quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
299s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (101) - Copy - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral16/memory/668-1-0x00000000003D0000-0x000000000043C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1612	Client.exe
2532	Client.exe
3212	Client.exe
1528	Client.exe
1924	Client.exe
2176	Client.exe
2508	Client.exe
2324	Client.exe
3216	Client.exe
1524	Client.exe
2740	Client.exe
4324	Client.exe
2104	Client.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
9	api.ipify.org
13	ip-api.com
19	ip-api.com
33	ip-api.com
15	ip-api.com
17	ip-api.com
21	ip-api.com
29	ip-api.com
2	ip-api.com
27	ip-api.com
11	ip-api.com
23	ip-api.com
25	ip-api.com
31	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1200	1612	WerFault.exe	Client.exe
684	2532	WerFault.exe	Client.exe
3696	3212	WerFault.exe	Client.exe
2292	1528	WerFault.exe	Client.exe
752	1924	WerFault.exe	Client.exe
1048	2176	WerFault.exe	Client.exe
4464	2508	WerFault.exe	Client.exe
2184	2324	WerFault.exe	Client.exe
1596	3216	WerFault.exe	Client.exe
3692	1524	WerFault.exe	Client.exe
1600	2740	WerFault.exe	Client.exe
3276	4324	WerFault.exe	Client.exe
2560	2104	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3332	schtasks.exe
4344	schtasks.exe
3816	schtasks.exe
1648	schtasks.exe
3264	schtasks.exe
3436	schtasks.exe
4280	schtasks.exe
3756	SCHTASKS.exe
4460	schtasks.exe
468	schtasks.exe
1352	schtasks.exe
4368	schtasks.exe
4672	schtasks.exe
4260	schtasks.exe
2948	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3176	PING.EXE
3296	PING.EXE
1048	PING.EXE
3752	PING.EXE
4484	PING.EXE
3252	PING.EXE
2540	PING.EXE
3396	PING.EXE
1996	PING.EXE
4688	PING.EXE
4516	PING.EXE
1396	PING.EXE
2088	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Uni - Copy (101) - Copy - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	668	Uni - Copy (101) - Copy - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	1612	Client.exe
Token: SeDebugPrivilege	2532	Client.exe
Token: SeDebugPrivilege	3212	Client.exe
Token: SeDebugPrivilege	1528	Client.exe
Token: SeDebugPrivilege	1924	Client.exe
Token: SeDebugPrivilege	2176	Client.exe
Token: SeDebugPrivilege	2508	Client.exe
Token: SeDebugPrivilege	2324	Client.exe
Token: SeDebugPrivilege	3216	Client.exe
Token: SeDebugPrivilege	1524	Client.exe
Token: SeDebugPrivilege	2740	Client.exe
Token: SeDebugPrivilege	4324	Client.exe
Token: SeDebugPrivilege	2104	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1612	Client.exe
2532	Client.exe
3212	Client.exe
1528	Client.exe
1924	Client.exe
2176	Client.exe
2508	Client.exe
2324	Client.exe
3216	Client.exe
1524	Client.exe
2740	Client.exe
4324	Client.exe
2104	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (101) - Copy - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 668 wrote to memory of 4672	668	Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	schtasks.exe
PID 668 wrote to memory of 4672	668	Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	schtasks.exe
PID 668 wrote to memory of 4672	668	Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	schtasks.exe
PID 668 wrote to memory of 1612	668	Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	Client.exe
PID 668 wrote to memory of 1612	668	Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	Client.exe
PID 668 wrote to memory of 1612	668	Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	Client.exe
PID 668 wrote to memory of 3756	668	Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 668 wrote to memory of 3756	668	Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 668 wrote to memory of 3756	668	Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1612 wrote to memory of 3332	1612	Client.exe	schtasks.exe
PID 1612 wrote to memory of 3332	1612	Client.exe	schtasks.exe
PID 1612 wrote to memory of 3332	1612	Client.exe	schtasks.exe
PID 1612 wrote to memory of 4444	1612	Client.exe	cmd.exe
PID 1612 wrote to memory of 4444	1612	Client.exe	cmd.exe
PID 1612 wrote to memory of 4444	1612	Client.exe	cmd.exe
PID 4444 wrote to memory of 4064	4444	cmd.exe	chcp.com
PID 4444 wrote to memory of 4064	4444	cmd.exe	chcp.com
PID 4444 wrote to memory of 4064	4444	cmd.exe	chcp.com
PID 4444 wrote to memory of 3752	4444	cmd.exe	PING.EXE
PID 4444 wrote to memory of 3752	4444	cmd.exe	PING.EXE
PID 4444 wrote to memory of 3752	4444	cmd.exe	PING.EXE
PID 4444 wrote to memory of 2532	4444	cmd.exe	Client.exe
PID 4444 wrote to memory of 2532	4444	cmd.exe	Client.exe
PID 4444 wrote to memory of 2532	4444	cmd.exe	Client.exe
PID 2532 wrote to memory of 4460	2532	Client.exe	schtasks.exe
PID 2532 wrote to memory of 4460	2532	Client.exe	schtasks.exe
PID 2532 wrote to memory of 4460	2532	Client.exe	schtasks.exe
PID 2532 wrote to memory of 4496	2532	Client.exe	cmd.exe
PID 2532 wrote to memory of 4496	2532	Client.exe	cmd.exe
PID 2532 wrote to memory of 4496	2532	Client.exe	cmd.exe
PID 4496 wrote to memory of 1436	4496	cmd.exe	chcp.com
PID 4496 wrote to memory of 1436	4496	cmd.exe	chcp.com
PID 4496 wrote to memory of 1436	4496	cmd.exe	chcp.com
PID 4496 wrote to memory of 4484	4496	cmd.exe	PING.EXE
PID 4496 wrote to memory of 4484	4496	cmd.exe	PING.EXE
PID 4496 wrote to memory of 4484	4496	cmd.exe	PING.EXE
PID 4496 wrote to memory of 3212	4496	cmd.exe	Client.exe
PID 4496 wrote to memory of 3212	4496	cmd.exe	Client.exe
PID 4496 wrote to memory of 3212	4496	cmd.exe	Client.exe
PID 3212 wrote to memory of 468	3212	Client.exe	schtasks.exe
PID 3212 wrote to memory of 468	3212	Client.exe	schtasks.exe
PID 3212 wrote to memory of 468	3212	Client.exe	schtasks.exe
PID 3212 wrote to memory of 696	3212	Client.exe	cmd.exe
PID 3212 wrote to memory of 696	3212	Client.exe	cmd.exe
PID 3212 wrote to memory of 696	3212	Client.exe	cmd.exe
PID 696 wrote to memory of 964	696	cmd.exe	chcp.com
PID 696 wrote to memory of 964	696	cmd.exe	chcp.com
PID 696 wrote to memory of 964	696	cmd.exe	chcp.com
PID 696 wrote to memory of 3176	696	cmd.exe	PING.EXE
PID 696 wrote to memory of 3176	696	cmd.exe	PING.EXE
PID 696 wrote to memory of 3176	696	cmd.exe	PING.EXE
PID 696 wrote to memory of 1528	696	cmd.exe	Client.exe
PID 696 wrote to memory of 1528	696	cmd.exe	Client.exe
PID 696 wrote to memory of 1528	696	cmd.exe	Client.exe
PID 1528 wrote to memory of 4344	1528	Client.exe	schtasks.exe
PID 1528 wrote to memory of 4344	1528	Client.exe	schtasks.exe
PID 1528 wrote to memory of 4344	1528	Client.exe	schtasks.exe
PID 1528 wrote to memory of 4308	1528	Client.exe	cmd.exe
PID 1528 wrote to memory of 4308	1528	Client.exe	cmd.exe
PID 1528 wrote to memory of 4308	1528	Client.exe	cmd.exe
PID 4308 wrote to memory of 2020	4308	cmd.exe	chcp.com
PID 4308 wrote to memory of 2020	4308	cmd.exe	chcp.com
PID 4308 wrote to memory of 2020	4308	cmd.exe	chcp.com
PID 4308 wrote to memory of 4516	4308	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4672

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0x5joxHlCqVV.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4064

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3752

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XJPraGapisO6.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1436

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4484

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n6MFRNeXTjbA.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:964

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3176

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ypFTtt9KRmMp.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2020

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4516

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B3IW5cGC5m0Q.bat" "
11⤵
PID:1480

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1088

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2540

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkZIxeQM0CNH.bat" "
13⤵
PID:1064

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4496

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3296

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwgE2TzSFfqE.bat" "
15⤵
PID:1224

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:232

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3396

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:3816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwmagWzaBBQc.bat" "
17⤵
PID:620

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2292

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1396

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3216

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m1PBzWVn4PNS.bat" "
19⤵
PID:4708

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:3336

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1996

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DPsM4WqzyjWo.bat" "
21⤵
PID:2624

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4496

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1048

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQlRVJ0RR4n6.bat" "
23⤵
PID:5044

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4200

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3252

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECioMR49Cv0A.bat" "
25⤵
PID:1264

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:932

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4688

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icyjECafc3rQ.bat" "
27⤵
PID:4648

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:4064

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 2236
27⤵
- Program crash
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1092
25⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1672
23⤵
- Program crash
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 2232
21⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 2224
19⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1092
17⤵
- Program crash
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1092
15⤵
- Program crash
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1092
13⤵
- Program crash
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1716
11⤵
- Program crash
PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 2248
9⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1092
7⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1712
5⤵
- Program crash
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 2168
3⤵
- Program crash
PID:1200

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1612 -ip 1612
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2532 -ip 2532
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3212 -ip 3212
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1528 -ip 1528
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1924 -ip 1924
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2176 -ip 2176
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2508 -ip 2508
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2324 -ip 2324
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3216 -ip 3216
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1524 -ip 1524
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2740 -ip 2740
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4324 -ip 4324
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2104 -ip 2104
1⤵
PID:620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0x5joxHlCqVV.bat
Filesize
207B

MD5
4beb6dee80ab1abc098e90b516ec08b9

SHA1
bab20e13a31bd316bf46b4756813e306e2650597

SHA256
cfc5058ee2d15867ee8901a5c9c9434cdbc5210fe923f4c9faaff743a65c386a

SHA512
38a12aa6129e1c5b9767d59f06c3030e7b546c28cc4feaa3d766817931cd07406151177f89e00e851fbaa7d74ec7844592b29e80ac1c6be07ee115acf9d6df94

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3IW5cGC5m0Q.bat
Filesize
207B

MD5
ec2ce785ef4ab3ad4451bbd2dcabdbd5

SHA1
768e1af55c4b61f63ff6f1321fa35fd43bcdad69

SHA256
7455cdce04496fa56179a418f06bf6d47d6e06678531536f8a9ea71181c04d1e

SHA512
aa7f70c508e162044547def239ccc9a430f6638bc6ba0051d54a6f6fc0e6216e6131472a70c9f07d7d47988b9c3c8eb91aa8aed8450558d20d7d1e7b915b17b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DPsM4WqzyjWo.bat
Filesize
207B

MD5
c756be32784b680e8b4ad79318721425

SHA1
a98a6ce6e19cc5c6614d51ddd8c848cffaa10289

SHA256
d87b2a27d666c2b387facbe69dc3eae3898121f661aefdb79d82a554468ea0ac

SHA512
998043321987fdb472fa100036991a1cf76e1f4561f374073ea99963fcbaeeb8b0bb147819d1922f96a8d2dc8a03ef71316d9fa3ea6c367d28df885f42081025

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECioMR49Cv0A.bat
Filesize
207B

MD5
4f4b605ac3f2c26d5dcaf12a7aaff4e8

SHA1
c7d6a8feb232ad241cb04c89eb79cfd283c78713

SHA256
53540f9fe5dc61513cb06420a76672ffe28df690d25c5776361b8b3997cadb42

SHA512
426376081e899822d5dba778a3f7751a04f5d724cc5e10ab7716031d6d505ee880daae1702f462c393193432a2bcfbee5e52e1cb2f71a895d576a33c44d313b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FkZIxeQM0CNH.bat
Filesize
207B

MD5
92cbaa9b8e8d663b121e2fac9f122370

SHA1
9c2ac770303033e423f28de882325981670dc4ba

SHA256
33caed065c269817ecbd55555e256b145aa4068baf09d0f31ec8ed1597afbfae

SHA512
01a448a40f1d7473203635925aea95e72d1c8e60e799d6d5509beabc7b3f43e71c9b8399bb7d18ea8f2d6803f8592e6e04bf60706ec9b8a76c31725c852c4947

Download Submit
C:\Users\Admin\AppData\Local\Temp\HwgE2TzSFfqE.bat
Filesize
207B

MD5
78edd38cb38f65b435c271cb698e2e74

SHA1
29bd5a5fe8f3e091c89463931b17a395a1deda7c

SHA256
0e26338d3e7f40bcd5a058d52a64a0b7694a91c531f125f6ab49f755e31fd408

SHA512
5b350f0c12f14830c9bbd2ed0c575c6c36c922d0074868bb47198464f19058ea0a84b051cf5f95aeb04a8eac6ada6593cfc82abba07c2b560b879488d29bcad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XJPraGapisO6.bat
Filesize
207B

MD5
f2dd482bae72240ee0dc674cf17cd086

SHA1
b410b37ead2465a39432635d478600daeb4572bf

SHA256
940b38e2911b3defe0720ec19c017e62ba42c4f68d84e438e9f1f6e8b7560dc6

SHA512
3ee9d2b1c774636382adca64db4648c502ff4f933aef7d27f40b62eec398433e7662358904969e400b10e5260b2c7ca298d413e80231b21748c3be4cafc04710

Download Submit
C:\Users\Admin\AppData\Local\Temp\icyjECafc3rQ.bat
Filesize
207B

MD5
01fdaf7fb57a5763e4949f67d8f686a7

SHA1
9272402704cfa0188352786da9a70aba849437db

SHA256
5acbcae6975aaa8cb22bbaabae73a8b1b199a4518f0e2808198e906338238c81

SHA512
32d14f55a67d90286d818067a2866f09f3bbd540fc3233e1e4d35e1ce10785ba9f091ffcdebc4b8479340041384764621dfb70b17408a98161c9a96bfc0f9433

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1PBzWVn4PNS.bat
Filesize
207B

MD5
f042b2cb8c61b250a4379e400fc53e16

SHA1
532241a0a3940247a6b0ed21af11d85f86959b20

SHA256
eaf20787c96e6b6a0cba53a21016de9beee8360ea0f6dfacbecb7ce1524e847e

SHA512
51ecd965465e8507a52b618b8bb199db81011abfb1163d846f8db7025eac3352e92ab8fdcba95d091d41c3ae1e23ec0e88e84d3dfc42af331da95a38fcbf9de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\n6MFRNeXTjbA.bat
Filesize
207B

MD5
307f60da95d85b0fb9e6f10729560e59

SHA1
e9bf601e0c48435d0d19c71b4bfca3cfa3dab3ef

SHA256
e1a2e4bcb69fd5519afde67135538192e5a1b9d4219353a82bb6f3336c4657bb

SHA512
e112b0cfb377eb527bd66b1d3af3b4331006d7ffcb96078ea547be2fea97548244275cf47d6e10ffb392f1e6143c020037b998127504af9e4c28afdc8720bcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQlRVJ0RR4n6.bat
Filesize
207B

MD5
1578f08e2076eb282cbafc0fb915f6ff

SHA1
d8a3d8bb3043d82c4167ea79fd598a8118393d4a

SHA256
e2e4118314bd1aaa7d9b15fc0bbb14030c96850e677e30bd0e88d81d1e298911

SHA512
42e434b3f228ac6e252054c92007fad96240c92d1ac9ffa146a315e6493488918864e434735470b8ce6f9fe8c631492c18313369ef3f8baab8b315f81d417533

Download Submit
C:\Users\Admin\AppData\Local\Temp\ypFTtt9KRmMp.bat
Filesize
207B

MD5
8eaaa9f6c07631f24ea66a1556857fdf

SHA1
fd3638ef176622dd8a90d6f39723e9041455f265

SHA256
61eb34a9a08fa694685c3c162dc167d1472967f8877242fc26a324b8c68ac301

SHA512
f7c6f8634b126e5a6f74108a5acca305d31f55b1c259c4bd0eb7ac22470d59e8d12344014c014dc3a95228e368d6ba5d8a89ed64cad1517bee90577cfe33abe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwmagWzaBBQc.bat
Filesize
207B

MD5
1fd373f384a065341381881a6d4c3174

SHA1
c544d17338c036fce830c96069708da41182d961

SHA256
04bbbcc607a97561ffb5df4a60ed3bdb752051e628c4866eaf0b8368abaf1318

SHA512
4fa875ed0676c2ed7553bbb3db124d726900129db5f652e48da315089c2d2bafcb0efb4971afaaf7b1371a543ca7411b94a747b0456aed9a1e59a5e877324747

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
ecb2fa9c54a822f3015c0b60b5b8ae24

SHA1
40d65e45866867d96ff15f8cc50c16ae5f4f6cfe

SHA256
a13f8cd3919e85eab682a0a4f57748c38d1ba37fd283db05aab8f41c3de88006

SHA512
af3cc52d6a4705c834915d9f46ac02c8e51bfa575e52af952aecf6785de9f2052912930b165233f4c8e48c28e973a94f2108aab4864ffb98e07a755a8445d38e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
68387b8096e87d234ad55a61fd404163

SHA1
6421a198e8c331684bca6a735d579df45ad11dbe

SHA256
04b139c7f3e8a3c0d71c596d949441a81b4bbe450aa930fca3dfb572a84d2b1a

SHA512
8b5244aa0a200b8e909e25e48b3a8d343bdee3b644b67c7a2becb9cb958fcbe852010ac16b600eaabd4d57bb7b957d3e039ddf4032ccb0bed47b3a96a9d3a522

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/668-6-0x0000000005B10000-0x0000000005B22000-memory.dmp

Filesize
72KB

Download
memory/668-1-0x00000000003D0000-0x000000000043C000-memory.dmp

Filesize
432KB

Download
memory/668-4-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/668-3-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/668-0-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/668-16-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/668-5-0x0000000004EB0000-0x0000000004F16000-memory.dmp

Filesize
408KB

Download
memory/668-2-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/668-8-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/668-7-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/1612-17-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1612-15-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1612-19-0x0000000005F20000-0x0000000005F2A000-memory.dmp

Filesize
40KB

Download
memory/1612-24-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download