50ff08b51dfb663c06c1b027f02a29a6b89c701f046fc05c54bc1997 |
memory/5012-24-0x0000000075230000-0x00000000759E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 3d5895da8987e1391a517c9a243e0d9f |
| SHA1 | 4bb3e9c513f4aa7ffc210a4b60a65a5d4e5a5534 |
| SHA256 | 1a22c976d068349baaae91f0fefe9e9bc802aa97cb1e7feb539512ab99ac4614 |
| SHA512 | 159a0bd1b6071d92be7dc3fe3493a0e8c08ae7c30ad6ef621e67986d4dd0c57b38453c00f32fa274d2c92d6064762662d1f1b2f51c4e0107afa3e0473cb5d421 |
C:\Users\Admin\AppData\Local\Temp\0sZ6HarvP7to.bat
| MD5 | 1dd5edff41a3df02e8fdb88cab4c175b |
| SHA1 | b88695ce5870c92b157b3bef4a022826a543d0a1 |
| SHA256 | 1afcaadd3cd04a91e31f36eede4357891a72ee02aa283d4839ea628394a10d16 |
| SHA512 | ec6921bbdc92ca75c277c02f696114fce2a5d9880d7014678e8678f5b3da26abb6d9ec4e7b27eb1c8c29bf1cc0fab01294530898e5a853c65c9eefb138ee7c83 |
C:\Users\Admin\AppData\Local\Temp\DeTu5gOk4l2C.bat
| MD5 | 3124e18e2cf0cd2857925a3f16853495 |
| SHA1 | 3debcbe665a682773a26ffbc4501f5f692d39f4c |
| SHA256 | 352409969554e03e2c942f1f3491351dc940a787dbe3274d0b00f72eb0ce9a90 |
| SHA512 | 1c1cc30c0d5006161a70a056232bda65dd24ccedfbacc37e1e396b981175028ba4227e0b38d3404b3ebb02851f727d3988485e03534438eb6e0b2f596320f9f5 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | e431b7b8d825d1d0236913492657f95c |
| SHA1 | 43f2580cfb34eb0ed9199e59b5868d60f4792fb9 |
| SHA256 | 8c5bc7f7041976c7dc6ce0915b72721b5a5801ce0daa53fe8cf5e4138053556c |
| SHA512 | b6a64f7c9a9e2caa7207916a030d84503541e60d395d7c8041af5ae6d7024d4082a2d8e3d14172d46bcbc10ac94958f0f2823edaded27d244e434df64f5fef66 |
C:\Users\Admin\AppData\Local\Temp\USARhW6sGDrV.bat
| MD5 | 201263f33b92bcf190bcbf62237375c4 |
| SHA1 | 6307d1dc699287d9598131374513e32fcd11c80b |
| SHA256 | 87e9f560ed4b1f34814131213fdc026a6c36bf4be4875a1a967205992c88f7b3 |
| SHA512 | 3550c0350f466ff3c65c7fe78158001c1f712bbb23a2fb154cdf6aec575a4bd5ea77841ea23920cbe85a468161fc8c527e7f3742e06a29ed1104dbd0e10b077e |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 566f50d0bb2a20685280268dd4fdc848 |
| SHA1 | 1ea9d0ab06b28a6ca07b7de29165f13c870cedc4 |
| SHA256 | eb0d28be737b40d56f86865213e5c2e767a662bae893be7713833d6eb30a35dd |
| SHA512 | 4759cb5cc2463783289a1d3ea1964555b5312d472622fd429f46e2ef054f379bb53d95b8842059b7ff0407c08330cd4b2fcb20394dfaae4dbd157cb5d57a4461 |
C:\Users\Admin\AppData\Local\Temp\v6Tfr4bMQEkz.bat
| MD5 | e4c6f084e072ce605a354e2175a83947 |
| SHA1 | 76d203fb63c8d0302517233d5ef3d9643a486a37 |
| SHA256 | 1f8fb06f599887f6cb6be6dfb849a99b1d9c310b9f8960043a787c1d8c11b831 |
| SHA512 | 15dace867cc129e3186ccb450c7923fd10fc6ffc90b6e4f8956886c41eceeeb4da770f2cd47957eefd01deade9ec4c3390c0ccfebd7c39a17cb3728ceaae0f22 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\pe92dYiWb9Jz.bat
| MD5 | 34898a6e6e9c16f93bbb24b72ca3018c |
| SHA1 | 99b01308bf18d0efbbbf56078a9e7c979ecaf041 |
| SHA256 | a047f7d6f8f3e90f0d16fb527421037fd75f3e2a98e6a18169068f655ccdbc64 |
| SHA512 | 791fe14e75c213dca75428161bbe7f38a19396ae0be792756f0df8ffd7498afac66d39d14d768b3c79568f44f7de99d4e0e16c723641d13df6e4d4eb1ecae03c |
C:\Users\Admin\AppData\Local\Temp\ZAtII9GtNVhM.bat
| MD5 | f1587153fbcd6204feaf95e60c12aafd |
| SHA1 | 584cb2eb7153f2821b6452263f696023c481e2ef |
| SHA256 | 733699f6b6bb6c0390c4a4332416a41ab9782bf632c4d225ac30b87b1c694779 |
| SHA512 | b3c95ceb31e298054e851f4433d975b81eabf4576ecefa78be0359f866ee5deeed08773a29f3efc27f72c2e552866e085cc90a5cfd7ff72cca4fea6d110f826b |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 23f9ea9da0915528a2b79c52018de00b |
| SHA1 | 2d6ed46a5d1381da6345e68d7f0ec9df7607a3e0 |
| SHA256 | 5301bddd4f3afaf52e456bb0aa7e783e06cde93d76973127b35e0e9de3e84af2 |
| SHA512 | 50739f59c1d4ddbf486cb6e7d9152acad86af3b53a1a465588fe6720272174ac90f282941536dace7b9a09fcba4e87f040f1eb1e103560bf1c1a044791076319 |
C:\Users\Admin\AppData\Local\Temp\WHSzi1JtfHop.bat
| MD5 | 5557825dfe3e51089fd2d4f0f241982d |
| SHA1 | 11f082b6d72e13f428f7f8672acc7cff139d63d5 |
| SHA256 | 83a2f129790dca87e855cb4343cd077aa58e4dc792040db01ff55f660386ad35 |
| SHA512 | a8b7b382651233216da518a1b9fe7704a3b77da3b75407b82e207339740423c283e54a9feff2908c3921c8d47bc2578eb8c6eca6cf8ed601dd41ae1725140cf2 |
C:\Users\Admin\AppData\Local\Temp\lZFYnwlWkA7z.bat
| MD5 | 31e12c1470c26ea735c8f549a795ed8b |
| SHA1 | 1ba55229150e37c1a5129e3dff839b7afff3fbf9 |
| SHA256 | fd67a2bd405078c50c27fafcb01fb67766ef6c2f930da621587b8b899123e0dd |
| SHA512 | bc78b710e0e3fd7a989c1eb19d4c6d2d288d4666ac4f1a5c709f8b7f03a086f2fae06c11a14474d32caae92216e9419048c4c05d358661545a4083c6cb90e2f2 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 2a09211c0eb539f201016fade56326bd |
| SHA1 | 7cf161f429ef63839934116885d010f4763b8c86 |
| SHA256 | 5dbe37cdb3acce345995d39b2dc1b36daf44605776502c4aa8164a8ad9a14cf5 |
| SHA512 | e00f5654418a06ee2d71ac0e61cfb92a470252cf15cd77f197063ef591238491ce98f3ebab192cdb009f9bdf67e88b6f26ffd74eb09dae3c2c52da221ef6fe47 |
C:\Users\Admin\AppData\Local\Temp\sHK3Si60BOBl.bat
| MD5 | 553237468e711496dd50c8652a1edbc5 |
| SHA1 | b5d188231ec40b37d549ec50825fc40f3f3e49c5 |
| SHA256 | 7756eedf55c40888d1e2eaeee81ebd9bb5ef731ba6a45860bfa5b9cd2c244c4c |
| SHA512 | 7272e8d8504e907ee7cc63d36625c4595e208715fcd5f1d4409c91bb00b79052f906f518ce268cec501010a27737d35fca3d96105608efba844308e035efe8e6 |
C:\Users\Admin\AppData\Local\Temp\SCYWsQNuoIcp.bat
| MD5 | f630836f6b995ea60c396f862c626618 |
| SHA1 | c016ec893c05db15c52eab58290604308f410097 |
| SHA256 | fcb38f4f5a41bad24631a63ffe44328806b215199bb3ff133dcae7d041e48de0 |
| SHA512 | 9618dbe6a11d36bcc7d02f0adbcd27189e55ea26f7f87c8579cb55464901f41deb9e2b5ecaa9f0adf5aa1fc5d700552bbe77d08ea9fb11e6a8e422c2631ac42f |
C:\Users\Admin\AppData\Local\Temp\bPnqIOKSwUZW.bat
| MD5 | f80f0106acb916b95f1b3b621b6d7a0b |
| SHA1 | 7e16a63923f780be39c06011c9e142a5ce286d29 |
| SHA256 | de901407aa268e907c213b65b4f3025d459c5ef632f1162de951f580d7d305a0 |
| SHA512 | d5c631692179fbc3335bbd5736b46483162e2c542408a3c2128d809168be9dd01329c7119c6285107a019a91b55c94e7d7c234b1b25d743e29c0e8b86185c2e3 |
C:\Users\Admin\AppData\Local\Temp\U0OzAKb41U6B.bat
| MD5 | a6e08ac5cba91dfb22a78bb90fb85792 |
| SHA1 | cb341b74128c204c80d366fc5025d809f28451c4 |
| SHA256 | 074dd37beb285db07889a74f6adae5fef7011f44716c1b45582c1146a4bd515e |
| SHA512 | 5b713941b3d07a7c37725ca2dffca147daec1bf2b6d0f628d4a6a7bb0613e7e3ac31ec770ac0bbed6581203c115a295dd29eda3687f3e97800f403ece7fa2026 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 5a583eb94dcbc0fe0bf8cb64d8238bf8 |
| SHA1 | b459e19c6ce862b645661cfb7833e73ff4fc4bb7 |
| SHA256 | 2b521d0cfd1ac3214cef0f2e7dd2875f8096fd869466f1984686350f094392e2 |
| SHA512 | 9577aa2cf6cd67431b31a0762763b9c3d4eee7a7a9ee701381c74434c561a8643d1545d1de55e9c003688308ec85f67843358eb704512021e9081090da8d22d2 |
C:\Users\Admin\AppData\Local\Temp\K6qJG4HbQWkv.bat
| MD5 | f1cb578283fecdf46338492fe3dbd295 |
| SHA1 | 66ddc80062e1ec9a225d2bfbee0e603d57498f6d |
| SHA256 | 13c5346ae1caea145df5d2a9f1ba26c49c9d637ecefe68229d25418d8e9b2b5e |
| SHA512 | e49696e41704936a71e04e0012c50c671a3820d2f329e90dbcfa5b7cc24965f9242eb2a644ac47aa851fe212d056bc374b380565af06a5ceeb83bc436a9b153e |
C:\Users\Admin\AppData\Local\Temp\TJ5dg2EAYihc.bat
| MD5 | fb0fef4348ab4f64b1b771076725ee3a |
| SHA1 | ab8752b3e79d581d681c056752110c67f246634e |
| SHA256 | 27606f454b63deea5d048ea0498f7b6e6a105d97e4f5cc3ecd86a0e57796e7aa |
| SHA512 | 81e86a3ba8d6d1b2d11bac362eedc7a28081c44bb061325f6e9821db230b3288858ccfce5579ffa50064521098c6828eef8cf6b09fc093ffb16034a029d5d6b9 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win10v2004-20240508-en
Max time kernel
297s
Max time network
301s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VNnZrSwaBGQq.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5108 -ip 5108
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1608
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyM8gNhIB3tq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 992 -ip 992
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1652
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UBMcr3IGkqSk.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1700 -ip 1700
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 1088
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gl6RtEtfEpEq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2968 -ip 2968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiDFqnE7PwKq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3224 -ip 3224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 2200
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D9mhecAfV1J.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hi5JZU0Ev4hl.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1368 -ip 1368
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 2252
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ND1pRLPHAdOE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1392 -ip 1392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w8FIs2gBnWpJ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4596 -ip 4596
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gw0PWuuD4CjH.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4064 -ip 4064
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GHDKQVEnQqu4.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 824 -ip 824
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 2232
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d6mAr7c9DJVw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4368 -ip 4368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1684
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ttiYiEgryAh0.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2356 -ip 2356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\67lbvwnjcAMa.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1460 -ip 1460
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aW2WnhIE2ICr.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3628 -ip 3628
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 2212
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/2296-0-0x000000007518E000-0x000000007518F000-memory.dmp
memory/2296-1-0x0000000000E30000-0x0000000000E9C000-memory.dmp
memory/2296-2-0x0000000005E00000-0x00000000063A4000-memory.dmp
memory/2296-3-0x0000000005760000-0x00000000057F2000-memory.dmp
memory/2296-4-0x0000000075180000-0x0000000075930000-memory.dmp
memory/2296-5-0x0000000005850000-0x00000000058B6000-memory.dmp
memory/2296-6-0x0000000005DC0000-0x0000000005DD2000-memory.dmp
memory/2296-7-0x000000007518E000-0x000000007518F000-memory.dmp
memory/2296-8-0x0000000075180000-0x0000000075930000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/5108-15-0x0000000075180000-0x0000000075930000-memory.dmp
memory/2296-16-0x0000000075180000-0x0000000075930000-memory.dmp
memory/5108-17-0x0000000075180000-0x0000000075930000-memory.dmp
memory/5108-19-0x00000000063A0000-0x00000000063AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VNnZrSwaBGQq.bat
| MD5 | b542c9076b36bbf2719da4691c1d08ad |
| SHA1 | 5ed03ea989a294aea36a8b7f0373e7ccf70299cb |
| SHA256 | b70425888fac027a3c77637e68aae36a407698c18de18931482fde1716b269a6 |
| SHA512 | 7c91b22368852f1208d6e63dfa4cbdbe96e0217ad46c79585839bdbaec92e4d79310551e01783bc2ecf379222bf7ad8d8757068ff761f5e5cda8dbf8fae12213 |
memory/5108-24-0x0000000075180000-0x0000000075930000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | e288cb14428cb243494b44db0f9a556f |
| SHA1 | 1274d9e2941a7560c92318f5bdde4abcec65a32d |
| SHA256 | 702c93e9ccc2d032c5c6c3161f58cd55000625e45886dd1d3bb93e1ba207f421 |
| SHA512 | a3d30f5ac48d938dcfacdca442615a93d40dc82a69b2755f541396290ad9ca687c695c74527157ca2da5477ea943d0b1fb0981fb581ba42bd922163db871fe87 |
C:\Users\Admin\AppData\Local\Temp\KyM8gNhIB3tq.bat
| MD5 | 5c1876b15a610acc45fd8fe1ca3f83ba |
| SHA1 | 6fa5bd40b43d61185e53990db266a6b4119187bb |
| SHA256 | 9371218023c47b44d9133bf4d1b6610bf74d2d954192fb94cf708d848badb838 |
| SHA512 | bbbce39d79940f5af5b2cb5eda4de967f226fae06d9923563a46142cc749ef46ff3f02e7ed9ce75bf110e9679322c9a1719b1c18e90aa84e735192333ec11313 |
C:\Users\Admin\AppData\Local\Temp\UBMcr3IGkqSk.bat
| MD5 | 57403dd27afbc22a43f75d1d3f995272 |
| SHA1 | 0333a2e9bcec329240d8ab461732688e49dcc327 |
| SHA256 | a6ba2ef4d4abe75f401c171c94bcc38ebff87294a1904288a9d81258c0677689 |
| SHA512 | 87d3c205e56861fb470505c0f7959379fb2c21d00089c445950d49816e4446b19ca95b2da8dce7caf460364aa04ebff55dd8bb6935b0c93f053508e174136ce3 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | f99fa902650c3a1130f387af4fcf495f |
| SHA1 | 0faac45773192b99ad62cacf31346a3b622a0a47 |
| SHA256 | e0cb9fe2a41abd8116ed3561bd122355f1992940e90f44f1a5efe2c170f5b613 |
| SHA512 | 6c61329531e8de8cf54323a81783118873cf280e659e1a9ec07637f05e19d926299a1d98a7e229eaffb409599e3ca40ace47aba56a64cc0e7242bdaffc6ceb32 |
C:\Users\Admin\AppData\Local\Temp\Gl6RtEtfEpEq.bat
| MD5 | 8f0d905b348d8d9238d1978cfcb58404 |
| SHA1 | 91d9d03a9b5e48a03c240543a3c6728b4c07fc05 |
| SHA256 | 97a03b99a161ddeba7b54bc054d802a8b76de4e6c4b95f20261b0ae2b6ebdb85 |
| SHA512 | 92d9069bcc47c954b7b08dc2fb6c49c95fee2b8e8e9b980eaebfcf74f6b0c4673b4d342d40f7453021b2bba00c448b7e0d22642965769d8c252b5e081e4b0a49 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 05e137434936097742c47f68ce0c32e2 |
| SHA1 | b054b86124f0195f344fdbe4fb7c4b0551ddaf67 |
| SHA256 | a5e693850b4ea8053b3fbef2c6b1708f6ed571834c8af0eb8a6fd05cf962d955 |
| SHA512 | a3ddc0ebe7b8fe5beb9421ac02dc10e60eafb2bf0ef0487a2a1990a943d5e9d97034cc9222389ae0712d2883856099cadd9dddf752afba7c76a1c3d68d4d8236 |
C:\Users\Admin\AppData\Local\Temp\LiDFqnE7PwKq.bat
| MD5 | 9599ba271893f7b29a38a7fe7e4f7bf6 |
| SHA1 | cbe7cb3f804e8a9fe933a1f273324570b842884e |
| SHA256 | f08508cfa462cf6e33f391cca9e54112dbd50ec3279459a611a8bc6bbe7cca73 |
| SHA512 | 116f97578303a59ebf8b5833f2e1b6982e30d61ba19bea3d540c965fcd390eee0e92855832d136263f098f3f86c8ddd15016e6dcd79183e8645b4950a0b2065c |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\1D9mhecAfV1J.bat
| MD5 | c694bad378b87890016ca860837dbc94 |
| SHA1 | d3bb4e95836947f91687619d606e43ea234e5f09 |
| SHA256 | a702c46dae03b4e377291cec536681186f66616473e7656bad2421d9d363e9b5 |
| SHA512 | 65a40ca876b11b07aa38623f8598876255e6e3c5e11af7756d6fea29b5e76b16464975fd3d6aca428d020c4ea5b597e0a6742631704e2e88dd0fe292e0f54258 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 7c8768539c3e4417810de9f852f03828 |
| SHA1 | 906e0f42a77786d40ccb7376351b1dcce95902e1 |
| SHA256 | 1821506b22e019e592049741d86b9f05508601d44b2cf2bb38d67683a6e58eb3 |
| SHA512 | 269f6010e123597604efcdb9f29e5ab0ff594a23345dc7a46c120ad6e441208a6f2513c5d71b1ef900fd5e5a7da46c8a2bc7c7f3efce8e6fa4c1f33baef00666 |
C:\Users\Admin\AppData\Local\Temp\hi5JZU0Ev4hl.bat
| MD5 | 9be405b0a0cfed3212b75f9930abe542 |
| SHA1 | 90d13ecd369dbf3a5a883b87604c5aab1239f543 |
| SHA256 | 030658135bf3b3e678378cbc9b029f63603eeee6cd69055c241a1a8345bd91db |
| SHA512 | 543bc0a751aa020333117209ccb5b46d2d630622a1c286baed659c5603efeb4e96dc996e83c465cb229ba66273830191eb5fc22e71b4407ce6974c9058600c00 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 74b84a028795b296644c7f1568133e8f |
| SHA1 | 9c2af89c3aa5d6489eb6e52770d5f27fde149522 |
| SHA256 | d315f193c5694e7eca05df5898c4f64d20e2682ac9f6067de19f4a18025ead02 |
| SHA512 | 0d325c075f202127003bef728c356a543813875e841c972dd31a703c274e1f1e994b11c9ff15bd0d5d8d6ddf71e94bd318614e3ee6d22ecab7d158ffa3ebf222 |
C:\Users\Admin\AppData\Local\Temp\ND1pRLPHAdOE.bat
| MD5 | bacee5f585327f7597e9c0c679f96163 |
| SHA1 | ad228fafedcbce8204b89f53863ba147ff646dab |
| SHA256 | 26631a38ba0e15b61c4fde4027a5785279c04d209897d5e58cf41887d6509bbc |
| SHA512 | 898abb304790ebe3ba02b1f6a81e9f2ee0ddbff215473c96a91cca0cfa074b676e6dbe2571bbd9ffc140ec4b7fc45dbd0d0146ee1f021f371f4c88504830bbfe |
C:\Users\Admin\AppData\Local\Temp\w8FIs2gBnWpJ.bat
| MD5 | bfcde9831a639cf94850856b94da945c |
| SHA1 | af6ec0aa09b60fdf3f79ce9b50830f1293b68ac7 |
| SHA256 | 932dcdc4060977d3bb5569258ac98045036fb87cea66bed811247e712312f468 |
| SHA512 | 43f38be28a5c3db25be4f59762779d5a4b85c1098b7d02f8af3c0776650d911b1437a60a0a265378f856cae7ef228cee91e80ea797e0a0a1c27729936d1a6e5d |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | c4b634fd977a9249e532178c1049c1e4 |
| SHA1 | ca36ad616b6063336a9983fb6d8282d042104184 |
| SHA256 | 072ad27aa7b3fb66bc554324e0ac0aacc7012cf9febc52c3975628fc53400fe8 |
| SHA512 | 901b4a221b76581984e1787dc1e2cf306a7ff9e3f20460b29b7ec82b1c32f24b96b8b476dc83d93faa3236c0fb361c5ef75d0c07b71faf323d4dd6f9fbea62c3 |
C:\Users\Admin\AppData\Local\Temp\Gw0PWuuD4CjH.bat
| MD5 | c773cbe6fcdc5ca489fa93441adebcc2 |
| SHA1 | e48793ca2e3af6ed0dae1ad218c4573b1171d41f |
| SHA256 | ffcbdf675497e2af052e607d399784e38eb6c44898cea789900e668e8913a622 |
| SHA512 | 25e9ca1ce5a18efeee7e6f91df61438a3576803e516411e1f69b19f44ada0dfa0b29ca90ab233e6c42f53a6514a0e4f192f66f4e9671af42d8fdd00ebb57b508 |
C:\Users\Admin\AppData\Local\Temp\GHDKQVEnQqu4.bat
| MD5 | 0593faa39e89952bd8c74cde7eee724f |
| SHA1 | 73e8e87138f5c94e1d93bde0c148167d3de42703 |
| SHA256 | 4941402fdba975cf62907076f94f34157d48351f0e81f9c350ce231b00afac75 |
| SHA512 | e1e3b06d4e5c2627683499533ee314515bf20fbdb24844dc98eee6596c009a293a7b96d2282035cff25ab83d28d4a74caf5716f1e42e43248ce42d07d77eb51d |
C:\Users\Admin\AppData\Local\Temp\d6mAr7c9DJVw.bat
| MD5 | c439691af33e13a83a9e447d72f28899 |
| SHA1 | b956915c746938274eb0a12d24cf4b9af9be9d31 |
| SHA256 | 57af5060ece6264951ad972db6750ca13525558e65018368297229517198b80f |
| SHA512 | 48d2a031ad02c3e067350403b15172ab5e4cad8653a3710a0b2535952e6d21d4655fb178c1df17a5280bdd5c6021e684bc75a6c6612944eb35f3f521343826a1 |
C:\Users\Admin\AppData\Local\Temp\ttiYiEgryAh0.bat
| MD5 | 91eed5fbc28485ba8b1afa34e4a863c5 |
| SHA1 | 1e53cb698aa5c5f096e05d19755d35af13bc39fd |
| SHA256 | 67f6ea5ad1f0a3d65288d9d98c6fb921bb1e6668e7fe469c98e0a5a0339a0722 |
| SHA512 | 8418aaddad8dda97b64ffb0a7d44e5fcc2d5d916e84b79ff4950dfa0ffa2702742214ce64bf832d9e1a25260549977e9026d418413f43c17a1e29a4fe1e392f3 |
C:\Users\Admin\AppData\Local\Temp\67lbvwnjcAMa.bat
| MD5 | 47d6020feef3c3d2e9a6edd192373fe0 |
| SHA1 | d66274f1c5e5579c27b1d0fc1bfd4a4c3a203350 |
| SHA256 | d29d5a79ce0906852691006d68962d6c63db948ae9917f665d3727a68c5b312e |
| SHA512 | e6c4e0e8a1943c2f321fbbca5f106da403d05bb3c2d0e011d82610d2a1e74c345056fce1f7fe4f1af959c83cc9e673198e617778578c026bcc03338f1202496f |
C:\Users\Admin\AppData\Local\Temp\aW2WnhIE2ICr.bat
| MD5 | 6814b979ad5aaf54947b4f962709e7cd |
| SHA1 | 80da3282906e902ee7287d9cb50f52a2693d57e7 |
| SHA256 | 198f8583cdd14132482ad7f2614e2b8e7785b0420bab7f5841ea3dbeab7739b6 |
| SHA512 | 55ffd5a2d43f7f451e8a88d8cb73e9a037a3f1eedb56b6def5f61620413bdfff268972f371d4776f1935cb2f68774a469f7166be0351630603e8c9eecf1678e7 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win7-20240508-en
Max time kernel
296s
Max time network
299s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lAbHXfnYWsdk.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BzuWSwnYT3bx.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\21Nk98jxbuxT.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ewMc4VcVOWmt.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2596-0-0x000000007440E000-0x000000007440F000-memory.dmp
memory/2596-1-0x00000000003E0000-0x000000000044C000-memory.dmp
memory/2596-2-0x0000000074400000-0x0000000074AEE000-memory.dmp
memory/2596-3-0x000000007440E000-0x000000007440F000-memory.dmp
memory/2596-4-0x0000000074400000-0x0000000074AEE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2968-12-0x0000000000130000-0x000000000019C000-memory.dmp
memory/2968-13-0x0000000074400000-0x0000000074AEE000-memory.dmp
memory/2968-14-0x0000000074400000-0x0000000074AEE000-memory.dmp
memory/2596-15-0x0000000074400000-0x0000000074AEE000-memory.dmp
memory/2968-16-0x0000000074400000-0x0000000074AEE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lAbHXfnYWsdk.bat
| MD5 | d54347591da8913b485a3618f8c2fb5c |
| SHA1 | 328c80544107a70ee30796dfbc0548bc895addb9 |
| SHA256 | 0236691709d47da4680c4afb5ece1c45c8e0c2a94b4d0a44cecf3225146cb1ba |
| SHA512 | 5f688f8bf46dfa910e83f7dedecec0803472713feb8a04edc494dbb7c25f9ef4a25e0dc4fa8a814577ace7bfa289950e25a1db0fd1b6a406a7c3de503e3f1dea |
memory/2968-26-0x0000000074400000-0x0000000074AEE000-memory.dmp
memory/2124-29-0x00000000010D0000-0x000000000113C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BzuWSwnYT3bx.bat
| MD5 | d03d4df13ef004c7dea80f7b500d2730 |
| SHA1 | df3c15d6471f9454e0f3bdb9fc7d882760821b45 |
| SHA256 | 30ef6a408585b31a0f3d4e7f49b8a5cb047f039fef6131a17bcb47744697f1ed |
| SHA512 | e60e0e71361695e31e5bdc4e84eec15540c25cfcc4048bdd0fa230c5f28a2216f52e38cf75d0d0b2762c61c540de3d53dcc988aabdec4064950fe2ff3dd419e2 |
memory/1740-41-0x00000000010D0000-0x000000000113C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\21Nk98jxbuxT.bat
| MD5 | fafe9f4e19f9ca6ac7d069bf5e7f7c43 |
| SHA1 | e5509c78dc9730def371dc41ab7f326b6513d53a |
| SHA256 | 1752c7dc1a00d772bf3a218249b8c359c49c4bec43ec3b81b5293d37e1710522 |
| SHA512 | 37f06908ffd3b7aa12f15d4d81da4f128ba61ec121dd255d02613eae6ae24c16c089e33b615d871c1ef9638e0067459f2f2f10f4017a380e5f03b426870f14a9 |
memory/2552-53-0x0000000001360000-0x00000000013CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ewMc4VcVOWmt.bat
| MD5 | 78da848d298ab17f8a0fe38554e282c1 |
| SHA1 | 80a998fba81f8271425165364f59c4f3fe9a68d6 |
| SHA256 | 549fe0521be9bd60974d7fafc2ea8c3edfe8eeeca1684961aa01e508a35e2dde |
| SHA512 | 5e7b9a2d2ba6ffa48268bc7a0957233be9cd2b83fd85244a6331a7b6461a836e794ba77617faff5822b9699b6f4429d8d137513e806d7ee5b1de028fc3ce9047 |
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-15 07:30
Reported
2024-06-15 07:36
Platform
win10v2004-20240611-en
Max time kernel
299s
Max time network
289s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | udp | |
| N/A | 13.89.178.27:443 | tcp |
Files
memory/3172-0-0x0000000074FEE000-0x0000000074FEF000-memory.dmp
memory/3172-1-0x00000000000D0000-0x000000000013C000-memory.dmp
memory/3172-2-0x0000000005150000-0x00000000056F4000-memory.dmp
memory/3172-3-0x0000000004BA0000-0x0000000004C32000-memory.dmp
memory/3172-4-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/3172-5-0x0000000004AF0000-0x0000000004B56000-memory.dmp
memory/3172-6-0x0000000005840000-0x0000000005852000-memory.dmp
memory/3172-7-0x0000000005D80000-0x0000000005DBC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1088-13-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/1088-14-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/3172-16-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/1088-18-0x0000000007240000-0x000000000724A000-memory.dmp
memory/1088-19-0x0000000074FE0000-0x0000000075790000-memory.dmp
memory/1088-20-0x0000000074FE0000-0x0000000075790000-memory.dmp