Analysis Overview
SHA256
1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58
Threat Level: Known bad
The file uni.zip was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Program crash
Enumerates physical storage devices
Unsigned PE
Runs ping.exe
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 07:34
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win7-20240611-en
Max time kernel
297s
Max time network
320s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2332-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp
memory/2332-1-0x0000000000DD0000-0x0000000000E3C000-memory.dmp
memory/2332-2-0x0000000074D60000-0x000000007544E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2532-10-0x0000000000C10000-0x0000000000C7C000-memory.dmp
memory/2532-11-0x0000000074D60000-0x000000007544E000-memory.dmp
memory/2532-12-0x0000000074D60000-0x000000007544E000-memory.dmp
memory/2332-13-0x0000000074D60000-0x000000007544E000-memory.dmp
memory/2532-15-0x0000000074D60000-0x000000007544E000-memory.dmp
memory/2532-16-0x0000000074D60000-0x000000007544E000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240226-en
Max time kernel
258s
Max time network
316s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1140-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp
memory/1140-1-0x0000000000100000-0x000000000016C000-memory.dmp
memory/1140-2-0x00000000051F0000-0x0000000005794000-memory.dmp
memory/1140-3-0x0000000004B90000-0x0000000004C22000-memory.dmp
memory/1140-4-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/1140-5-0x0000000004E40000-0x0000000004EA6000-memory.dmp
memory/1140-6-0x0000000005BC0000-0x0000000005BD2000-memory.dmp
memory/1140-7-0x0000000006000000-0x000000000603C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2920-13-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/2920-14-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/1140-16-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/2920-18-0x0000000006EC0000-0x0000000006ECA000-memory.dmp
memory/2920-19-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/2920-20-0x0000000074E60000-0x0000000075610000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240226-en
Max time kernel
263s
Max time network
325s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1412-0-0x00000000745CE000-0x00000000745CF000-memory.dmp
memory/1412-1-0x0000000000A90000-0x0000000000AFC000-memory.dmp
memory/1412-2-0x0000000005B60000-0x0000000006104000-memory.dmp
memory/1412-3-0x00000000055B0000-0x0000000005642000-memory.dmp
memory/1412-4-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/1412-5-0x0000000005750000-0x00000000057B6000-memory.dmp
memory/1412-6-0x0000000006310000-0x0000000006322000-memory.dmp
memory/1412-7-0x0000000006750000-0x000000000678C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/412-13-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/412-14-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/1412-16-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/412-18-0x0000000006800000-0x000000000680A000-memory.dmp
memory/412-19-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/412-20-0x00000000745C0000-0x0000000074D70000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win7-20240220-en
Max time kernel
235s
Max time network
298s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1684-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp
memory/1684-1-0x00000000002A0000-0x000000000030C000-memory.dmp
memory/1684-2-0x0000000074D90000-0x000000007547E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2668-11-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/2668-10-0x0000000001360000-0x00000000013CC000-memory.dmp
memory/2668-12-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/1684-14-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/2668-15-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/2668-16-0x0000000074D90000-0x000000007547E000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240508-en
Max time kernel
297s
Max time network
313s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (103) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vu734we2OULJ.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1344 -ip 1344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1680
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yFdS4VolOjWz.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1108 -ip 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E1aqvcsU9aj4.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4904 -ip 4904
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iRqknNNzZiaK.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1556 -ip 1556
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1720
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LNtx0poCiPiI.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4520 -ip 4520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 2240
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyU6sl6onPFx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1900 -ip 1900
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyOBIYGGGkWF.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1984 -ip 1984
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1700
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OI6qVMGhkA01.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3812 -ip 3812
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 1724
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwaCQjDre3Qg.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2412 -ip 2412
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 2180
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dpCBHwA7FKTx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1156 -ip 1156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1748
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VQnK8sRjLK0c.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2832 -ip 2832
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8MqXMKswU28b.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4232 -ip 4232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1732
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LataZ2zo82mB.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1728 -ip 1728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1708
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/4592-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp
memory/4592-1-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/4592-2-0x0000000005C20000-0x00000000061C4000-memory.dmp
memory/4592-3-0x0000000005710000-0x00000000057A2000-memory.dmp
memory/4592-4-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/4592-5-0x00000000057B0000-0x0000000005816000-memory.dmp
memory/4592-6-0x0000000006510000-0x0000000006522000-memory.dmp
memory/4592-7-0x0000000074D3E000-0x0000000074D3F000-memory.dmp
memory/4592-8-0x0000000074D30000-0x00000000754E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1344-14-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/4592-16-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/1344-17-0x0000000074D30000-0x00000000754E0000-memory.dmp
memory/1344-19-0x00000000065C0000-0x00000000065CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Vu734we2OULJ.bat
| MD5 | 35f55b2fde4a22bb9b9885b27606cccf |
| SHA1 | 8fe9e796d1116fd3f227a29f1a8d796e730e26ec |
| SHA256 | 01a7aea4af0e4b3cedd093ea4d8403bd02b8ee88455e7d9edbee15b8fd262bc7 |
| SHA512 | 3d9fa5eb9f967cc002a8a235274d2a4448b1a0353a579226ddb580ac71c5ed74ef8a4324df7efc397ab455e12265b1c342edd697ee62d4bb70cfa814e67b55a0 |
memory/1344-24-0x0000000074D30000-0x00000000754E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\yFdS4VolOjWz.bat
| MD5 | b29929c71bf66aff827d5f1a0912b15c |
| SHA1 | facdb738f21b6bdd6cbe04e16d444bded9a783c6 |
| SHA256 | 01bf86b535ef0fd76e74543c15b081bdd204dd02482457f248866ab85dc414d2 |
| SHA512 | 92c0ab288bd355a0096c9c5e629930ad1b2564330fe0bae79901b156c623f918753b122402a3b7ccd8c6fcdfc3af4f636ecd1e5264e8e9af8dc0395002194d60 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 0f22b3e9adc37eca2e3f4e4421c90584 |
| SHA1 | 3c98f7d4921d456e1fef0536bab075b7dd6802a9 |
| SHA256 | bfd09b125977f800373eaffe18c8a5700c3fb3a652be082cb1daeb6da3e1bca9 |
| SHA512 | e9d6c666c14345b83d6ae25af69e3a9d92c90920815db2c1a0e09983b675339cfcad4e631f17a98ce171cff614b335061579f4c879812d50480a5ae71e638b83 |
C:\Users\Admin\AppData\Local\Temp\E1aqvcsU9aj4.bat
| MD5 | 2f2d3da11850ac74a01410fd124fb3ae |
| SHA1 | 63bd04fe4507d00a44b8b2474c0c986ebcdf91dd |
| SHA256 | 673d75050e942a7e7a068a9f641217a202aa3b0fbe3a88866117d8d425d9e694 |
| SHA512 | 4461abbbac0dac733b563d199f130aaf6490372365879724f14cc7a441862363c151501b7afb16da522429fe8ef6ef38f90f40c19d378261fdf15416d5e07b80 |
C:\Users\Admin\AppData\Local\Temp\iRqknNNzZiaK.bat
| MD5 | f296d7ad0562a3c997f8e2ec0e2fabdd |
| SHA1 | 2e97122f1ceb990757e56dd282b34830ddcba0d0 |
| SHA256 | 22d39e6a9954fe3459e954d0eae5976a65b5feaede5eaf89b258e32a71991f16 |
| SHA512 | dc62c9f47bdb35dc711f8c3d733c84605fb428ed2c936f27d822284dc850b435f5e5f8710ba4b6ea47f3e3f909dbb682c8574e2679f7389827768a6eb2f4bf30 |
C:\Users\Admin\AppData\Local\Temp\LNtx0poCiPiI.bat
| MD5 | 6897926074c9900ad7e423c4507b5d74 |
| SHA1 | c3c100dbf7aa6b3a025a8a15a94d0b11c3ead5f2 |
| SHA256 | 86a838d8f1474c8de577497693458545ea0ceff50b990c1f2b52dcd3142d8467 |
| SHA512 | dfea7cce6aae59950130bb9ab73fa89462e0b879d2eb5eb7db92dd021cf67a28f2fd2e28a506200507e9d6dd928d3998901f2040b7dcf88b3fa1677211f02897 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 1ddc66fc9c73db07581bd838d85fcf4d |
| SHA1 | f5ab114008a4594c7ea72a7b24d1aec4e0e79536 |
| SHA256 | e9d22af378ed71e9cff342c63f9fdc65c9fc49988fe8fd6b47c640d873627184 |
| SHA512 | de1626a99b3087555011921f4721c1dea8757a3b914731120889198ca8dc6e6ec5db85884a31e730d799ca5caa8439b8b4554914fcad08f13105487550e5b8c1 |
C:\Users\Admin\AppData\Local\Temp\DyU6sl6onPFx.bat
| MD5 | dd9de4defc21e2dc54dd565a217eded3 |
| SHA1 | a68b5bdbe87ddbcb259b05e5efe45e26395b6c2b |
| SHA256 | aa298c99ded14fdc81a44f7ab731ffdb295b9dc54bbaea4abe8822d248ac9139 |
| SHA512 | 41a933595f78d7d4234ffac445b5c566fde60b43c6b7bc5b08920d027fd07cedcfec00f2ba6fecf4e9ac47452fdc3cf75358fca555503f6a34d098e002e0f7e0 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d9e5369dbff16d693563dffaf11a2ce7 |
| SHA1 | fde9c7420a2ab7efc6d80d802102df9e6867168d |
| SHA256 | c61e9e9290eb86f1c422ea60465cded7065f935691a0be30837fb62abe2a14a3 |
| SHA512 | 4bc4afdd7ec2031e79babc7bc0b6bdb8ad8fa684e3198a21b029488545141093a61447d5553d973f740885fdb84ebf7e214c91c6672ebbbbae129916033146ed |
C:\Users\Admin\AppData\Local\Temp\zyOBIYGGGkWF.bat
| MD5 | b7d9d8d3c33e5ffd26d646d8e7572dcb |
| SHA1 | d92234fdd7f1d343a2357ed1f09c7f293c12f7c7 |
| SHA256 | a1809f6c7acddc05f0d44316bc31cd83fbf7b19694aac1e3cb4c3cc460d4d295 |
| SHA512 | c4d9778333278b05b8eab0ec2b1cff2e404df707ecd45efa58a506b3bf45c2ce1f579bc57061a606c028a7b25ef2efd776ba0980f4f767acf23480a844a6db4a |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 9262161f4352c63a61e1df9130ed2a86 |
| SHA1 | 2de05636d466f82be615d507f284964ab185f796 |
| SHA256 | 49e65fb881d6b6fe6851d10b325fa325fc0fb5a4ec47c7e8c11f2f3fcd4ee1f5 |
| SHA512 | 84c5ba0dcc6318be42a5ca41f3c8dc6db616caac8a57de6bdac8a83c69a7f148c623ccc68e60ac439c8bb48446dd5f9482c0fb06e2f6a7be0a306525042139a4 |
C:\Users\Admin\AppData\Local\Temp\OI6qVMGhkA01.bat
| MD5 | 737cce646781fef14dcce90bf2787a6d |
| SHA1 | 0bdbabc9ed5deebccecdfa45fd028faca4f741f4 |
| SHA256 | c51e33d65b88e749a69a9d9135af8e582f58f9e88f28adbb6bd82f8259607964 |
| SHA512 | 60de1cdca3cd67477d8a132710af6bee6d7a52a8b6fc44105029b252845bfcf5c48520a183999425fe5531c4935aa580f5fc3f2471292142e491be18609596dc |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 9e04868ba28b2548ca5652e484ac3bfc |
| SHA1 | bdc3919339f96aaca110cf4bcab5636950be89ae |
| SHA256 | 6d620485d3a3a46086a2c378062fb51110bed9594c42fca35bf52acacfaa7066 |
| SHA512 | 952c0dfef770dc430e9f3a617c9c3fa8aa634591b50054b55e87c73d045adcbc6b24760b6ee8f46c8e765dc3eda2992d7f364188f961d67e339ecac876ae79aa |
C:\Users\Admin\AppData\Local\Temp\BwaCQjDre3Qg.bat
| MD5 | ada6f7246bbc70ebf02c0d2c267e7c69 |
| SHA1 | b3078767a06eb5b98f1aeef8ab1699a788d7cccb |
| SHA256 | 0d3fd1cbce9888f364bd14fc72a4fedbc3ea630286e6650ccd24eb9e34505189 |
| SHA512 | 14e226c54518140f22576282a4c3220e992d6fa5fc8b9ef9ca49ffde764ad91fd07a67e7a34a6aa6ed00ea005cd348595da58277c7beaec8551baaca143f288b |
C:\Users\Admin\AppData\Local\Temp\dpCBHwA7FKTx.bat
| MD5 | 3dfbba1ccf4dcf6e8a5d26820dd39cb3 |
| SHA1 | 1c3a0bded719df9f021a99c0514df6aede6d7f8f |
| SHA256 | 41a9d3eeb199aa12e2d838092e4e0577fa594d988d0c9ce55db45b3056831e20 |
| SHA512 | e82f1ea11cbba1830fc2311f5eafb11d0f2fc2a4b79f35038a330f5e02dce97a3ba2990a979d6d474c2004629da54504f520f4803cc29c25d00621fc14b13eb1 |
C:\Users\Admin\AppData\Local\Temp\VQnK8sRjLK0c.bat
| MD5 | 0a5e2fdb1e83bce45557ef844436cdc7 |
| SHA1 | 4898d8b88b2d3e539de3dceccb554212f99b00fc |
| SHA256 | 09aca1a4c57b9c20b1587edb0a8152511d4f30ad42c79663fe3eccb96777edc7 |
| SHA512 | fdc3dd3ad6c6a0134041419f4d7b2e5bdab73f1df350af95ccf05dedb950d9db4e5e4397fb5f9341aeb8a6f9d4d1d519833dd6998cdbafd1927ce25f0afb71b6 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 732f0ed09de35d97cf8252a737f43b96 |
| SHA1 | 6305f8435bca3550912417f7be6e766c7ebf6b32 |
| SHA256 | e087cb24144e75ab1c50dccd34493a2c7064f5aa1445f4d35d9620dea140373e |
| SHA512 | 0b981baa9f5156349b150dc7e3e2da73eda3a69e660eb2e81933ebaa2dc8af205ee21b8cc464bab09bd6cc3e13c06b06464db89a36c79b7e49155c349eb7e3e6 |
C:\Users\Admin\AppData\Local\Temp\8MqXMKswU28b.bat
| MD5 | 9e4c99f8d8294c8505b6e246de85a9f5 |
| SHA1 | c7516450fc9e4ad4825e41f54d5cdc11975f2bbd |
| SHA256 | 048b5589cbbbb96b4e924183de80b834cb55f9d99839866148c373df423ba7fe |
| SHA512 | 1ae8c48a12deab858e38375a3bcab57510e476336cce9b0928a25ad240c488170684677bce77549a97cef8858e9bf33e47a57165f11f11d2380d29517d9067a1 |
C:\Users\Admin\AppData\Local\Temp\LataZ2zo82mB.bat
| MD5 | a75835aab28ec7f5ca674eff57324150 |
| SHA1 | cfd3848d353f6d9b304ff7fc8e3eeefa01a93cc7 |
| SHA256 | b638b7b32d0b205df732b8f7cd196ec9363969b7699dc6ea7902fb61114cb246 |
| SHA512 | 688926df92d00126e2f9babc517f3fddafbca345dd2e03e71fec722aee5bd6292c1a7c83c42896aff968824e43320c5159d6b48aff89e4ea4235acade64e53d6 |
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:39
Platform
win10v2004-20240508-en
Max time kernel
296s
Max time network
307s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (104) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hfswdr8lintl.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1192 -ip 1192
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 1644
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ShXBnNwdbjnG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3336 -ip 3336
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 1652
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cLhuMg5f8stM.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3836 -ip 3836
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t8dHDo9Nuj5R.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 448 -ip 448
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 1088
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GxC8eQXjhChJ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2496 -ip 2496
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1y6D4DhB9Wya.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5004 -ip 5004
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUqTjoFYvtMx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3208 -ip 3208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1660
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DNSTa1DoWBOD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3988 -ip 3988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3TungksLvD2y.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4904 -ip 4904
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZNKXJizw2Jm9.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4768 -ip 4768
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d4aIBjA6xj90.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 892 -ip 892
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYi5GqOqhU8Z.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4688 -ip 4688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2BRHRUhaBlw0.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3736 -ip 3736
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/4988-0-0x000000007515E000-0x000000007515F000-memory.dmp
memory/4988-1-0x0000000000EB0000-0x0000000000F1C000-memory.dmp
memory/4988-2-0x0000000006060000-0x0000000006604000-memory.dmp
memory/4988-3-0x0000000005AB0000-0x0000000005B42000-memory.dmp
memory/4988-4-0x0000000075150000-0x0000000075900000-memory.dmp
memory/4988-5-0x0000000005B50000-0x0000000005BB6000-memory.dmp
memory/4988-6-0x0000000006730000-0x0000000006742000-memory.dmp
memory/4988-7-0x000000007515E000-0x000000007515F000-memory.dmp
memory/4988-8-0x0000000075150000-0x0000000075900000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1192-15-0x0000000075150000-0x0000000075900000-memory.dmp
memory/4988-16-0x0000000075150000-0x0000000075900000-memory.dmp
memory/1192-17-0x0000000075150000-0x0000000075900000-memory.dmp
memory/1192-19-0x0000000006140000-0x000000000614A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hfswdr8lintl.bat
| MD5 | 8ab8454f4439004647873fe79bd5b8a1 |
| SHA1 | efa005206e8afe4530e09525ebeb27cdd42d93a0 |
| SHA256 | 0da9f292c811dcd90e984eec5242e20077c6eb5b7ea49590671c349a3f618c3d |
| SHA512 | 048c95345396396ebd2cf3097333ae1c157783e963c8909cac3f112db770ae409ca8c628301ae61d6244156ba91d710bdc08c20cf2ccc3eb9e16adc50d0ddb1b |
memory/1192-24-0x0000000075150000-0x0000000075900000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 07d3d1c7ac0a87409a0ad826dd71a775 |
| SHA1 | 39b001a1bb418373fb47986d8a8f3fc3502693f1 |
| SHA256 | 048c390a4466f59e3910b2f101c3b8f9861cb6ea9b917158fca21db646bd882e |
| SHA512 | d733924aec5e78246bc0930a354c74dc7617efa6b52cd5896cec241ece538ad1013e01ae3353de4012a5fe93e35203efcf270420d6bf17a398481954651b28d3 |
C:\Users\Admin\AppData\Local\Temp\ShXBnNwdbjnG.bat
| MD5 | 9b75503c062bf22ef32fd5847581e1c4 |
| SHA1 | c129c570de9aaa4e87a76048979d34e1d13a762d |
| SHA256 | 5e05c47b99982cde12d3c4a05effe913e4898b57fa890b9ae19071ae01277ca1 |
| SHA512 | 7c6bbf6791b610cbe89f4b673f766551d1fbf42c16d032cfd9ab81cad02e06888959467859d434914aae1be897df1d3dbc5467637eaaeeec563893311c1dcd00 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 4ba24431cf69983cbd9fc5a9976299e3 |
| SHA1 | 3827778c7e1a87fe36f7a3c373033620c987e168 |
| SHA256 | 7cac4be057154f4e4bc60a3e0cdbd35845212bb6c01cf851382dbb35e169d0ab |
| SHA512 | 6031443eca6b2fb902d64cfd7af363be8a591576602358d3556dd6cbbd2d684e30d6a1790aa37b8c071455e1d9466638f0a174c63ff76b2143ced97701ce0ca8 |
C:\Users\Admin\AppData\Local\Temp\cLhuMg5f8stM.bat
| MD5 | 96971dbea60f25ea580b23cdbc3d34c1 |
| SHA1 | ab349c6806b97fc7c1967de0842768e65b84e4f7 |
| SHA256 | e267d97ee1e3a64efd08b458c020d85bed2c038ce3f3d3d9ecca0277b7c7b3b3 |
| SHA512 | abc529d8c138d136de1647ef62f44ffc9032948102117fe9a4a33243e893474113a77f7e3b0a6fd08c267e871ffd13d4ee2b1f9ba18f1647036d5dc48808f3ef |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\t8dHDo9Nuj5R.bat
| MD5 | dc425f6c5306531a47d127a06fb0dd93 |
| SHA1 | 96299edf2b10df827e177488a0902226d47765a0 |
| SHA256 | 38034c982ecabbbeaae7a63a5165ee531fa6208d59dcb8871109861d430fdd8a |
| SHA512 | 31edead38e8b8406f3b523902bd74bc039840f6745ebcfa4edb0cfa77828eb339ad61ca1518201fcc0cba74c4c8377c1d0cfa53644081b0f374541a7d4500c77 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | dfd28260c15cc7b8a32f19e8518aac28 |
| SHA1 | 19cee6d9a5f6094a7802810ca76f9a62330f993a |
| SHA256 | 492c6dd013f313b1f8aa598d6a9d84203cf1ab9f7bb77dd948d838e4f16b0b0a |
| SHA512 | b5bb93946d58bab2e06137d9531ea572576c796292fb5e5e84e3a8a31f9c0e0cc157b7796a308b518e10f396687a9aade4b3a27fbca18726c9b996f9504f259b |
C:\Users\Admin\AppData\Local\Temp\GxC8eQXjhChJ.bat
| MD5 | b15eeb769a63bc5840cbfdf92b0fbdba |
| SHA1 | ac15cdf20dd40b28d14cd847935f2883981faf1e |
| SHA256 | f33349e85054b07ae46b0c5e57f2312e724531682faa224b207ecd7e17bf0f04 |
| SHA512 | 17ab7aec2b3882bf536f7a7a22af91f9e788e41ca8c32c65ea2e3e4d38309653f0b0a5ec99f7a78c16f2418bdd2c9d0379eb1b0326ea36a46086211307e66c93 |
C:\Users\Admin\AppData\Local\Temp\1y6D4DhB9Wya.bat
| MD5 | ff729cd4b8471aef7c5de6b5ac383654 |
| SHA1 | 21b7cc88b12156e71a51751b8bd3b350cbfd58c9 |
| SHA256 | 341be5e8e589d6bcf786b2b924330100325adbff3c38aa5069f49953b736fa15 |
| SHA512 | 2bd49449b4195737a112e15c1a580d1c8294ac7ae878f35ea117f4aaa520b2f5431f08b81aef8fb41389c880ba917279595c786f069f30d7520865d1d8e2ef7d |
C:\Users\Admin\AppData\Local\Temp\lUqTjoFYvtMx.bat
| MD5 | ee65f909a42320cd25facb7a774f7b13 |
| SHA1 | eb8f099fe540582ab7a7114d83693c671fc7657f |
| SHA256 | 891bd923207d673c8447a8734adef8a7338c86e41d9f88f80e4a993b38d6cdfc |
| SHA512 | e1d47ed1074322ba12fb8699a22155c3a5e019fd5634d8303ee9e4ab4354887ed830dd0752765e27d03fe1eac0c9d2e25af4ec4978b2fd3a78683812a8c4857f |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 8c86ef7dbad72c7a9792aeebff894224 |
| SHA1 | abea55edc73e8b34947fc78a6982065aa0f98c92 |
| SHA256 | 3ccd67e71b853db40a9ed33a9ef761819b5e681787a9541117dd84ceb25aea52 |
| SHA512 | 069a6edcfc2e500684a856ad851bc0788ceb260a9727277541291d384ce35824495ea6648dfdf86df9da4a79ea43f7e8b3d7abfe8352a3c5dd212f64a957978a |
C:\Users\Admin\AppData\Local\Temp\DNSTa1DoWBOD.bat
| MD5 | 3170597a48d980d8fadca5dca674a3e8 |
| SHA1 | cd68a5705fb7509efddcb481949d0a97c059b525 |
| SHA256 | 445e38b58db04b493c5d1d7a037a7d9d49205e8b9d928c10647978bede7d43ec |
| SHA512 | 401695aa768def9417b8e162374a8ac96518fd2bb9f32bdaeb27c4d95db8e7c8fb94fbaf6c270c7992848414060ea340be649f80b6948db104fe232a80d88846 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | b201c19d8b06664a6e682924b3650d42 |
| SHA1 | f139fb97489348430518e0f84265fc138513c928 |
| SHA256 | 650867ad52631b1163c977868204825a5e80ffad5c2846b55d5ff9705be77c2c |
| SHA512 | 1c34294c941a4e8b864526f69fec95dab00e7ab6b2e4ec6d55ceae3cb26ac6798b15a04cd283b8ee0d7ae7eb41c284c1a421e225fe1fb898fc70b225f3a353ac |
C:\Users\Admin\AppData\Local\Temp\3TungksLvD2y.bat
| MD5 | ad048752146a3890564ad69b73c7eacb |
| SHA1 | afef07c55e671cd38cb94bf46cd23d69c0ef7f5a |
| SHA256 | aeaf3a30864721209eadd431efb339e16afa48bb44ed134d76466d4d655c9f6f |
| SHA512 | d902a63d5f7a273aff8ca56e8547bec45ce2c77ff041f4bed849ef8a77bb0cae58aed062c68ba44f932403722a94412322617dbfd089e38fea4bec0c19bb4493 |
C:\Users\Admin\AppData\Local\Temp\ZNKXJizw2Jm9.bat
| MD5 | f80a65c5d9b3111815d8ed2325d3d5c0 |
| SHA1 | 1a6c22ca77ea30d60ee95b3664d4f5230ca2d8f6 |
| SHA256 | b3c059506fa0ced9265a69fccf389bbc2e81bd59905a5df98991a8de10d09796 |
| SHA512 | 1d042c1e48f14f3c6485400a126247c4bd06eea281b9a168014608a9bc2e60ca759ecfc50d0bdb3ec21db3c33130cfce29c3ad2e4c59e719d52a1a6f36d8e334 |
C:\Users\Admin\AppData\Local\Temp\d4aIBjA6xj90.bat
| MD5 | 969650477f980766a10621d7756a9653 |
| SHA1 | 777111f22eebc32202c8115145034bb5535df703 |
| SHA256 | 4603ff1457eaa2832d7575ce5404bf1da512491bc0c428d1e7d0c741dac5332e |
| SHA512 | 74deb5d0dc9efe6d3fd581bfbe5aa8d58374c0df86f4e9020c1bad25f250dae23557632b8ff5a0c1c0672210f6170c7549f6b4655b27acc43e12d94ab6ca60a9 |
C:\Users\Admin\AppData\Local\Temp\GYi5GqOqhU8Z.bat
| MD5 | 8e5db6be7d372871a5846cffe8b892b0 |
| SHA1 | 1630b3550bcd281e52c040a8359528572f195369 |
| SHA256 | 290fac87c767f3c6b7c19b0e56faed831e0a06b9556da9f70e9aaae4ac05f8dc |
| SHA512 | 7e168c315ef6ba462aa6255a88fef7f8a435ecb8b65f2ba6e0fb792a6059913dc306c26a87f0ab7aa15a6255359e38a0c3914b4ebc9a5d8852d220a30a76d304 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 9ca8a70037a925935b2377221e99e9d2 |
| SHA1 | 8883c54085c297cc53a80e2dc8dd89518805afda |
| SHA256 | daccb1d03623c53c5cb0484161f6fa3986cff9c51dba771b2be515393e67281d |
| SHA512 | 194628fbd44568d98fc266f9d5994f4d9671c7e8d5d8dbe8f513d2157f6a28f0c8c66d480872750abf9da6033fb55260325e77de2938fda0d029171f70ff4ea6 |
C:\Users\Admin\AppData\Local\Temp\2BRHRUhaBlw0.bat
| MD5 | 2544442d4630b2ac34b9e17b3cab0b1e |
| SHA1 | 8463cbfd865eefd13dc657f1e41a33b1ac8268c7 |
| SHA256 | 5e4537c2efc1bac2f08785e292a0c9cb63c7ffa0f0786d6d26370392d5464cbc |
| SHA512 | 26114eefe7ac68faf502633f44d00e6f3d18a10aa27f07fe3d01009da1f5b553aaea0a5b8e597b7201805b8304587df74379d866852f2c076f2fb2986a0bd81d |
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:39
Platform
win10v2004-20240611-en
Max time kernel
237s
Max time network
297s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (104) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| BE | 2.17.107.203:80 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.178:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4100-0-0x000000007482E000-0x000000007482F000-memory.dmp
memory/4100-1-0x0000000000EC0000-0x0000000000F2C000-memory.dmp
memory/4100-2-0x0000000005E50000-0x00000000063F4000-memory.dmp
memory/4100-3-0x0000000005940000-0x00000000059D2000-memory.dmp
memory/4100-4-0x0000000074820000-0x0000000074FD0000-memory.dmp
memory/4100-5-0x00000000059E0000-0x0000000005A46000-memory.dmp
memory/4100-6-0x0000000006640000-0x0000000006652000-memory.dmp
memory/4100-7-0x0000000006B80000-0x0000000006BBC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4864-13-0x0000000074820000-0x0000000074FD0000-memory.dmp
memory/4864-14-0x0000000074820000-0x0000000074FD0000-memory.dmp
memory/4100-16-0x0000000074820000-0x0000000074FD0000-memory.dmp
memory/4864-18-0x0000000006C00000-0x0000000006C0A000-memory.dmp
memory/4864-19-0x0000000074820000-0x0000000074FD0000-memory.dmp
memory/4864-20-0x0000000074820000-0x0000000074FD0000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:39
Platform
win7-20240221-en
Max time kernel
236s
Max time network
294s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (103) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1312-0-0x000000007436E000-0x000000007436F000-memory.dmp
memory/1312-1-0x0000000000A10000-0x0000000000A7C000-memory.dmp
memory/1312-2-0x0000000074360000-0x0000000074A4E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2596-11-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2596-10-0x0000000001000000-0x000000000106C000-memory.dmp
memory/2596-12-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/1312-14-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2596-15-0x0000000074360000-0x0000000074A4E000-memory.dmp
memory/2596-16-0x0000000074360000-0x0000000074A4E000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240508-en
Max time kernel
300s
Max time network
314s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (103) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGHKR4SQvlgD.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5028 -ip 5028
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1628
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w2B8G9zFbPpc.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1088 -ip 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 2168
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SK7BxJnKIBwA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2416 -ip 2416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 2196
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reprA7nklcQx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aieigN9e82ft.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 372 -ip 372
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 1732
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xXDY7zXzvVGl.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4256 -ip 4256
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 1084
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d295zpv3B4xE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3984 -ip 3984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hjQrqr6D7UK6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3124 -ip 3124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkKwGeGfZobN.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 332 -ip 332
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkD1hRQ729se.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3056 -ip 3056
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1668
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uF9YZIpAIiZ7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4496 -ip 4496
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9Yw6eDHoMbsG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1852 -ip 1852
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yremr1GEq2M3.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 228 -ip 228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1688
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcf3bFmABMPU.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3280 -ip 3280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1528
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/1128-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
memory/1128-1-0x0000000000230000-0x000000000029C000-memory.dmp
memory/1128-2-0x00000000051E0000-0x0000000005784000-memory.dmp
memory/1128-3-0x0000000004CD0000-0x0000000004D62000-memory.dmp
memory/1128-4-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/1128-5-0x0000000004DD0000-0x0000000004E36000-memory.dmp
memory/1128-6-0x00000000059D0000-0x00000000059E2000-memory.dmp
memory/1128-7-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
memory/1128-8-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/5028-15-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/1128-16-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/5028-17-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/5028-19-0x0000000006EA0000-0x0000000006EAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iGHKR4SQvlgD.bat
| MD5 | 720e3780dfb673ed03dd8d68cf108be1 |
| SHA1 | 017a1a16ace203ef7b500aa5b932d70c8426ac0e |
| SHA256 | 915ecf91ee41c02d6a636432c0b78c832b8d4a954d215b4237dcea1101ef2435 |
| SHA512 | 8b83f387cac7ab13e5688a21d0da58f2b56ce3c34c4e4cff363f640a3fdf737077dcb57ff3990144aa44ec76c5573078750845cb2c584a2f0257789ff96c04a4 |
memory/5028-24-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | fe0b11d8ca857d2d5cd86e6b83806882 |
| SHA1 | 8d2315942619d562dca81a5df1247f8d78b343bf |
| SHA256 | 9be5ace470637e441f3619264b739707ed9a407863c8ebdc28ad0ed129a1efd6 |
| SHA512 | b4328ff2e884f72ba0f763917c8fa48667d6802b017d4e8ef173f8bac7d99af02fcdd6cf0ef60ee7552b1946d8df4be9942da30671a2946d5077ebdf6b8c1465 |
C:\Users\Admin\AppData\Local\Temp\w2B8G9zFbPpc.bat
| MD5 | ab05b51e592fdaa7c5240299707b4fc6 |
| SHA1 | e569070c3f296d66da4469a41aabd3757f0efaac |
| SHA256 | 50128514f7e691f466b5fa48b1df9fbd5657128f133b2e20527723ccdad2d0c1 |
| SHA512 | a2cc1f5181d76c24e42189ce486bc6570385692fcfeb420af0faa12e881fe1255f76794b38d533f22abb4773720991d23ed0a2e9affdccb08edde321e0554c5b |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | caee8548865a5425542896bc04b927ad |
| SHA1 | e85cedae7a891294a832d2bb25489369a74dfe0b |
| SHA256 | c24cf148fecdac8ea9a4bb7b19431d6ea99ec919c7e1ad2e4b3077646a8b031f |
| SHA512 | 60f146fff145f04c91b36230eb6b804c0a0d88115a8277bf4d75f96b2d57add1cf2e1ff01f06804057bf58166c3a131b6136cfbabf934f3def78a81bf4274d3d |
C:\Users\Admin\AppData\Local\Temp\SK7BxJnKIBwA.bat
| MD5 | ad63b405eff6e8b250938ed45074d8f8 |
| SHA1 | 98471d535143a67cb920301fa9ac6f32bea08518 |
| SHA256 | ac66587c84e47644880236e8661c06cc55278d07f13214e07a2bd62b83a4e507 |
| SHA512 | a8ad659c438591c21135fbf68b05a124ae5e4bf5a8cb47de280e037c019a8a33c9b069adfc3d0228036383df8c6315efba8f1389d0de1052038b1c12bc1a8b79 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 3ce08434d995b85e607e3c740158c231 |
| SHA1 | cc1ed8f45b47b090c63b3d621dc6d9e85dd864bc |
| SHA256 | 9272e39465fe3e451685abdd023af5ffc082695fd7b27d854c2a9e47549b0c55 |
| SHA512 | c5fb2607db79d933444a46f36aa9d5740e21669803c448d0b03fa027510bdbb4366a86516b7f7c478dc1a809e499e6ac2712eb45474b9dc6b98d163c1aceca80 |
C:\Users\Admin\AppData\Local\Temp\reprA7nklcQx.bat
| MD5 | 729fbfd877f58d15e31dfdcfd9535255 |
| SHA1 | b87250d46157e775d9455173aa49245036929927 |
| SHA256 | f6cbc91ebff29d95ddc1363c23ececcf3d2687d12b0ce6619b4092556835ac9c |
| SHA512 | 05d469086653615ea1ea158f915b55cf43aba702d10c9f7669e807eb7c4f58cb13ae9ab93c3f3ed2d1e152bb10bc764dd125d87e1b8f760fe5f9cf98e22d50f2 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | e43709ee5efb4505827605b5bfbbd919 |
| SHA1 | dcc4407bc0bf7453511cc647c2ee330f4a4278b2 |
| SHA256 | 122c3e037e6b77ca47c3c4e48b4c736f2c0b12f87fb946a2ef9f0631d426ac6b |
| SHA512 | fda7e1b6c364f7e32ab218bbfb5609a5a0331c4d5aa7d21049f9831c25d9b929b7d0597cc3e580e6483587c4a6fc3b56735477b53cc8c9474be35c14fe844739 |
C:\Users\Admin\AppData\Local\Temp\aieigN9e82ft.bat
| MD5 | 19aa63db2e02a14c3711b93d0d9e57ef |
| SHA1 | 40ba7d7f0a77814e8eefaca5b0f2082b28f2a4f6 |
| SHA256 | 70f680f4336a1ff6f3cbe41ce4bfc2a08d44bbc1ddece8d9f684da82f407943f |
| SHA512 | 2e606402ab33e9c45882af22975fac1f5a6c61738ea4ee115d29a63867f262f94a0a0238bbbfe3ac8697ccdec5455204246ab0365034697dd8be7c34f70af01b |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\xXDY7zXzvVGl.bat
| MD5 | c4b825dc7fd1262b69c12fe7dd185275 |
| SHA1 | 590094e80a15ab455c149135d0627eb866167c08 |
| SHA256 | 4446b4b12a458a2f1d6c3b8f197849b9de707008965c31ce3c251746bb9e4f58 |
| SHA512 | 3a2f2af0393e8527a8fb9d9b9c582721ba62474723caa39f17a376cd95b509bbb7fbf1de5d1e94300319777c18ed2c03991802498300c48824d9113dfd8899b0 |
C:\Users\Admin\AppData\Local\Temp\d295zpv3B4xE.bat
| MD5 | bba948fc2d7f939b7ce9e563c9ca9a44 |
| SHA1 | 013fdaabc586ffc10f39f73c4ced374f1446d23c |
| SHA256 | 6da351031f27b33edb60fa1ff1d76f4400d0d9c3d53fe652a66a02178b440c88 |
| SHA512 | 76c13047b1e2f604113c0b036b5cc4b20ee302c7f449dcb4cf506211ad4a6fedda0854fb2c7ea02ac1789c9b5363f7654ba86875cecef0c6cfbb5761abe89071 |
C:\Users\Admin\AppData\Local\Temp\hjQrqr6D7UK6.bat
| MD5 | 4e51d49b7a26d7dcf1b2e38ac85a730f |
| SHA1 | acd150f86c862b1d5413627619458baabfd89de7 |
| SHA256 | 75686d1f2657092d4500ab19f16d4e84f6a81ff085ec2554ec9e23752a995c2f |
| SHA512 | 6a5450f6f0f13f163460de69d7486be6f52fcc1a36653ad844c3c891a6bc453f9f722de33b46d11ddcba2c6d8178780ae3ddbfff990641f4ff94f14c9655c4de |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 0eaf184c6803cde8c3b7f191a2ea4a79 |
| SHA1 | a8058c330f9a88b060f2ca12d5c0f203352af096 |
| SHA256 | 7205d46f9a5a77cc7293d676d1a688683edfa065bddc44fde727df7981825048 |
| SHA512 | e39c0f21e8ca0317171ace8095e2c493f1c0a6129bb565973efc290a797f0f9abe613ca8a510c0f3c7e3e023fe340cdd4b6e8de256cd71ddf9810a75fd88caa7 |
C:\Users\Admin\AppData\Local\Temp\TkKwGeGfZobN.bat
| MD5 | 54d682b8263b22050e41c68b9bba95db |
| SHA1 | 51a72de50262a73c5f90f4f74cb1a49e2eb9ee29 |
| SHA256 | d8956ee92cc61e7851142b11a2d1141fdd49f82f342f584ca14368b4d3179171 |
| SHA512 | 221b60cb7469eef7e9552d31a1a29affd223530cd82d3fbd0a12fb84a3f9c76135aa4cc3333f7f7a01606ad6c6dbbee5de60590d7a92663a3e699ebf4776104a |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 890bd6bdcef936ccd28aea7cbfa99e29 |
| SHA1 | a150f21958ea61cc429b3c3bb88c8a4ef46f9347 |
| SHA256 | 6531a1f589543a5a032b8b0d307771609fa480b1f510dd6f6de7ceb43a5a1922 |
| SHA512 | eeeacf7c1f8da70ac8afecb8d9b162f24bc002bc5a422a9aae0b7f7f7f0fd426ae3da59ac249f0104215818dd9ebbdff46fcb46e16109b015cf27435c4f41752 |
C:\Users\Admin\AppData\Local\Temp\EkD1hRQ729se.bat
| MD5 | 878900805b5f75f8e6d67a7d9dd0b012 |
| SHA1 | 49453b0f6b49d8d1bc31f6cc1fba5401ce26e1ae |
| SHA256 | d190d480b69769701d6bf459cd27e121d0c02f886d4aab2e206421fd9ab364f1 |
| SHA512 | f13baf98761f2e88ca8584a32df944873d6380451f119f4dc958ec898514250bc4456a546b7a61c76732fcb2e67611da23e6f6cce8b10602ae15f53bcc854dd1 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 77f44a0088eabd4bfd127299f6325980 |
| SHA1 | 66258bc025a3ee7bd3d3235398b5410d48c20e6a |
| SHA256 | c705e92c97715e1ff5d6ccb7b4af950ae2a46fec2a1e8755bbc4557aa6504003 |
| SHA512 | e0d40f955180605b0c52d7cb1b5657e50122056748911c18fe374bae76844aed557c39db8b15e3e9b113abe4f466643c1aebdcb64089207c3918f872cd3e6d23 |
C:\Users\Admin\AppData\Local\Temp\uF9YZIpAIiZ7.bat
| MD5 | 68661048988b29355e7aee7fdaf475d4 |
| SHA1 | fe6f1405c566616b357097c80318ad3597bb6f0b |
| SHA256 | d8f4a68e83895a10847d3415eafe5d1391054f1143271a2278fa8d5765f507f9 |
| SHA512 | 9c24efaa35cbb86bb5a5c18ca6d5b966e6f53d81a05c182a9855cf6e02401efc860d0ac0185bfb4eb6eeae7204e60ddc71d86378649f56eac31a4021de5f9d7d |
C:\Users\Admin\AppData\Local\Temp\9Yw6eDHoMbsG.bat
| MD5 | 8492071f2aa473c9aaaff92a088a7583 |
| SHA1 | c5fe1eb6fba623ad5b75e60b8e636b1e280e29e6 |
| SHA256 | e6d94dec8eb483ba2bd5653edf2497768edf03056380b73c20667d7f0a4940e4 |
| SHA512 | 1eec18ea28da8a257f4a60f4f1986b2b73764efc3ad3b776c674ea162532129cd119fb906c857f99826c3e56a00a453ded01ddf909dc81b51be1eaf18debf453 |
C:\Users\Admin\AppData\Local\Temp\Yremr1GEq2M3.bat
| MD5 | 2432e29df4d75101a94f490efb9f273f |
| SHA1 | 5e703bce83fec0f3acfd6d9e0a3849092b7eea1e |
| SHA256 | 659da8fd314f990fb72009759a2a84b36517a01471c182571192b7ea83ee6e46 |
| SHA512 | 04ff808b73f73107a9cf7dc7caf4f7012d08cca865c284bbab8bc375b31eb87bd12f5d16833d95c2015dd9db07458bb59f1b00b2ddf1628299f00a92d3e42469 |
C:\Users\Admin\AppData\Local\Temp\dcf3bFmABMPU.bat
| MD5 | 2123707212e96c82f8e35273ab50d4ac |
| SHA1 | 5bb5f0f3d83767d26dc64581b509697ec9702b02 |
| SHA256 | fe8fba3fdf97385a58cba7c6f228e4853566d8313f81861417c33ceb0b1fecfe |
| SHA512 | 1c93dc468ceb2e5eb8d5009b7630d05c85f1ee0cbac5094ea9a33b27604661a204972ee5a135c6da941c3d0ab00013e5018737e3f4bc6d52b42c7620dadd0459 |
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win7-20240221-en
Max time kernel
235s
Max time network
297s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (104) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/756-0-0x000000007482E000-0x000000007482F000-memory.dmp
memory/756-1-0x0000000000CF0000-0x0000000000D5C000-memory.dmp
memory/756-2-0x0000000074820000-0x0000000074F0E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2636-10-0x00000000012F0000-0x000000000135C000-memory.dmp
memory/2636-11-0x0000000074820000-0x0000000074F0E000-memory.dmp
memory/2636-12-0x0000000074820000-0x0000000074F0E000-memory.dmp
memory/756-14-0x0000000074820000-0x0000000074F0E000-memory.dmp
memory/2636-15-0x0000000074820000-0x0000000074F0E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win7-20240508-en
Max time kernel
297s
Max time network
307s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1v4RbBfQT5Oe.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\So7CPf0BqA2R.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DoxxWNcywPz9.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RXbaSYjP3A8A.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/1960-0-0x000000007476E000-0x000000007476F000-memory.dmp
memory/1960-1-0x0000000000990000-0x00000000009FC000-memory.dmp
memory/1960-2-0x0000000074760000-0x0000000074E4E000-memory.dmp
memory/1960-3-0x000000007476E000-0x000000007476F000-memory.dmp
memory/1960-4-0x0000000074760000-0x0000000074E4E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2188-12-0x0000000074760000-0x0000000074E4E000-memory.dmp
memory/2188-13-0x0000000000D80000-0x0000000000DEC000-memory.dmp
memory/2188-14-0x0000000074760000-0x0000000074E4E000-memory.dmp
memory/1960-15-0x0000000074760000-0x0000000074E4E000-memory.dmp
memory/2188-16-0x0000000074760000-0x0000000074E4E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1v4RbBfQT5Oe.bat
| MD5 | db24efd58b9853703a91011ed246b6a3 |
| SHA1 | 71da8f8bcfeff49707b45a1f88a4bc1cb12fe812 |
| SHA256 | ad55c1bc89182fddff78d9186db257bc541ab74b6802908b866ee83ed74cc5d8 |
| SHA512 | 13bc425ac7e7c5734eecebdee8f3fa5b7595f3455facf2adbeb17201bc8260d1b8e24389f58edb01b51b13dfa3cf8337d445b016654957237e0269f7ad0b527c |
memory/2188-25-0x0000000074760000-0x0000000074E4E000-memory.dmp
memory/1560-29-0x0000000000D80000-0x0000000000DEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\So7CPf0BqA2R.bat
| MD5 | 60d823b3c008cedb9fae7396cbdccf41 |
| SHA1 | 0fcb9f6feef72baf3b69a6f33c983078c60725ff |
| SHA256 | 417e2619a92509fff1e35a18626627887728a5c4ceb5e4be0e9befd358ca6b13 |
| SHA512 | f0998e988dfcbf9c1b82e8a84ed2b642fb802fb67abe8ac036a9aed2d61eab5569c53b5f465d284ff891416b1465ccd271411513b133248d37ef07f5cfeed656 |
C:\Users\Admin\AppData\Local\Temp\DoxxWNcywPz9.bat
| MD5 | 4f6b583276a13cd067e6986cea85d6d0 |
| SHA1 | 86207f43867efcd2be57dc58a40c80979ff2b082 |
| SHA256 | 9421c127132df0f3cf176ff3e16ec57991d5d7c6458b0778fdab1cdcbdb6c4e8 |
| SHA512 | 591916fa4d377a8445173fde7d6bf7dee1a57fb88c9bfccd7482d479acbc75143e30edec7a9381f58db592baeef2ad0955fa8a44601983487262ffa526a789f6 |
C:\Users\Admin\AppData\Local\Temp\RXbaSYjP3A8A.bat
| MD5 | 78d4c2a464eca7dd54a1db6a17abff1d |
| SHA1 | 4197b7cf298f1f13d027dfb116d25fa8a97906ed |
| SHA256 | a6812f4e2b25f1f106220c9ddd52bab20ea9f81b196c76cababc6228700534eb |
| SHA512 | 38396bef3e8859061c088fbab1f572e51dbd7d1606c4d12059e1c883107bc4ad44cb49ea1503ac5683ddf1065613a9c5c1ff14be3759a038c20d0b1006414592 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:39
Platform
win7-20240508-en
Max time kernel
297s
Max time network
302s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\et83YPKebshA.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\laADu67Sg0RN.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vIz73X3aHxsU.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GbLoPsHB1NHt.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2056-0-0x000000007454E000-0x000000007454F000-memory.dmp
memory/2056-1-0x0000000000320000-0x000000000038C000-memory.dmp
memory/2056-2-0x0000000074540000-0x0000000074C2E000-memory.dmp
memory/2056-3-0x000000007454E000-0x000000007454F000-memory.dmp
memory/2056-4-0x0000000074540000-0x0000000074C2E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2104-12-0x0000000000DE0000-0x0000000000E4C000-memory.dmp
memory/2104-13-0x0000000074540000-0x0000000074C2E000-memory.dmp
memory/2104-14-0x0000000074540000-0x0000000074C2E000-memory.dmp
memory/2056-15-0x0000000074540000-0x0000000074C2E000-memory.dmp
memory/2104-16-0x0000000074540000-0x0000000074C2E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\et83YPKebshA.bat
| MD5 | f1ff1bc825ae51445891474896012a1a |
| SHA1 | 92a6e291e3fdb1ae0c0a67c6a03bf8ac5122bc69 |
| SHA256 | dfe2be6316e465b8be178db225030842c297bb81051cfa0bc999172bc8652b1c |
| SHA512 | ded6250e7f4e3f8197c779736bd36483239e87e2f66fdabf47a5992379acdd4b9a45ddf1220b7815f1e01a3193f25a40615680e4e54a2213d39c7db2ce187662 |
memory/2104-25-0x0000000074540000-0x0000000074C2E000-memory.dmp
memory/2860-29-0x0000000000DE0000-0x0000000000E4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\laADu67Sg0RN.bat
| MD5 | 0a07af8ea9b9f081e435ba5ab02e7070 |
| SHA1 | 5d06c5b3e8b70aa1e198087f2e24e15dba91187e |
| SHA256 | c308c168e30c69db53ef8b2014bd26cdffb0748f42b54fc56dbb03ae5dceb180 |
| SHA512 | f0d54eed628822a1f6f1ca7b5555e02016b79d72ed38071f245a7fd65fa80f0f8deafa829b5d0dd8662c246a67e424dd51e28108d93b219ac3e50219f80e80d7 |
memory/2980-41-0x00000000010C0000-0x000000000112C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vIz73X3aHxsU.bat
| MD5 | ce5e65839629707515be7dd233107991 |
| SHA1 | da44afe1699fd0a1d425ddf034f83d1c15ee4208 |
| SHA256 | 5884af5f76e4b89b11a0669c1705efe7d88b3ee730578aa3577d46907f3e6dda |
| SHA512 | ef2a6327bc239dd449b86b6557f9b1fcc4b79c7538d3b3e5c9f20e6e9f13156b3aff7d8ef4f55377361f2aad2751e2fd166a61af2622108f70023c61ca70835b |
memory/2788-53-0x00000000001B0000-0x000000000021C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GbLoPsHB1NHt.bat
| MD5 | 621f1eb3ce380783b23783d4b1a62802 |
| SHA1 | 78e1eee7887b965028fe00395f551ae362de38d8 |
| SHA256 | 868b4c58ed35f57a37e8c3b7e33ff7e370ddfa03594b22beb3f5248ab327fffa |
| SHA512 | ca5b9884a0ffaad48c90a3257b6a34f6fb70a08b1bdba5c406788cf42b2844ef02e23b9c485e5ab8731cfac361f2987022ced02cda1a6bfa10a7af758550db5c |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240508-en
Max time kernel
296s
Max time network
309s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c2uiNkZicCSH.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4616 -ip 4616
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 2148
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYilKSzfC5Fh.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2092 -ip 2092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 2148
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rg6CW5Cz1f35.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1692
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5ExVUOmUBJiD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4484 -ip 4484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xpZeMK46GJFs.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4892 -ip 4892
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1088
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQAnEGLiMIlX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4560 -ip 4560
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1692
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aR4te3VAod2o.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2432 -ip 2432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 2236
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ihEyAUdAruyA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1704 -ip 1704
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1708
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmsZTT9Nk8u1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5116 -ip 5116
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f3qOleRhIDWG.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5064 -ip 5064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BxG8PbYHPJGR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3332 -ip 3332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1084
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSCfHSwLfsxu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3420 -ip 3420
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LrTZ9DSq50oA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1008 -ip 1008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1192
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/1092-0-0x000000007506E000-0x000000007506F000-memory.dmp
memory/1092-1-0x00000000009B0000-0x0000000000A1C000-memory.dmp
memory/1092-2-0x00000000058C0000-0x0000000005E64000-memory.dmp
memory/1092-3-0x0000000005310000-0x00000000053A2000-memory.dmp
memory/1092-4-0x0000000075060000-0x0000000075810000-memory.dmp
memory/1092-5-0x0000000005290000-0x00000000052F6000-memory.dmp
memory/1092-6-0x0000000005FB0000-0x0000000005FC2000-memory.dmp
memory/1092-7-0x000000007506E000-0x000000007506F000-memory.dmp
memory/1092-8-0x0000000075060000-0x0000000075810000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1092-15-0x0000000075060000-0x0000000075810000-memory.dmp
memory/4616-16-0x0000000075060000-0x0000000075810000-memory.dmp
memory/4616-17-0x0000000075060000-0x0000000075810000-memory.dmp
memory/4616-19-0x0000000006A20000-0x0000000006A2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c2uiNkZicCSH.bat
| MD5 | ce538f817a0f756a99bb9b18dc006ca7 |
| SHA1 | 19a3e469ea1e04a734be2025f34584414990e905 |
| SHA256 | 2f8510df5667646a4ca8fc674a3fd65fa672a05af99d725fbc8667b64bda4880 |
| SHA512 | f53bffb9b778073a761baf23ca355b4ca42aa0b3a9bb17b71bb134cebc8cf481d92ed478cefc8a550d6f25d166e89a217ca14e1af732c54c5f713adabff8b374 |
memory/4616-24-0x0000000075060000-0x0000000075810000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | fb50649750f90749ae3c2b38d9e81b38 |
| SHA1 | da2bb087b5d4b771449bc2d6e70d181d52e15cb5 |
| SHA256 | 6ca4bbdf13c64b94e8204992bad1555a02ab22d32c723a57b8f434ead1a70821 |
| SHA512 | ee2c7af3ac8327395bd79fbc0c8cbf7d04ee354f5eea02ed101021ae18fa852a16d907d8177b9a875b63bb3c1119f23461951f078c2131d1f2314f01fc29c7b9 |
C:\Users\Admin\AppData\Local\Temp\QYilKSzfC5Fh.bat
| MD5 | e64c2fc6367c56cdcaaf780162eee191 |
| SHA1 | a40a0d9b4315ec3c3dd61476dc8cf1ef4bd23ece |
| SHA256 | 98cc91c40e23be2ed25da5495f4faead4a19111bf6a9bf9a8b721cda833eb4cd |
| SHA512 | 77f6bbe612d857d1e380656b082a43258e63006f18ac5a762a57c34f0401dc597106e3f7bbb4e94c1690d38c118a645ba90cc6cd7f34b894e89685292d42bb6a |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | c0f9e4857d8205a03c0c0286a4759475 |
| SHA1 | c42575b17c5d4c6a7113e4fc2074cdc5ea248026 |
| SHA256 | b6b277deb0a8d0a2b61bb6c75f5f2f9c6ab788d89b0115f54697cbb4103dc713 |
| SHA512 | adf2b48736a1c6605d9630604f62696ccf26ae236722b563c559ec8f152098c8ec92f24763c46365040c07402e55f5877f21f556ba3b29555444cc4b3afe9835 |
C:\Users\Admin\AppData\Local\Temp\Rg6CW5Cz1f35.bat
| MD5 | c9810c2a277a4ff607a24bc40546afcb |
| SHA1 | bf76f8f756ca450449126c319fa666d6c1d59bc8 |
| SHA256 | 886da55cdc1e43fe32b30381c875c24395000ddedacfef7c2e0ae6577a921342 |
| SHA512 | dc50c7e0e6a13c86302a210f31e8297ef8f3c79ee368dbd34209b707a27960620e6fda43a018f628ef18ff0ac9cbc87fc26d8e79766bae9044486b631d5b1541 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 21ef274a7cb9e84c3912afb80da39402 |
| SHA1 | 84447760462a69ca13b8fd075065a8814ecbf339 |
| SHA256 | 6fe885e031d74a0a30a4959154b35fd7506319b574fe104f58ae72dfa80b9fba |
| SHA512 | a43bc0ef7d7b0d0e74a09f27403666e2955a1c059da48441637662ce25fd01d2d1143cc8b2d8ebe56a199857720d8cc78cc2358705d87026078bd27360c2fdbc |
C:\Users\Admin\AppData\Local\Temp\5ExVUOmUBJiD.bat
| MD5 | d7536fe6b96bae99540f71e2334550bb |
| SHA1 | 4cf240c675ae1b38b7773c9d55e397c247e08802 |
| SHA256 | 6f7e94600cea93a8e0370614b1acebbd2f7d39beae20bfe46b1f97e6367af6b0 |
| SHA512 | 5c42f1adfe44604936b3c119be2860c398407c2e226b86f67bc3f7e55098cf046d6a9bf6ea5447f6f3f09d959e60f78d91ac97ea67270dc3c51a91fdaecb897d |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\xpZeMK46GJFs.bat
| MD5 | 31e05b658e7d0da712159cbaec6b0fb9 |
| SHA1 | 86f01335e69064b4282e6df8ae5de513be8c849c |
| SHA256 | 6220c343c92859b88980a5161736eef70567630181658a1fd35992382b08aa1f |
| SHA512 | a1a762804e52133b12e7c8abdbb49aa88e4608e75b0aa603b44b99e1e168e93edeacc8b95c2a674fe711b7654c0b45cd232164f0eae91ef2d78b8200f16cca6c |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 7ef4af54ad8b144109af0c07a6c8921e |
| SHA1 | 80d45e00f4e29c10cce51b1036c82fdf7247b7fe |
| SHA256 | 8af9b2bbf0681ca2b7757a1edfac0ea97fa0787c7429ca68f0bafd753411e656 |
| SHA512 | 577c77f66b30c9395aa812617327f1bfd867576748d91e9ea260c1309725bbb4b14dd06cba6dae6cb1e53c6a4352338013ea66b691f20133c1004fde3d9a539d |
C:\Users\Admin\AppData\Local\Temp\pQAnEGLiMIlX.bat
| MD5 | 04124f40009713243618583c57db1c8d |
| SHA1 | aa2d500cd420ed443448991a08d90ed3be9eda7c |
| SHA256 | ad8ea5d1efad55bcd5158d6b38a223d1f6c508936573b45f22e309f679b9f983 |
| SHA512 | 11c021d296ba43ea887a7de423a44b2925cffee8a21114ae3ce0f01281bb75c13d5ad7c056e61345733b1fdd27468c626bc089baeca42a4b2e35718dddc54a5f |
C:\Users\Admin\AppData\Local\Temp\aR4te3VAod2o.bat
| MD5 | d75260ad11715b27ca1164c5d958d509 |
| SHA1 | d2a946a83a3fdda45fd6bc6e704a011fe0c3be5a |
| SHA256 | e16428758bc08078b984313bd386c102aadc7a12001b8f4131056353ea2e72a0 |
| SHA512 | 2133ee0b82a84fdce88cd8a4dd97d76012fa4fbd4ad8e67584640960523a8304db380e129d0a82fd00d1e0bd1bae9b55d1d7889e9c10f23b581e563a5bd39b79 |
C:\Users\Admin\AppData\Local\Temp\ihEyAUdAruyA.bat
| MD5 | 70b8b318d523583e1c05ade9bea6d0fd |
| SHA1 | efc97fd3c40ab39c76ec22e8313502490e2d369e |
| SHA256 | 2a5c0bc0348fd87d247915283d067b7da855c2478a5555ecab2d7354bd1464bb |
| SHA512 | d5627d1f8cce6ce6d531b4f76a239ab4bbcc7b219f5f50a9689ce69445c0f5e6dc638526b122241d1e02d78e029afbfcc2930faf099c3cf019b1344a2e83f5a9 |
C:\Users\Admin\AppData\Local\Temp\UmsZTT9Nk8u1.bat
| MD5 | edc29dad15496e840dfd6254b7e1e01a |
| SHA1 | c99ccc13d06d60702cce96ed7cc27aa768825515 |
| SHA256 | af8bebc2aa6daa8232cdda481e8278d2614219d1775142b52b66f6022362d6d5 |
| SHA512 | 7f4428b9da5558256f6ff0e294ba99cfd1f4729eaa5489e84d65b105868a5959d7ceab0b053d39326cbc6db32ec9b9f253087ade47806fdf628525af07b4537c |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | c13d47dfbc76ade349eac7f972a021b2 |
| SHA1 | 44c25cf26b926ce78fbc18f9f7fe54980fcb20a1 |
| SHA256 | 46b764d724dc66dbdc2127028c6fe340e42dda443d9b340d1f064a77ee6a18e2 |
| SHA512 | 1bcf17a698c88d4c46870bceb8ca4f2d7eb08449088e7fef6afe9a77bbcc016eaa00fe28f6e82e334c092e11e515d8ffda922796e75ff8078b35e6c07ee2a5b9 |
C:\Users\Admin\AppData\Local\Temp\f3qOleRhIDWG.bat
| MD5 | 02f8e30a115062df6ffa396364d393b9 |
| SHA1 | be4480166540941d9504438a943f64d5d837e383 |
| SHA256 | f26aee1b773f7ffc0a8dc08803cb44d86f57db386a7c41f23d766688f587cdf8 |
| SHA512 | f748ee47ddea9e7ec2ff4558ddcd4dac8b14f0f36bae318bd9f031c2ae25642b1ee583cc287389562abfe5936d14f6c99c27ac017fc3bfdc602494cfa9c3cf19 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 06325d55fdbc09d2b2a95a306f577d3d |
| SHA1 | ec65c147081cb47239b64f7028f31f7666f8233e |
| SHA256 | e00cd861c17dfe7576b29b92b0108d24a77ca6cc2e6341643697c825f62ede95 |
| SHA512 | 3aef1e41129ff99f21786ba8ab0832f9f707d7174f6725dc86786e3cb2b21d8b53faf6d5c6d339ab5527523698f091654f5986b5683e04b392279e5d74e6a90e |
C:\Users\Admin\AppData\Local\Temp\BxG8PbYHPJGR.bat
| MD5 | a5b907684bd2e6acacde90da2c31bb83 |
| SHA1 | 18da262170957a6cedcb829d923a04a316c2d996 |
| SHA256 | 466a4a4bcdf1579f8691333ac8d463190c6c5afa23cb99eabccc60c2b08f6e14 |
| SHA512 | 43794efdcfac6b4e6d6a99dad020f0179a86238621f12d9f50ec5298c3dc92e7a8eb76281f755a5489957931614ec3c1ac91bc88b0e4f61a5271934e7a942cb4 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 36c429e1598c6ddd3863da9e097b31e0 |
| SHA1 | 482d40fc0dc351c70606f29d6d622c05581bfe85 |
| SHA256 | ee0c657449f6f2e7baa1299510362d2dbc835d064ac112fbfa2e53191abdf01a |
| SHA512 | 4f6aaa9da296aea3bfd223f4b8797a3ae8967110e22e7d403fc2d16a3eedd132fff7072dec92ffc210ae35f7816eb3982a4ce3d9d096dc27c6f908e2d907b3e9 |
C:\Users\Admin\AppData\Local\Temp\rSCfHSwLfsxu.bat
| MD5 | f39691a250fc2cb9aa56e12ba8386ae1 |
| SHA1 | 19337d508613be97a0d18a39337a037761a5b7d8 |
| SHA256 | 3d2ab78515e93367f2f3b9376dead1dd80ca16577cd9c96c7758fe5c82af9476 |
| SHA512 | 7b332917e4dee5677ade7fea40350a0a6dc694580cbc5c89bc60e86249fe7eac7b1c549edc3850f9b9171332bda6e8506f7ad2f121290176881a9e96e9623081 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | c34b60566e4ff68f66d7d24905f69a00 |
| SHA1 | b9a7ebd8f0dc0a2086b46a5b1a614ecf17dc0195 |
| SHA256 | 803f7f146d9c8b9fd09efad0cb12c1bb3a7d02b2502a510644c39fa570888d49 |
| SHA512 | b820cac8b1dcfce89abfcb460263dfaa992cc4e12bed2c08e33430da9509d820740d5a3e6a9f4e63bdbd3fb572722550d3cc683ef65b65e5fd9eb9c2c36b9860 |
C:\Users\Admin\AppData\Local\Temp\LrTZ9DSq50oA.bat
| MD5 | 32195b1e18e53bd7749c13fcec064714 |
| SHA1 | 0f9b8c9a3f565a684bb70c12954cca93e7357403 |
| SHA256 | b9d4096bd6189ca28d3a9ec451f592200a045be8345ebabbbfc72a40d6e7cd40 |
| SHA512 | 38ca025cfbfb27fdce711e9b981d7a74f6c9395c9d95e9cafd70bc0f81cc2f05fc312de04b0fe910d94d140825178bc4b270c516469dfd724e682d7fc23706db |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:39
Platform
win7-20231129-en
Max time kernel
235s
Max time network
294s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1936-0-0x000000007499E000-0x000000007499F000-memory.dmp
memory/1936-1-0x0000000000C20000-0x0000000000C8C000-memory.dmp
memory/1936-2-0x0000000074990000-0x000000007507E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2664-10-0x0000000001390000-0x00000000013FC000-memory.dmp
memory/2664-11-0x0000000074990000-0x000000007507E000-memory.dmp
memory/2664-12-0x0000000074990000-0x000000007507E000-memory.dmp
memory/1936-14-0x0000000074990000-0x000000007507E000-memory.dmp
memory/2664-15-0x0000000074990000-0x000000007507E000-memory.dmp
memory/2664-16-0x0000000074990000-0x000000007507E000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:39
Platform
win7-20240221-en
Max time kernel
236s
Max time network
293s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2716-12-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/2716-11-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/2716-10-0x00000000001D0000-0x000000000023C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1904-2-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/1904-1-0x0000000000880000-0x00000000008EC000-memory.dmp
memory/1904-0-0x000000007479E000-0x000000007479F000-memory.dmp
memory/1904-14-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/2716-15-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/2716-16-0x0000000074790000-0x0000000074E7E000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:39
Platform
win10v2004-20240508-en
Max time kernel
299s
Max time network
308s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0x5joxHlCqVV.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1612 -ip 1612
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 2168
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XJPraGapisO6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2532 -ip 2532
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n6MFRNeXTjbA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3212 -ip 3212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ypFTtt9KRmMp.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1528 -ip 1528
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B3IW5cGC5m0Q.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1924 -ip 1924
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1716
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkZIxeQM0CNH.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2176 -ip 2176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HwgE2TzSFfqE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2508 -ip 2508
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zwmagWzaBBQc.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2324 -ip 2324
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m1PBzWVn4PNS.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3216 -ip 3216
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 2224
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DPsM4WqzyjWo.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1524 -ip 1524
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yQlRVJ0RR4n6.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2740 -ip 2740
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECioMR49Cv0A.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4324 -ip 4324
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\icyjECafc3rQ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2104 -ip 2104
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 2236
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/668-0-0x000000007518E000-0x000000007518F000-memory.dmp
memory/668-1-0x00000000003D0000-0x000000000043C000-memory.dmp
memory/668-2-0x0000000005310000-0x00000000058B4000-memory.dmp
memory/668-3-0x0000000004E10000-0x0000000004EA2000-memory.dmp
memory/668-4-0x0000000075180000-0x0000000075930000-memory.dmp
memory/668-5-0x0000000004EB0000-0x0000000004F16000-memory.dmp
memory/668-6-0x0000000005B10000-0x0000000005B22000-memory.dmp
memory/668-7-0x000000007518E000-0x000000007518F000-memory.dmp
memory/668-8-0x0000000075180000-0x0000000075930000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1612-15-0x0000000075180000-0x0000000075930000-memory.dmp
memory/668-16-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1612-17-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1612-19-0x0000000005F20000-0x0000000005F2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0x5joxHlCqVV.bat
| MD5 | 4beb6dee80ab1abc098e90b516ec08b9 |
| SHA1 | bab20e13a31bd316bf46b4756813e306e2650597 |
| SHA256 | cfc5058ee2d15867ee8901a5c9c9434cdbc5210fe923f4c9faaff743a65c386a |
| SHA512 | 38a12aa6129e1c5b9767d59f06c3030e7b546c28cc4feaa3d766817931cd07406151177f89e00e851fbaa7d74ec7844592b29e80ac1c6be07ee115acf9d6df94 |
memory/1612-24-0x0000000075180000-0x0000000075930000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | ecb2fa9c54a822f3015c0b60b5b8ae24 |
| SHA1 | 40d65e45866867d96ff15f8cc50c16ae5f4f6cfe |
| SHA256 | a13f8cd3919e85eab682a0a4f57748c38d1ba37fd283db05aab8f41c3de88006 |
| SHA512 | af3cc52d6a4705c834915d9f46ac02c8e51bfa575e52af952aecf6785de9f2052912930b165233f4c8e48c28e973a94f2108aab4864ffb98e07a755a8445d38e |
C:\Users\Admin\AppData\Local\Temp\XJPraGapisO6.bat
| MD5 | f2dd482bae72240ee0dc674cf17cd086 |
| SHA1 | b410b37ead2465a39432635d478600daeb4572bf |
| SHA256 | 940b38e2911b3defe0720ec19c017e62ba42c4f68d84e438e9f1f6e8b7560dc6 |
| SHA512 | 3ee9d2b1c774636382adca64db4648c502ff4f933aef7d27f40b62eec398433e7662358904969e400b10e5260b2c7ca298d413e80231b21748c3be4cafc04710 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\n6MFRNeXTjbA.bat
| MD5 | 307f60da95d85b0fb9e6f10729560e59 |
| SHA1 | e9bf601e0c48435d0d19c71b4bfca3cfa3dab3ef |
| SHA256 | e1a2e4bcb69fd5519afde67135538192e5a1b9d4219353a82bb6f3336c4657bb |
| SHA512 | e112b0cfb377eb527bd66b1d3af3b4331006d7ffcb96078ea547be2fea97548244275cf47d6e10ffb392f1e6143c020037b998127504af9e4c28afdc8720bcab |
C:\Users\Admin\AppData\Local\Temp\ypFTtt9KRmMp.bat
| MD5 | 8eaaa9f6c07631f24ea66a1556857fdf |
| SHA1 | fd3638ef176622dd8a90d6f39723e9041455f265 |
| SHA256 | 61eb34a9a08fa694685c3c162dc167d1472967f8877242fc26a324b8c68ac301 |
| SHA512 | f7c6f8634b126e5a6f74108a5acca305d31f55b1c259c4bd0eb7ac22470d59e8d12344014c014dc3a95228e368d6ba5d8a89ed64cad1517bee90577cfe33abe2 |
C:\Users\Admin\AppData\Local\Temp\B3IW5cGC5m0Q.bat
| MD5 | ec2ce785ef4ab3ad4451bbd2dcabdbd5 |
| SHA1 | 768e1af55c4b61f63ff6f1321fa35fd43bcdad69 |
| SHA256 | 7455cdce04496fa56179a418f06bf6d47d6e06678531536f8a9ea71181c04d1e |
| SHA512 | aa7f70c508e162044547def239ccc9a430f6638bc6ba0051d54a6f6fc0e6216e6131472a70c9f07d7d47988b9c3c8eb91aa8aed8450558d20d7d1e7b915b17b7 |
C:\Users\Admin\AppData\Local\Temp\FkZIxeQM0CNH.bat
| MD5 | 92cbaa9b8e8d663b121e2fac9f122370 |
| SHA1 | 9c2ac770303033e423f28de882325981670dc4ba |
| SHA256 | 33caed065c269817ecbd55555e256b145aa4068baf09d0f31ec8ed1597afbfae |
| SHA512 | 01a448a40f1d7473203635925aea95e72d1c8e60e799d6d5509beabc7b3f43e71c9b8399bb7d18ea8f2d6803f8592e6e04bf60706ec9b8a76c31725c852c4947 |
C:\Users\Admin\AppData\Local\Temp\HwgE2TzSFfqE.bat
| MD5 | 78edd38cb38f65b435c271cb698e2e74 |
| SHA1 | 29bd5a5fe8f3e091c89463931b17a395a1deda7c |
| SHA256 | 0e26338d3e7f40bcd5a058d52a64a0b7694a91c531f125f6ab49f755e31fd408 |
| SHA512 | 5b350f0c12f14830c9bbd2ed0c575c6c36c922d0074868bb47198464f19058ea0a84b051cf5f95aeb04a8eac6ada6593cfc82abba07c2b560b879488d29bcad1 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 68387b8096e87d234ad55a61fd404163 |
| SHA1 | 6421a198e8c331684bca6a735d579df45ad11dbe |
| SHA256 | 04b139c7f3e8a3c0d71c596d949441a81b4bbe450aa930fca3dfb572a84d2b1a |
| SHA512 | 8b5244aa0a200b8e909e25e48b3a8d343bdee3b644b67c7a2becb9cb958fcbe852010ac16b600eaabd4d57bb7b957d3e039ddf4032ccb0bed47b3a96a9d3a522 |
C:\Users\Admin\AppData\Local\Temp\zwmagWzaBBQc.bat
| MD5 | 1fd373f384a065341381881a6d4c3174 |
| SHA1 | c544d17338c036fce830c96069708da41182d961 |
| SHA256 | 04bbbcc607a97561ffb5df4a60ed3bdb752051e628c4866eaf0b8368abaf1318 |
| SHA512 | 4fa875ed0676c2ed7553bbb3db124d726900129db5f652e48da315089c2d2bafcb0efb4971afaaf7b1371a543ca7411b94a747b0456aed9a1e59a5e877324747 |
C:\Users\Admin\AppData\Local\Temp\m1PBzWVn4PNS.bat
| MD5 | f042b2cb8c61b250a4379e400fc53e16 |
| SHA1 | 532241a0a3940247a6b0ed21af11d85f86959b20 |
| SHA256 | eaf20787c96e6b6a0cba53a21016de9beee8360ea0f6dfacbecb7ce1524e847e |
| SHA512 | 51ecd965465e8507a52b618b8bb199db81011abfb1163d846f8db7025eac3352e92ab8fdcba95d091d41c3ae1e23ec0e88e84d3dfc42af331da95a38fcbf9de3 |
C:\Users\Admin\AppData\Local\Temp\DPsM4WqzyjWo.bat
| MD5 | c756be32784b680e8b4ad79318721425 |
| SHA1 | a98a6ce6e19cc5c6614d51ddd8c848cffaa10289 |
| SHA256 | d87b2a27d666c2b387facbe69dc3eae3898121f661aefdb79d82a554468ea0ac |
| SHA512 | 998043321987fdb472fa100036991a1cf76e1f4561f374073ea99963fcbaeeb8b0bb147819d1922f96a8d2dc8a03ef71316d9fa3ea6c367d28df885f42081025 |
C:\Users\Admin\AppData\Local\Temp\yQlRVJ0RR4n6.bat
| MD5 | 1578f08e2076eb282cbafc0fb915f6ff |
| SHA1 | d8a3d8bb3043d82c4167ea79fd598a8118393d4a |
| SHA256 | e2e4118314bd1aaa7d9b15fc0bbb14030c96850e677e30bd0e88d81d1e298911 |
| SHA512 | 42e434b3f228ac6e252054c92007fad96240c92d1ac9ffa146a315e6493488918864e434735470b8ce6f9fe8c631492c18313369ef3f8baab8b315f81d417533 |
C:\Users\Admin\AppData\Local\Temp\ECioMR49Cv0A.bat
| MD5 | 4f4b605ac3f2c26d5dcaf12a7aaff4e8 |
| SHA1 | c7d6a8feb232ad241cb04c89eb79cfd283c78713 |
| SHA256 | 53540f9fe5dc61513cb06420a76672ffe28df690d25c5776361b8b3997cadb42 |
| SHA512 | 426376081e899822d5dba778a3f7751a04f5d724cc5e10ab7716031d6d505ee880daae1702f462c393193432a2bcfbee5e52e1cb2f71a895d576a33c44d313b9 |
C:\Users\Admin\AppData\Local\Temp\icyjECafc3rQ.bat
| MD5 | 01fdaf7fb57a5763e4949f67d8f686a7 |
| SHA1 | 9272402704cfa0188352786da9a70aba849437db |
| SHA256 | 5acbcae6975aaa8cb22bbaabae73a8b1b199a4518f0e2808198e906338238c81 |
| SHA512 | 32d14f55a67d90286d818067a2866f09f3bbd540fc3233e1e4d35e1ce10785ba9f091ffcdebc4b8479340041384764621dfb70b17408a98161c9a96bfc0f9433 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win7-20240508-en
Max time kernel
297s
Max time network
303s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (102) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BIVa5Ush6zkI.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2s3PeLbeqtxP.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vyF8EktpOeyU.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XtE097mNBGnu.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2116-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp
memory/2116-1-0x0000000000BA0000-0x0000000000C0C000-memory.dmp
memory/2116-2-0x0000000074DF0000-0x00000000754DE000-memory.dmp
memory/2116-3-0x0000000074DFE000-0x0000000074DFF000-memory.dmp
memory/2116-4-0x0000000074DF0000-0x00000000754DE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3012-12-0x0000000000960000-0x00000000009CC000-memory.dmp
memory/3012-14-0x0000000074DF0000-0x00000000754DE000-memory.dmp
memory/3012-13-0x0000000074DF0000-0x00000000754DE000-memory.dmp
memory/2116-15-0x0000000074DF0000-0x00000000754DE000-memory.dmp
memory/3012-16-0x0000000074DF0000-0x00000000754DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BIVa5Ush6zkI.bat
| MD5 | 109971e0f70db554a32a1784a08a14ac |
| SHA1 | 7cafd41fa9e19677fabd0ac25c79852a6ce2b878 |
| SHA256 | d3d4457186b96518bd21dcf06dd248c55fc5e8aed6130d298a513d32b8bd2653 |
| SHA512 | 5fd849cd523efd33a402a8d69641b28506e9f2334ae1bee167c55048d036927c507a617d0c61e40163bb382b300f091475db2ff39e1b4c8b3fefc17840ceff79 |
memory/3012-25-0x0000000074DF0000-0x00000000754DE000-memory.dmp
memory/552-29-0x0000000000CD0000-0x0000000000D3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2s3PeLbeqtxP.bat
| MD5 | 89e401bb419f07b42b78011a30086074 |
| SHA1 | 6eb25b4a3e5c8903fa3680b5745e3cf9a656e92b |
| SHA256 | e661b30330a24781f79bc907f8def5438906252cce02eb243abe0dc1c5fd0862 |
| SHA512 | 5d02ed61680dd1d46d0f24a1bf483c797371c6db68f24ab546436ebaeddf3528ab29e9fac20db5c7b949682b2dab27fdf2ac406d190a661a0a021d2b51d90d93 |
memory/2272-41-0x0000000000220000-0x000000000028C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vyF8EktpOeyU.bat
| MD5 | e2539ffb3eb4d1813d96035f6d712c13 |
| SHA1 | c78f3e5c010722e89c53d53914793ea7db149f43 |
| SHA256 | a408e0a6bf46c75d2680cf0d36063b3e4368cdcea9da94ff5fa3f652fe3b375e |
| SHA512 | e82bebdffbbb8227a2bb46bf3b0cd0c33ef057964ec3ff141a7b677a0016f14e8b5eeea1dc13a702a6fd7ba65e2ba7d8c3d58b3270f83794a2344f0b0332924c |
memory/2836-53-0x0000000000EA0000-0x0000000000F0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XtE097mNBGnu.bat
| MD5 | 94a2927ad762ea0667d69150d7ec7639 |
| SHA1 | e930d7ec2ba4e6a2b8fbd8a768cb9a17bf457320 |
| SHA256 | 6047e3a8e887b967b8f564187f168d2a78b4a2c0cac537f778e8427459ca6f9b |
| SHA512 | f5d8f8e879015876f7cab7a3b16d2841a249bbaa240b5b110e8c241d09e91efa0bd03625feba32a0009bfaa4c1600dc5d17453be3eed34082d9aad68b24ef960 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240508-en
Max time kernel
296s
Max time network
311s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9YG6EniSkgZG.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2908 -ip 2908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1452
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cSdFpiJ8lZEl.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3720 -ip 3720
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 1648
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kAikTUecDnIX.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2920 -ip 2920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 1088
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G48T7SlCKt2h.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5104 -ip 5104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dthKY39Y7MdZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2656 -ip 2656
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7IxEQoe3XUUq.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3240 -ip 3240
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ztZNIkwfcU1V.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 376 -ip 376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qQQ1HUsVIasb.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 656 -ip 656
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pbjEaZHH0Fee.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1692 -ip 1692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dBWdelOZaQUP.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4072 -ip 4072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 2220
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgSAWcncqzBs.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1836 -ip 1836
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k4uLbc8okJKE.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3680 -ip 3680
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1096
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MY29gjMYU4Kn.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1320 -ip 1320
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 2240
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/4788-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
memory/4788-1-0x0000000000FC0000-0x000000000102C000-memory.dmp
memory/4788-2-0x0000000005F00000-0x00000000064A4000-memory.dmp
memory/4788-3-0x0000000005A60000-0x0000000005AF2000-memory.dmp
memory/4788-4-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/4788-5-0x0000000005B00000-0x0000000005B66000-memory.dmp
memory/4788-6-0x0000000006750000-0x0000000006762000-memory.dmp
memory/4788-7-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
memory/4788-8-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2908-15-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/2908-16-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/4788-17-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/2908-19-0x0000000005F10000-0x0000000005F1A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9YG6EniSkgZG.bat
| MD5 | 4143ce56e9f7cce71596c335b7b117f9 |
| SHA1 | 015931310ee44823bbba6a20969cfed6b084e5da |
| SHA256 | 3de92ca8cca4172f773ae8c07869f149000682c6e03a2458403be1534764f98e |
| SHA512 | 074607339cca6f43e29511e0fd75780840147d7b4b6b23c0d0de25a0c54eb09d3e9521144c167dab12f8f52e0669a4d5d5c6604fc927dd15706eb0ae168106fb |
memory/2908-24-0x0000000074D20000-0x00000000754D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 171671f3f3d762be0c11b7ec7b8e26a0 |
| SHA1 | 8f7a3d3a55af21ac63f8d608b39645a29c75f0b9 |
| SHA256 | 3742a07083b16e52d7135fe9a7eca3fd1de89f799cd6c1f609f603f29ab94979 |
| SHA512 | 6c16e8bc865b02b9604a7364158a01a27ae393fcfef29b395479b893aac9073baa6c0c6c59fc9cdf7116587e6907b5dd40213230352c8605a2ec4d1ba1733889 |
C:\Users\Admin\AppData\Local\Temp\cSdFpiJ8lZEl.bat
| MD5 | 76cdc415210cd74890f9105f7c36a418 |
| SHA1 | b21578be8d1abfb0b1e42deff7768af3fc4677d4 |
| SHA256 | 700ea86cf4d7f974f7b987acdb3c0360df7738d2a11186f46475064312778eac |
| SHA512 | 86d9ff15bc13d750fc14c9d1141b3cbbd21ef446d0da2ac1e67cf59ae963a524fa79add69d3452701f15143e938a563c946f54512efbd834f8b86efd774c6ccc |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\kAikTUecDnIX.bat
| MD5 | 5af7dace40a5a8d93ceab1bca292cd22 |
| SHA1 | ebc6c34dc49d833dba81a58b85f0a1c1b1d0aeb9 |
| SHA256 | abecebc8de93689be5d98aabf4dda79c9e53a0ac37c394bcea3ca4d2358cbb0a |
| SHA512 | 79207077c8f2c4609c00f12b1efa14fa37e321cc3f261fa8aadceaa97a191a493a68028b48cac8a49c334e76d68091377efcbd228c3f6a7c3eb0b7b1c3372d09 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 1897267d9cca018881fe158125f18e07 |
| SHA1 | 97b46b754217c51ffd024040b58add260251acac |
| SHA256 | 3f30b51ba8adab932c5fdd0b5dc40c96ea3e2ec5a6b1ab7dc82d4d48a5349746 |
| SHA512 | 2cda87bb5de7205d4d22ec1902c7cda79233fd2e04e1ce8c7ea497d0edcbd2ccb3bc83cbb5d7b1d322a439f43dfc3eced0c4d069cd4ab518c7f1da1839499fa2 |
C:\Users\Admin\AppData\Local\Temp\G48T7SlCKt2h.bat
| MD5 | 8135509423c1e13ee6fa0fac2781dca9 |
| SHA1 | c0e2f7e11de727570b5bc2d042ce8f041c900007 |
| SHA256 | 60b48be2af95f98b4c24863e98b1d1e666fae2a1e85821d8c73d74309ee81f5e |
| SHA512 | 150b107142c6f8972a0bea71d25ae2afbc376c6f1f6a905a44d084ad1ddcb3e0715c25276c451866962dab336acb3da2729ab843d73760c7001a62c9312d51f6 |
C:\Users\Admin\AppData\Local\Temp\dthKY39Y7MdZ.bat
| MD5 | 6aec1fe43659b0a242cb46cb4b07096f |
| SHA1 | 60aa63358933e3d2d26970917c7ad66b750ea86e |
| SHA256 | 6610c0e6b6f73285741d5b1b9221f24ccfde7efcddf103a8025968299f1a5836 |
| SHA512 | 1ebe6fe635ee75ddad664aa5bd15ebcfef75a1f954c861df73409eaeda043b8cc408f6e302e5d75fd72022ac86f8e32e7ec3e422420d13a4c7f9168ba79a43c1 |
C:\Users\Admin\AppData\Local\Temp\7IxEQoe3XUUq.bat
| MD5 | 4090355629511d111213c605eaf5057a |
| SHA1 | eb44431192743689d3de8a92d3b03fe1d6d57236 |
| SHA256 | b36a4f22fe6457a47701ee679b08ceabf44a840231067e19c0bef72664703b0b |
| SHA512 | a3c58d20e83eb33ac8814025fbcde8cb144e6286622a5675aa4de2d7c23a014e9a8fddb4fb62d73654905cece900cdb466a7f5a5c0bf3c03cbd1ee4a5d67b8b3 |
C:\Users\Admin\AppData\Local\Temp\ztZNIkwfcU1V.bat
| MD5 | 6930812ec4c23ad1f180c4f983e059b4 |
| SHA1 | fe4b27790c8262889707db8416c09ad827a0907e |
| SHA256 | 1f2cb70f0739abe61037eb65a0caa7d562676032b2fdc15415a62c4f514a01eb |
| SHA512 | 7f6fb967933ce5bcf9a3db957f5b37f785a92e3d1206ea81edd480eccb4f4adbe34c8ed06bf6935ec0cd2d5346c404068f0af0dd2872c6e60697f5b7573fd13f |
C:\Users\Admin\AppData\Local\Temp\qQQ1HUsVIasb.bat
| MD5 | f4543a84cc1d1456e3b218d6b60d71a2 |
| SHA1 | e359efc5fb5f7289d0ef39faf00f3141e4eef3bf |
| SHA256 | a88caf92fce47bd660af949fb696415a1ef18a88ecacb7a8439938cfd2fa16f9 |
| SHA512 | bddb19df1eb92813a4fc02faeae0624cde60cbdd5b94067767f88ac31caddb9b6a98b7fd396568e27c4126cd054809a9c64a62e4f0253f46831fd70af78a3ce0 |
C:\Users\Admin\AppData\Local\Temp\pbjEaZHH0Fee.bat
| MD5 | 7904005b55d0103b10c6dcb9344aa4cb |
| SHA1 | 1a4e81da28c9ae6373a5591678e69b5d64ba94fb |
| SHA256 | b7fac4474933133814a7578518728d4558404427d3ed872aada72cb4ae812f5d |
| SHA512 | cc1493748464ff63131b0acdefee205371b6012241f300b0155507441fc8dc192b9cc00b7c4f9e178939e572372bbd53ca1f4b84da6b5a88780080882c7639db |
C:\Users\Admin\AppData\Local\Temp\dBWdelOZaQUP.bat
| MD5 | 1cc927975ba8838921e0af30f3a3ed8e |
| SHA1 | 77c94500c8f60dda900d84641f8aa28271eec473 |
| SHA256 | f0502a29970fa9b91a310c257799779b5acce7d136d56bd66c63868cbb4a4441 |
| SHA512 | 3ca5dc50ee509429860f426a7d0eecd4b6255a17b464d4ecc7f819f0f9c21480634dd6a0b8e72586ce9276abb52999edc0065171c7f28f0a9cb8f8445a927cf3 |
C:\Users\Admin\AppData\Local\Temp\JgSAWcncqzBs.bat
| MD5 | 3e006c765c1c75a975298b28c9e52936 |
| SHA1 | ed7db0713374b3629e12d95395c48b85d31fceda |
| SHA256 | 991eefb1be4bd32fa9d2beec6015fc70fc6099cd567c751f9ab0f6c6e41bf603 |
| SHA512 | ea2cc9fc445853d3d7d1f0d0de39ea72b1d7a6b54d27b38958556715e9a26c5aeef0d626aba6acaef3c3f60c634f45d3e41532f944b0d1e1eeb3e074df355498 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | bcd14e6f4f1fd586c4bc0fc18fe74406 |
| SHA1 | 95fa0a334cfed3b37fe690b5344859647cb2b98b |
| SHA256 | 7a427e3b175024231c59f7d94dca1f2efc707fa5fd8ccd1bf1153a1609050bef |
| SHA512 | b8d24735f30d88f8f893537b76266cf7bcf56623ede3570dd4970c59dc297b52b421d48824a647bce091689d65df81dfa11e559c83edbbe7f80d15293204ecf7 |
C:\Users\Admin\AppData\Local\Temp\k4uLbc8okJKE.bat
| MD5 | 0f1f9875bc329f4c17a6634f93f38de7 |
| SHA1 | 7dfae9e9a6ddff4b185fb746be20e5a79fab379a |
| SHA256 | cc28bbb08c54852cd1e6de6d061720c97e576fcd2e3d866869576bde57f35676 |
| SHA512 | a105b6991b8b2950ef4c9176ecef697a28dd62b1a4044f46b4aefbfa70684e82f1efc47ac1429d60cb39a01484284b4e2de8d6b901ceb7e4886fea44b6fa16b2 |
C:\Users\Admin\AppData\Local\Temp\MY29gjMYU4Kn.bat
| MD5 | 4369ca9bdbf2188c7297f1c66cebc8ee |
| SHA1 | 0da259d0b8caaff402e9901cd61193ade79c47fb |
| SHA256 | 8bc3e1f8fbe3d25462fd963fbccf1cbe7f1ef057f70a053d224afbadee77a654 |
| SHA512 | 07e90dadaf206f746a9202c3612dc5ddab0f2a8b45bf27ddd43cf46c6130b1e1ef831859c1c64dd810d2ef0d23e6769d92e166652d25a2d633e3765bc658db6d |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win7-20240611-en
Max time kernel
236s
Max time network
294s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2212-0-0x00000000743BE000-0x00000000743BF000-memory.dmp
memory/2212-1-0x0000000000130000-0x000000000019C000-memory.dmp
memory/2212-2-0x00000000743B0000-0x0000000074A9E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2900-10-0x0000000001050000-0x00000000010BC000-memory.dmp
memory/2900-11-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2900-12-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2212-13-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2900-15-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2900-16-0x00000000743B0000-0x0000000074A9E000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240508-en
Max time kernel
299s
Max time network
312s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bzGuWdxMpK1G.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4004 -ip 4004
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1908
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4KnJVB66oZDx.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 352 -ip 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 2176
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3V6WoGVrXDz0.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3400 -ip 3400
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gj9Z1zcjBDda.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1760 -ip 1760
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g7bk60xv5Xnw.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4416 -ip 4416
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 1712
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C01Tkx4VCdX7.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3356 -ip 3356
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWx0bnSZSCEZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4804 -ip 4804
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y1tXTercilu2.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4836 -ip 4836
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1192
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\chAILg2mdBHu.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsTVelQYMq4x.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2948 -ip 2948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 2168
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m9RLwwisuvgD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 924 -ip 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1668
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1REt2rAVyp0M.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4388 -ip 4388
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYnbSkEVHa7q.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4452 -ip 4452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1096
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/1908-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp
memory/1908-1-0x0000000000F30000-0x0000000000F9C000-memory.dmp
memory/1908-2-0x0000000005FE0000-0x0000000006584000-memory.dmp
memory/1908-3-0x0000000005A30000-0x0000000005AC2000-memory.dmp
memory/1908-4-0x0000000074C30000-0x00000000753E0000-memory.dmp
memory/1908-5-0x0000000005AD0000-0x0000000005B36000-memory.dmp
memory/1908-6-0x0000000005FC0000-0x0000000005FD2000-memory.dmp
memory/1908-7-0x0000000074C3E000-0x0000000074C3F000-memory.dmp
memory/1908-8-0x0000000074C30000-0x00000000753E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4004-14-0x0000000074C30000-0x00000000753E0000-memory.dmp
memory/1908-16-0x0000000074C30000-0x00000000753E0000-memory.dmp
memory/4004-17-0x0000000074C30000-0x00000000753E0000-memory.dmp
memory/4004-19-0x0000000006850000-0x000000000685A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bzGuWdxMpK1G.bat
| MD5 | 138731d6f05c2a07d0be4c96f982b684 |
| SHA1 | de5b01983a4c7c41f670bd31e33561c6743e1236 |
| SHA256 | 7765c234cca769af840804b7e2072e85bfe95151a7db84a787f9e0bf148f9ba6 |
| SHA512 | 7e685513d1d29a917ae4c0a1fb28418b99b71ab39a0ee2cfb5b11f79ab7d535afe96e016309bb86e486648088a016adf2324e6804c29f427ba4bc221f7d27b23 |
memory/4004-24-0x0000000074C30000-0x00000000753E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 336619f69de66af6f4df2f6079f52d2b |
| SHA1 | 86839e19bcbbd3c5117bc88b42a4d7133fce6bf8 |
| SHA256 | e69a8a48eee6192329de9febabf4767be4d7a963e69f3fc64fbd62395689baae |
| SHA512 | ae592bae33506ace4b4241ccf250ee66425e91b91bde692e977ceb757fbc73627038ba07f3815f24d843a1f30941135370dce97ea229875522daa98a324f576b |
C:\Users\Admin\AppData\Local\Temp\4KnJVB66oZDx.bat
| MD5 | 1490f2166b5e3ab3cf8bc7327298114f |
| SHA1 | 5718a88ce9c318f18dc9d1afdd21cddcfd252145 |
| SHA256 | 0a7bfcc1b7f5e2d4c9d771f25096241129027d0f1b5195ac796d388fe9f57d4e |
| SHA512 | 1d9cee1e127731d93f35b6486b0a62f8f007761fba5d2ee8a57b0e410b5b6b662179c3bdbe0173f2688a7c74f630b45c1e37abc731adf269274145f90187f93d |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\3V6WoGVrXDz0.bat
| MD5 | 9aa3ad11adc726c026f328900997f6a8 |
| SHA1 | 8abb6ec44d318ee271232bb955c01029f0f9d9bd |
| SHA256 | 8a0647a07dd6a40e22047cb19a821c7129aec139ce332a73b0ddd6d54d73ad02 |
| SHA512 | 2d72cffe72d54eadd864727713d857c010c2aecbc22e5a30ebbf859dd1d698b6fbc112054246376c016c05f380e7cd0c9d950e5484d1f62c9c538d68729d0686 |
C:\Users\Admin\AppData\Local\Temp\Gj9Z1zcjBDda.bat
| MD5 | a78b01fc625259915df5652f00b2b1e5 |
| SHA1 | 0b8cfe7d80f785bb501c44126640133d27ba3ee5 |
| SHA256 | dc067c90cb908b61a4e85d5d8d694bf6123b30ab9942a91c43d96de92f465554 |
| SHA512 | 4c2531ed986068c187398cad4513f486b605a76d5c2bdca8eb49e3728cde03e9d7cec57e51d3700ceab1b6c74f154486dd88dc0b72c48720f7362cf542e1313d |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | afe4195670534300fcd39f1d9c36a205 |
| SHA1 | 5af6493240eeb7e07f5dc871167e87be3a418603 |
| SHA256 | 09a9af381b8eb3a239244d73b60c38878f051741730c2e94edd4eeabadd28b21 |
| SHA512 | a0eb624fe91bab12a46997ea736a8af9ab0f3bc4c9b72b3cb5ded3f7d7e371976d17dc04b662bad78d71858a971304822a3b9ee086769e9aeb79cbec046d3d1f |
C:\Users\Admin\AppData\Local\Temp\g7bk60xv5Xnw.bat
| MD5 | 048b689812ddde278bd396dbea6f26e9 |
| SHA1 | 27a30b5e27f8cfe8924106ef1c9522815509a8bb |
| SHA256 | a11c8bfe57f80ab84b22b46d5c334d87436fbc1c7f30a8cf4ec1bf71b87bb92a |
| SHA512 | 20cc39d5f9783677c4c9838fe97a43308b95c68d71d4cb8dda2ef697f7fe08abf48395872fd794e0805964bdede03726433626a7accc7fc5b24921c7ba557eaa |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 1a05ff087f2a4b7c85537c7b7d0fd8fe |
| SHA1 | a14d140697f61de31b0de25899734fbecd65f1b5 |
| SHA256 | 093c45b33d83a972a23e36e099ff2478c5aa1bc554d4815ad7c6f7d56f0cd610 |
| SHA512 | e0d0aae28a4d7ed9dec789adc03c47c3346d373bd62631c61697bda15bc273a3d362b02e0586200fa4a5848afc59c7e7f2aea189e6857b2a25cbbabcf242c1f9 |
C:\Users\Admin\AppData\Local\Temp\C01Tkx4VCdX7.bat
| MD5 | 3422cbc61f1c6e5f2aab425491625c09 |
| SHA1 | ceb44daf145ef19c8945ff4db3101c9a452b8dd1 |
| SHA256 | 81a4b1166828510e5d404b513112fd2ba3051308c4d5225d5ee0c501220ffeab |
| SHA512 | 5c06c06ab03b02da99d1131a0a4b69bbb07f590ef7a27c75dc8023df0ef9beb48cf16f902284c52fd9ab8b44fbfded4060e82c0deef9554ad76b5800b2171b4d |
C:\Users\Admin\AppData\Local\Temp\sWx0bnSZSCEZ.bat
| MD5 | 56f5230e24857f0e9d9dba3fce07bec3 |
| SHA1 | 23a9ab1ec63df359a5aaf4d0dd59a46227bab60f |
| SHA256 | 02ff2c00fe864c1f19abdbb446cfdb26df55dae9ca3b5b3e59009cf3bd528eb5 |
| SHA512 | 395fc9758329d9ed9153c32d11e098d6e68f80dad72e37baf572cb4481be44a83385834d52de2d0b9f9265f6ce518e1b53f2e2bb13974e8ef13a95901812cba6 |
C:\Users\Admin\AppData\Local\Temp\Y1tXTercilu2.bat
| MD5 | 91a5b76d8f949a30209f13cfdf1e890d |
| SHA1 | 9dd75f65092716e989cfcd32623d6da2c8609e8a |
| SHA256 | 58334d4fc3f404ca5eee36fb29b3c4692426e67ee7d6c29435495d6429c0205d |
| SHA512 | 83f727c9f5585de5176d4224713773bdfbefab146ecc151df89e06566e4eb774332c58b9f646791878c18505ae96d0ee610861b0cf2718750400e6aeebe33b3a |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | e75dfb846af939d47fef92919b8eb561 |
| SHA1 | 8f89b0923f5bbb74fa5caad3b30fc8e800db0075 |
| SHA256 | 7385006d16ace02795d91c1e9f9c28a1a1975e68c51567044e3bd4b7140c15f2 |
| SHA512 | 42053c3a5e6ee149da5b808dc695e909d76a8c6c21da170774591a0436a0adb2c2a31ac19bff85f328b80a894629cc9f81910eca1ca1a10b48dcc7ac764f68c3 |
C:\Users\Admin\AppData\Local\Temp\chAILg2mdBHu.bat
| MD5 | a2e1f0ee70cafc7ae1d732b6b5671280 |
| SHA1 | 113c51145a6592aa878c659722cb31a66489a741 |
| SHA256 | dc4d5a009372f1bf5f0459dc6046aed39ebd88d39e2a2c9eed039c1386be41a0 |
| SHA512 | cb0561af55a479bfbdc14e7eb8f1d8f33b6fda9b8578eecc3f68ca1de3b088a6039d88d5f813a26a5a99d77123937265564515aae8daeb7a2351c5cc6b8df020 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d9d8ec550a8a2d0af0c659dbbd652ab5 |
| SHA1 | 9678ccb4bb27b049beb1e646f781ebedef734e67 |
| SHA256 | cb9d4c5cc0691d682360fbac78b62ff7f1a6d92a981218a64e775e0d47d9cd85 |
| SHA512 | d1ed7d4ea19338a2fcfbe8a5468102f371ed1f0e0fe0146d4290385703fc7430e70ab5744576258c9b7a0a81784661d77c9adf3d595ace329442e6625987c30a |
C:\Users\Admin\AppData\Local\Temp\bsTVelQYMq4x.bat
| MD5 | ac4dcafcdff29804786b8becdf5b0c8f |
| SHA1 | be6970fe1894ba6dfe3b2020829c084e82ecb78f |
| SHA256 | be95710e0c409c8ba17aa2823fcca8ea17addf111df1049a6bd6be1f401ac761 |
| SHA512 | e2c2f3d86d12db97b04525709f20059b6f9644de558caff9c74b45d63a98353aa24beba927acb7fe92fb1735973a3b21fc48dcd76ad53e5c51bd16ba1235620f |
C:\Users\Admin\AppData\Local\Temp\m9RLwwisuvgD.bat
| MD5 | 2109a8f8f9a79afd7fa4edca3fd61fd5 |
| SHA1 | c397daa968116b543e7e337308b56f931d4d14ba |
| SHA256 | 99c977d8820c26f54561f47079e492b0a98b702f53f32c944a1ece6761cedeb9 |
| SHA512 | d2d24e49910f22df3f9be273ec5404138dccb267b258c5ceb635d83db643bd1454de1cbecba811c0a614d00d27d74112924422f14e34a8dcb8201b7ef30ba94c |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | fa6e668697e31cf60939834a90e5d430 |
| SHA1 | ce1c8679bb23f4c06a80056a3fed0060e7390e75 |
| SHA256 | 3c9ebbaec3a5cc6fdbe5fb0533cdde3770ff651b42f0aeaa5ebfd7542398022b |
| SHA512 | 79ef3bc3d53bef08fd1649986fbd2a3ffd19a97787f71460d0b462697cf6009b998990643d7b63f92e438cd922575733dfa5dcbf3b19f9407417f4c8c416cab3 |
C:\Users\Admin\AppData\Local\Temp\1REt2rAVyp0M.bat
| MD5 | 8689423258c1fdaefc33ba02359b93a0 |
| SHA1 | 4da860f5d150c29f2d2f94b424fdbb4fccb5921d |
| SHA256 | bad817a184174731d09eff314c41811c9a8799b6713aba86d29f4744c0955f2c |
| SHA512 | 1af414b17c95be94f44f96741780194ff46fdc9eeeabffe8dc7b58e62462dab9e265cfe58fb52ad2bee1ef53f9f0b7c4fb754e855aba9a0f93306731e110810e |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 965acf0176279e54ad9cea48e7587efb |
| SHA1 | 5a881d6a1889e4852d5a001e8a41e15d4ded31c3 |
| SHA256 | 0e18562fadf816eb1ce0e5af58354dfffd20c166b1bc8a836631ffaf63143228 |
| SHA512 | e57b98280e024216e90c9f93c3e3815b929e8fcfebd64eac6ffb8323f5c8af0758fad3d2ecc0f9c862ea1278d47e5e776d691854901cbca9fa180c0ea1659867 |
C:\Users\Admin\AppData\Local\Temp\yYnbSkEVHa7q.bat
| MD5 | 6459483d47bcf0167a73e98f46719c3a |
| SHA1 | 40b46a9b5844d26e52bb83dd5675fed1da71bd77 |
| SHA256 | 31b56fdca94cbcb0a476c17e0851596bc2f5635433192540206cd6e1e2312ddc |
| SHA512 | 95b55250ade7c7e16780a65671a8b60bd9bcf350b1a57885915367c5320ea96707ab8750a5a4651f728aa51926344006f5a7f8605e8076a5d2d68172a65b4dfb |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240508-en
Max time kernel
296s
Max time network
315s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z6GDPrZnMG9e.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1084 -ip 1084
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 1932
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JbGXZppQQMFA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4576 -ip 4576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1640
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wXJjmGGdY3N8.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2984 -ip 2984
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 2252
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9lLmzzMVC31j.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4384 -ip 4384
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zrn75j22b5fT.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1216 -ip 1216
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1720
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSPGwfKeh5C8.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2368 -ip 2368
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 1092
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RNdjNMbYKzdD.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 2232
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V4uUEOliFP05.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3472 -ip 3472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tbSd9BsPGvqH.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4944 -ip 4944
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 932
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z6OA11HSWUXj.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1592 -ip 1592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1668
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vio2fhiO7HlJ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4692 -ip 4692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1092
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NJPBXe0zDHHy.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5024 -ip 5024
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TxkBIDziEcgA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4332 -ip 4332
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1672
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
Files
memory/1420-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp
memory/1420-1-0x0000000000AD0000-0x0000000000B3C000-memory.dmp
memory/1420-2-0x0000000005B40000-0x00000000060E4000-memory.dmp
memory/1420-3-0x0000000005630000-0x00000000056C2000-memory.dmp
memory/1420-4-0x0000000074B60000-0x0000000075310000-memory.dmp
memory/1420-5-0x0000000005590000-0x00000000055F6000-memory.dmp
memory/1420-6-0x0000000005600000-0x0000000005612000-memory.dmp
memory/1420-7-0x0000000074B6E000-0x0000000074B6F000-memory.dmp
memory/1420-8-0x0000000074B60000-0x0000000075310000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1084-14-0x0000000074B60000-0x0000000075310000-memory.dmp
memory/1084-16-0x0000000074B60000-0x0000000075310000-memory.dmp
memory/1420-17-0x0000000074B60000-0x0000000075310000-memory.dmp
memory/1084-19-0x0000000006440000-0x000000000644A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Z6GDPrZnMG9e.bat
| MD5 | b1f5c6dd33110476f17cf17c594defd8 |
| SHA1 | 19036788ae5a0c3388d7dd1d455962876b8209be |
| SHA256 | e8c51bdbb43d345739927a144c33d21e720ffe61f0442996fd7808001f09a023 |
| SHA512 | 728e962ae9e340d07715e36cdbae7bedec80f96dfe73fae794ac3a3ef57ba924902e7c26c35b95607be9b7c4407ad00c1373ee4a1d1e546047d677b87f9a6d29 |
memory/1084-24-0x0000000074B60000-0x0000000075310000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | a7bdfad765822cf3f98ddd05a7004d4b |
| SHA1 | 7661fb98fea801ca32430b85cf9ff7b407920583 |
| SHA256 | 70b05e3b2387b68f9116a73edbc215b386a45f5bfa9a4c8ef5ba0e7d4639fc7d |
| SHA512 | e8394ea55d49a3591931096cf870d0ea7ef2306de033d8857f21c1684c5d826e598394e9efd03a6b4e5235e6fa0152fbc7224477f293cdca37641d3991920302 |
C:\Users\Admin\AppData\Local\Temp\JbGXZppQQMFA.bat
| MD5 | e0ae9ac29fd2ceebc5a37c277a6bd191 |
| SHA1 | 9c5ac24b28bba1dc1b0be2671d9ea53b394cc715 |
| SHA256 | b3e477a983fc8851bb96bb8a6abdb543286df1762a0f063fa881c55f39a1b5c5 |
| SHA512 | 639af3aa4a532228793e379d5d6e22c3c2d5efc3d6142c768270e316535cc2dc25a38f69c94050db731d4bd39d8e69a2d6f67d0816a1075b3f1a18012d4e5a10 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 0e29f81d904552dc1a4d693a9a9f0eab |
| SHA1 | 0520544896571b6acda5d3ccc10c278687ba4155 |
| SHA256 | 1bd6c690a8b507adb577e7cbb81297d4373d102123ffc38cfd8374eb21843bc3 |
| SHA512 | 11efc6b698da6202484879a90123fa0516600be3609ac294d929f2244bd8e94bdbd85ca077636a8706c5a679b965f6726bdf4b54dcf2d7d277a246dbb814d2d8 |
C:\Users\Admin\AppData\Local\Temp\wXJjmGGdY3N8.bat
| MD5 | c7f9e8567737d45fb578ad3a45c2b51e |
| SHA1 | 5dd683c13bd551171a288efd2b1323c4094857af |
| SHA256 | 0108b6f51350aba320b2928bea91b0bc0f3581f2786913877fc2ba238b415ce4 |
| SHA512 | 4ce3c13d4f9c791860c88b148bfe388f871f1a20966150fba5aba966377d51666a1131e6f5ea2737e90505c136067147befcaec62c5d37fcb5a93a72907c5ff3 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\9lLmzzMVC31j.bat
| MD5 | c7c7f2dd1d5d870f2293f742f91f710a |
| SHA1 | d121a353cc27bcaf6b71b2074ee3409d8bc8fb22 |
| SHA256 | b684e0252e6e4b9b672b256fdb53cbbb945e0d7f730b24dcbe00e69b957baef8 |
| SHA512 | 1f161b31f3d483445151c6de8024d38082cc7ea4f19f3cc38cfc5be55d75ec4b1737d20fe045cb9ae99da0ef83ded27c15c1ea910a9d889f01ed4030c2e0619b |
C:\Users\Admin\AppData\Local\Temp\zrn75j22b5fT.bat
| MD5 | 7e959b1d6048fabf12e5d8c7cb8bf05d |
| SHA1 | 08e2b0b9bde27c397f6a5f57ecbdf853dbcea665 |
| SHA256 | 8158429643285a557d8b1988ab9218cd16a2746e5ae542000365476b04f914ea |
| SHA512 | 32c0d2bb28522dbbcc7b2c65623655e72464efc68576b91dc4e87c93451203335496d44d4f1bba708d30ae3adba8be9d479d40f481d653e702139c604a283bc4 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 2c952c2b77352c4bc113c56600f85172 |
| SHA1 | 61f8f6e8134a9d38226818382a603c2c8b56594d |
| SHA256 | 9774ea02fee9bf0e3f4d75d9001b9d5e6e99b7289e6414c4abeb43dd14e79efc |
| SHA512 | 454e0002050cf635f7fe9009d94e5da93fec9a588480d7390a416e6936d8b5b3461a5cec1601a83949e337023d951010667bf55215d373d697258da6d0d52d7d |
C:\Users\Admin\AppData\Local\Temp\sSPGwfKeh5C8.bat
| MD5 | b8f288e1449ad03077573cf4fb0ee12d |
| SHA1 | f0cedfee5fbacfd3f1a446aafc8e1459bee564e0 |
| SHA256 | 54334848d374592a584fb7068a1683e6066621adbf2860e2fce4f40d25cfcb3c |
| SHA512 | f74c3f287f5efbca954cc8a3fa5020638686433ada48afd1fbfd125e7ab8661a1e6ddd51bcf64a9320de6f0b77e31fb858a2cfe163232bb74b108c5a67cb2912 |
C:\Users\Admin\AppData\Local\Temp\RNdjNMbYKzdD.bat
| MD5 | ba924285308e2f55154e20836d899c2b |
| SHA1 | 31c94f5b4add154c6725dedf4baa4ed6edb73fcc |
| SHA256 | 98173837bf0082cb83f9ba62b2f90d0e30881b301987ee25c7eeb2f93507e8e5 |
| SHA512 | 12f55b64e53438512e9413ead0a35a34ee4c8eae73aa74913d10f38cbb0925e00ca347a3e02bf845e3f68650466e2b23e39ce55f7bba02cc4afb962c55e67bf9 |
C:\Users\Admin\AppData\Local\Temp\V4uUEOliFP05.bat
| MD5 | a68d9ffa1a856eaf3a20a33159b9e7fd |
| SHA1 | c8bd2a850ecf3de04c85653d06ade32051126f5f |
| SHA256 | 51c9d666ce886d1110339e2fcad7a96cc2bdc6701ef96529e6901b8276359d57 |
| SHA512 | dcbdffa6bb6b1ad6a10c76760bfebb532ccd0d121339d5b1992ec5b10247b80b63df77e914c404279fde5144a7fb69b0479212eca24965af2fb9de87c0b688b4 |
C:\Users\Admin\AppData\Local\Temp\tbSd9BsPGvqH.bat
| MD5 | 409e3793abb4cd7435599e6629f096a0 |
| SHA1 | 6d121a7ee60e28cc8175e69d3cb958a9c31bbb27 |
| SHA256 | 4918944c6dc4511685b233e6e6f5c608a29204058451765847ae8056d12ce971 |
| SHA512 | 77f744d72f94551086d3c052ce84a8055346a3a2994e590f372fc5127d4bf50d2937dfb429777bc1942235e79dc9e7f3338533e9e926644c3e0b8189f275a7fc |
C:\Users\Admin\AppData\Local\Temp\Z6OA11HSWUXj.bat
| MD5 | 670baeab3b7bedf15425ac64a5f43f0f |
| SHA1 | 54876d2952b9c4161c0c0694fdd3d6663dffdc29 |
| SHA256 | 3dac443e1ec600c31f97da457eb646951467d53a4707dde3e9c0e125abb4e751 |
| SHA512 | 4b59b1cb2eb3f4285f963bfa4e8bd07efe76737ad8284813bac271159b2ac85ef4c1cdf640a4d8046067e5b5f7ff9e207de92069901f16c0cc34854d8033efde |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 65070af4a805a2499a3a50f2a8cb8464 |
| SHA1 | 623e4a166ca629d3479a70c02455e7626487a8eb |
| SHA256 | fed85c3c62a1d6fcc2370e25be33781b08d71d86fe2ef028c24cff9b75904650 |
| SHA512 | 86099727f67c9c7ef73dc5bef99170a4014b72b4087e3b1b2103a1a37b92a757ce221fcd166354cf5a566332692fa6e46e8f82772b9e74376a912095a85d5d18 |
C:\Users\Admin\AppData\Local\Temp\Vio2fhiO7HlJ.bat
| MD5 | 0c07aab2d579520d4cc150f621b17392 |
| SHA1 | 546b2cf232ca66f8369f9213beace8c0522cf56a |
| SHA256 | 45b87288415080a3a152d75d554937374b383b03f2547e4103d32f463f8fbe42 |
| SHA512 | 2c2d844b3e4195fca453971abe5ff7d416fd692df4b572ba59ae8d0f984d5ec4bdb2f33a319d08405c84d1f750b4db7067c8f3797117513611482eebef4aea4b |
C:\Users\Admin\AppData\Local\Temp\NJPBXe0zDHHy.bat
| MD5 | 4da537a182e4eb5c483597358e291004 |
| SHA1 | 13caf834a9c4f3796acbd58a3827224fef375167 |
| SHA256 | 6845b3adbe892e01f168566d5bbe7b00b235b48ab5ffc0bacb7d8a8804989c25 |
| SHA512 | 77972fe94e02eee74d0b475de9f799f3408fc2104cfb1e83561de6ffcddfac4949b0e963e626fbfc89f1a4f2847c6af8c64cba575a5eae722325d97fde315ffb |
C:\Users\Admin\AppData\Local\Temp\TxkBIDziEcgA.bat
| MD5 | e3e4eccbde3a230773958157a3a3865e |
| SHA1 | 8f97e21ba46511d50b7ba969b666c53d7eaa45b6 |
| SHA256 | a0e14be9bbc7f896079a568ac571104aee9d3a491d9d1f2c144f1582426e07f7 |
| SHA512 | 601ab5036906f7d4152f57375b03d9d2917e6aa8d2760d322734f9c8cef7ecc6d4e568c001d3a1e50a469f1fe8f7b4125b7290cdf0a91a8c33230e8f6d2e3e61 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240611-en
Max time kernel
238s
Max time network
301s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.218:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4276-0-0x000000007526E000-0x000000007526F000-memory.dmp
memory/4276-1-0x0000000000990000-0x00000000009FC000-memory.dmp
memory/4276-2-0x0000000005900000-0x0000000005EA4000-memory.dmp
memory/4276-3-0x0000000005470000-0x0000000005502000-memory.dmp
memory/4276-4-0x0000000075260000-0x0000000075A10000-memory.dmp
memory/4276-5-0x0000000005510000-0x0000000005576000-memory.dmp
memory/4276-6-0x0000000006110000-0x0000000006122000-memory.dmp
memory/4276-7-0x0000000006650000-0x000000000668C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/884-13-0x0000000075260000-0x0000000075A10000-memory.dmp
memory/884-14-0x0000000075260000-0x0000000075A10000-memory.dmp
memory/4276-16-0x0000000075260000-0x0000000075A10000-memory.dmp
memory/884-18-0x0000000006F80000-0x0000000006F8A000-memory.dmp
memory/884-19-0x0000000075260000-0x0000000075A10000-memory.dmp
memory/884-20-0x0000000075260000-0x0000000075A10000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240611-en
Max time kernel
236s
Max time network
298s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (102) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.131.50.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/808-0-0x00000000748FE000-0x00000000748FF000-memory.dmp
memory/808-1-0x0000000000460000-0x00000000004CC000-memory.dmp
memory/808-2-0x0000000005460000-0x0000000005A04000-memory.dmp
memory/808-3-0x0000000004F50000-0x0000000004FE2000-memory.dmp
memory/808-4-0x00000000748F0000-0x00000000750A0000-memory.dmp
memory/808-5-0x0000000005110000-0x0000000005176000-memory.dmp
memory/808-6-0x0000000005430000-0x0000000005442000-memory.dmp
memory/808-7-0x0000000006230000-0x000000000626C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3100-13-0x00000000748F0000-0x00000000750A0000-memory.dmp
memory/3100-14-0x00000000748F0000-0x00000000750A0000-memory.dmp
memory/808-16-0x00000000748F0000-0x00000000750A0000-memory.dmp
memory/3100-18-0x00000000065A0000-0x00000000065AA000-memory.dmp
memory/3100-19-0x00000000748F0000-0x00000000750A0000-memory.dmp
memory/3100-20-0x00000000748F0000-0x00000000750A0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win7-20240508-en
Max time kernel
297s
Max time network
305s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RmjAHMXzf5he.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\naEgPtNf5Syy.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ANjCXQDLWqGH.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FabX8uO5v17Z.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/1724-0-0x00000000743BE000-0x00000000743BF000-memory.dmp
memory/1724-1-0x0000000000C60000-0x0000000000CCC000-memory.dmp
memory/1724-2-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/1724-3-0x00000000743BE000-0x00000000743BF000-memory.dmp
memory/1724-4-0x00000000743B0000-0x0000000074A9E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2136-12-0x0000000000F70000-0x0000000000FDC000-memory.dmp
memory/2136-13-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2136-14-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/1724-15-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2136-16-0x00000000743B0000-0x0000000074A9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RmjAHMXzf5he.bat
| MD5 | bff54bb6f4c3f42a1555c04e2d4e8ce0 |
| SHA1 | 14fddbfef7d62760e43e9cc76d36bf164e80d8ab |
| SHA256 | 056b7fd75497d47c536963d8504884b01c090800c4895620776ce8ba86af3a52 |
| SHA512 | df0f738c842188d7d3102f4030065daa7db20755cb84867ac53aaaf261fe61da49ae8e9dc1f945b46795abd7172a6114a23cc6aff71116f585d10d185ad5c9cf |
memory/2136-25-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/1420-29-0x00000000013B0000-0x000000000141C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\naEgPtNf5Syy.bat
| MD5 | fc58e7b7fdecfd102a5e437bd886edbb |
| SHA1 | a23a6bde7d03285cfeb08b4bf9d55343c894bef7 |
| SHA256 | deb13e13e71de4fc9b68bac2baab4ab11a0a0fa191bce818804b79e5ef1eb028 |
| SHA512 | 39da5716962bda55b39538e40df896b62ba8b99f99c55e7a080f9fb74f3a80c71dbd72edb8046293c20a67714c7a7e395d5189bec0ec5d82f4bfab9ae347432d |
memory/3044-41-0x0000000000340000-0x00000000003AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ANjCXQDLWqGH.bat
| MD5 | 3c6e004c8edfd551bbbbea5f1cd114e2 |
| SHA1 | c41c8f35ec9eeb652f58aad97645c9b3672769c0 |
| SHA256 | d825bc510b6c47717ed7e313e6eeeedbe174aa846735de6e78172b3330dc9222 |
| SHA512 | 15ab70e77f5a0ca1c55901aa06827edc9cee31918bca8763ba99a0ffbf10e20a7d6f11991a3f8735b49169290e04cc5036ff408d0cc28bf50ac5a17f4f7d1c61 |
memory/2488-53-0x0000000000890000-0x00000000008FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FabX8uO5v17Z.bat
| MD5 | 95bc1ca9db7298fe2f2b91ab8af20f20 |
| SHA1 | f08c0a624a478ef3ac7d2a6f1dfef7076920be20 |
| SHA256 | e9bfdfee5bd10dd39ee17f184262369c8db1a62040e670eaed40da5c275738a8 |
| SHA512 | 792171272e4ba4f61803cafdadf25d5b8c398303c82aa91998388c2729295fcc7b54eded02e0aee9e354f9aed2e6b1d0490c2a34788b3029e1ab7db50e1798a8 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240611-en
Max time kernel
261s
Max time network
299s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 2.17.107.130:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 232.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1208-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp
memory/1208-1-0x0000000000840000-0x00000000008AC000-memory.dmp
memory/1208-2-0x0000000005780000-0x0000000005D24000-memory.dmp
memory/1208-3-0x00000000051D0000-0x0000000005262000-memory.dmp
memory/1208-4-0x0000000074C00000-0x00000000753B0000-memory.dmp
memory/1208-5-0x0000000005270000-0x00000000052D6000-memory.dmp
memory/1208-6-0x0000000005E50000-0x0000000005E62000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4584-12-0x0000000074C00000-0x00000000753B0000-memory.dmp
memory/4584-13-0x0000000074C00000-0x00000000753B0000-memory.dmp
memory/1208-15-0x0000000074C00000-0x00000000753B0000-memory.dmp
memory/4584-17-0x00000000072A0000-0x00000000072AA000-memory.dmp
memory/4584-18-0x0000000006AF0000-0x0000000006B2C000-memory.dmp
memory/4584-19-0x0000000074C00000-0x00000000753B0000-memory.dmp
memory/4584-20-0x0000000074C00000-0x00000000753B0000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:39
Platform
win7-20240611-en
Max time kernel
236s
Max time network
294s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1524-0-0x00000000748DE000-0x00000000748DF000-memory.dmp
memory/1524-1-0x0000000000F90000-0x0000000000FFC000-memory.dmp
memory/1524-2-0x00000000748D0000-0x0000000074FBE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2748-10-0x0000000000080000-0x00000000000EC000-memory.dmp
memory/2748-12-0x00000000748D0000-0x0000000074FBE000-memory.dmp
memory/2748-11-0x00000000748D0000-0x0000000074FBE000-memory.dmp
memory/1524-13-0x00000000748D0000-0x0000000074FBE000-memory.dmp
memory/2748-15-0x00000000748D0000-0x0000000074FBE000-memory.dmp
memory/2748-16-0x00000000748D0000-0x0000000074FBE000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win7-20240611-en
Max time kernel
296s
Max time network
321s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1944-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp
memory/1944-1-0x00000000001B0000-0x000000000021C000-memory.dmp
memory/1944-2-0x0000000074CF0000-0x00000000753DE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1636-10-0x0000000000DA0000-0x0000000000E0C000-memory.dmp
memory/1636-11-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/1636-12-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/1944-13-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/1636-15-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/1636-16-0x0000000074CF0000-0x00000000753DE000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win7-20240611-en
Max time kernel
235s
Max time network
293s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (102) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2208-0-0x00000000744DE000-0x00000000744DF000-memory.dmp
memory/2208-1-0x00000000000F0000-0x000000000015C000-memory.dmp
memory/2208-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1976-10-0x0000000000E00000-0x0000000000E6C000-memory.dmp
memory/1976-11-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/1976-12-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/2208-13-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/1976-15-0x00000000744D0000-0x0000000074BBE000-memory.dmp
memory/1976-16-0x00000000744D0000-0x0000000074BBE000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win7-20231129-en
Max time kernel
161s
Max time network
295s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (104) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
Files
memory/2884-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp
memory/2884-1-0x00000000003A0000-0x000000000040C000-memory.dmp
memory/2884-2-0x0000000074B20000-0x000000007520E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2624-11-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2624-10-0x0000000000EC0000-0x0000000000F2C000-memory.dmp
memory/2624-12-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2884-14-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2624-15-0x0000000074B20000-0x000000007520E000-memory.dmp
memory/2624-16-0x0000000074B20000-0x000000007520E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240508-en
Max time kernel
298s
Max time network
309s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uRmkRxfaOR19.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2384 -ip 2384
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1656
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSgpskp2rmIR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1036 -ip 1036
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 2196
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukSOxfHfvfca.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1668 -ip 1668
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgVaB7jt4NkZ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 456 -ip 456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 2248
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2avJo4qTBTUk.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4796 -ip 4796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1696
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VvRioczDAigQ.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4972 -ip 4972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jDEHtXSqFbza.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4612 -ip 4612
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1660
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUAW9gDGiUXA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4456 -ip 4456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 2180
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boqQlUjSKbWF.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1824 -ip 1824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 2180
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m5oG4e1mtg8V.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3264 -ip 3264
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 2232
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egQPvbJOygfA.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4140 -ip 4140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 2224
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QhJUMOTqR0wR.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4636 -ip 4636
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XPOz0AoJsE0D.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4628 -ip 4628
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2248
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vExpRlBffib5.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4864 -ip 4864
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1720
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
Files
memory/1068-0-0x00000000745EE000-0x00000000745EF000-memory.dmp
memory/1068-1-0x00000000009D0000-0x0000000000A3C000-memory.dmp
memory/1068-2-0x00000000059C0000-0x0000000005F64000-memory.dmp
memory/1068-3-0x0000000005410000-0x00000000054A2000-memory.dmp
memory/1068-4-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/1068-5-0x00000000054B0000-0x0000000005516000-memory.dmp
memory/1068-6-0x0000000005960000-0x0000000005972000-memory.dmp
memory/1068-7-0x00000000745EE000-0x00000000745EF000-memory.dmp
memory/1068-8-0x00000000745E0000-0x0000000074D90000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2384-15-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/1068-16-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/2384-17-0x00000000745E0000-0x0000000074D90000-memory.dmp
memory/2384-19-0x0000000006210000-0x000000000621A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uRmkRxfaOR19.bat
| MD5 | f0975b3274fa09c74e9789804c185b1f |
| SHA1 | 68f2a3072489fc43abae82cdea92f46a865f6a85 |
| SHA256 | 829df18ceeb70b4962186de934abce77519d479f24f97c6df84d97c6c6ef978f |
| SHA512 | 122a4588897cbf4d1b8a250c6a7f06ef30cd346f447003b05bee0d41b2d7e4b47ac7079fef6436e1bbe9271e427976f681a455597ba8c9c136fdc5ad31ed7509 |
memory/2384-24-0x00000000745E0000-0x0000000074D90000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 63da7970aa3146eb91c6af6d79bb42c1 |
| SHA1 | 1b2e1240ee5d6053f0578586064201f559a4c7f7 |
| SHA256 | c139d4efe33aab6d1ce017569fc7e1cd0a6738346bc23344096f2fb51e6b0b6a |
| SHA512 | a50b128c984aea76f8ff5bc6dcf53c93b8661a26e67913fd350f9145b4c91152b138bb46febc28e5fe58f6f4b7fdbef8202d916f413a8c40aa8b61d7eab7813d |
C:\Users\Admin\AppData\Local\Temp\fSgpskp2rmIR.bat
| MD5 | 967ecfad66639dfe8a680795a2c12d53 |
| SHA1 | 78718c4decc47d8a390eaae26956c41d152080ce |
| SHA256 | fdaa4c2812ae92defb28c7d42057f433e42864fe3aed8af095e870fbe666bb9d |
| SHA512 | 8420ea7396a274bee3e1d076588294805fc3c8379ec71dc4cad5ab908976adb3080e934ddabcd67b8c8ec074abfae75ef657b9cef93eeae03a09deb651d481b6 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 6d4369724679450e30d1045f8a600a88 |
| SHA1 | 2088d6f2877aab63cab8bf92b2609413fb16f151 |
| SHA256 | 0832b3a92e61bc2139a2a35a94c8eba62ee821d324af75e9756dbd438d809f9d |
| SHA512 | a5a1228927d56631a07959ed884b9088b846152fd2ea9217339166c9f22bff5897811994c1f1fb9b84fa38af02253ee33f0cdfd2f219b93512e879bc3e9cc57f |
C:\Users\Admin\AppData\Local\Temp\ukSOxfHfvfca.bat
| MD5 | 0afe1b9c6cf09e4d0708fdf0c192ee41 |
| SHA1 | 2527ca2d87546b24d5d959534a3d078556421b53 |
| SHA256 | a5f21ea6deafaf87cc524116021533aec5b477a512efcaca11ad7926da4f5963 |
| SHA512 | 9bd8b3cb7a24fb242637b8abb1700aabab4f9e4147187142afc50c7c25f5d3ed9b91c932d5f01c2a1b5b0c7e0ecb51d8ed2ba5b3fef84c80565d2b5e0bd7a039 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 5e47b7e92ab8a19cb82a4aba144b0273 |
| SHA1 | 852599d0d757e40ef4bb26a40352dc4f977a0b1f |
| SHA256 | ca6b9143aca14056cdcc9cd4da02716aa00250333ddc87d0df20406ab39e6277 |
| SHA512 | e819c2a0d1763ed1c6ff3ea1304ae961b1110b20d943955a20354831b69eee69e1e2c486d151493e3d0b1a9726a4a3ff3aea2b1e4debcb2f3bd2237ef5e389b0 |
C:\Users\Admin\AppData\Local\Temp\WgVaB7jt4NkZ.bat
| MD5 | 86bf98090e656c6fe3623f76e7173df8 |
| SHA1 | a1a5ec50b18cce68a8b4466b1e41ea7ab01373e2 |
| SHA256 | d5b73fdecdbe4c04aba735f3960d87ea019b3de3e476ba1040a1632d5fd587bd |
| SHA512 | 2f6a79f027e047aaf6388afd2a2cce3f43f9009f00ec9f563bc9ea1ade1aad7b3caaa2c88f1f1ef909f4e4b84c19da2a9da4c87255c25458357e8c91b5fd76dc |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\2avJo4qTBTUk.bat
| MD5 | 8e439698069e8825c2b68dd8ec878536 |
| SHA1 | 6b0e107149dbec3c2ba028cdc1a9cf169e54fe85 |
| SHA256 | 501374ce65c90fd66668141252fa76fa1bbc9acf3f9cba9e4dcc292c587b1764 |
| SHA512 | e99b224d5b603a0a901674bcb109adb41b34c8738b15f9e64bc8bac570ed8d29dc8895290621d3c48061f102efc2d7901b7312f12e1d9519309c19c20b724dd1 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | bae8e79550ef336b500b3677fa32f31a |
| SHA1 | 00a992ce6e052ccf679be6162db8b29e0e63ed84 |
| SHA256 | 6d2b5e9154bc182b621e2a733e0a38146065012d4292121f693e2fe4745afbb9 |
| SHA512 | 418498dabcf683074a981f5010d1749d06773b364cff6ace925e704d38c2825134b00630ecc03f6de8325aeb50cb9620b49730e37cc4922ddd1c9beba696c351 |
C:\Users\Admin\AppData\Local\Temp\VvRioczDAigQ.bat
| MD5 | 3b2bb1df38be4d476d56835eef1c7b2c |
| SHA1 | 7eb3070c3b27690b36de50d50934c832434fdea0 |
| SHA256 | 0c356ae5cd977ec47c4367c8d77ccfb38065ef789bd58c2a2549cb5a2262b59b |
| SHA512 | 60c3ccd645c868121dd96cbaf134684971951f9386211b1c7b6da31e11e64cf4dbacf5288cb11f11580cad96b91516b9374b9e7b33320d4f23b5998deca69a78 |
C:\Users\Admin\AppData\Local\Temp\jDEHtXSqFbza.bat
| MD5 | b1fcc62d66e31937e4fe601d0b1f1013 |
| SHA1 | 47aa5fbda021a5088707e1723d29ae36797ecd7f |
| SHA256 | dccbd8beae0c7f1557a8a45031720beb555db776353134c507783a5419e42bee |
| SHA512 | b69077a5f41748e85cddb18aca275181c7f010af69a05a56d5a8149a38d0a171776fdfe25f9b22b4aa1b408846fd35bc744c08e05652534a0b3ef76cd584f474 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | 3415fcd350d9dda71f95b8eb7cc93e5a |
| SHA1 | 4aef985e04195e88e87c4f7c7c4cc45b4d57fe21 |
| SHA256 | 3920cec23feb35b59d26ffa673f2f8ff706b8c846b8f6fca54fdec68cf49b91b |
| SHA512 | 168ee5e6779a22ebca0b30a2219a9e4e782e005ee9df03031c934f47b695d72bac4a4897d68e6395e485ed4be9aae538772febc69ac08d68838b32d1a98707f6 |
C:\Users\Admin\AppData\Local\Temp\rUAW9gDGiUXA.bat
| MD5 | 70c7ea5046ed60658dd928519d5c1b9e |
| SHA1 | 9b8a04f81f08defc7a7bf7ebde1a04606a7334d0 |
| SHA256 | 754b3cd1e40f12f53cfe3e5422ae58100d26d77362dd0e07e2323bc9c37b3306 |
| SHA512 | ca0bf7616109fbd560be0b6388d7304d2560c64dc1f299bd032d90e53723c3edba023773420fe41ace31ad51e7cca34ec1c07c1cc9191388159bdb09489ffc56 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | ba9e4a590b284ac6c884999f968b493c |
| SHA1 | 0a9568aa6b68f3f98babac09eafe3576c59b7766 |
| SHA256 | 4687ec58ac09d7b5f790fd65b5f917531402204cc72841a79c1851f6d081e0de |
| SHA512 | a2219a6ce92a55d02bb860b0172a404268c9424a6b4791afd95c6ec3118d7804aee2a61225e858ffe2d360ade7a3e06bf945b0ccb66b0097f5ac62f0f0001e8d |
C:\Users\Admin\AppData\Local\Temp\boqQlUjSKbWF.bat
| MD5 | 860a873cb759685e826392bc6d3a0fdc |
| SHA1 | 1e83a56c3fceee423caddf01d5a848ddfdde00b8 |
| SHA256 | 76de3302da6d02fdcea44f80e2f7f8ec51fc4bb46c553d44190c3ee6fcca873c |
| SHA512 | 224c3e73d006c56377728db43dda751af251485246fab29124ead3c6be6f3e65b46f915aafb94ced365cf3f580007a7fe6e04850b4d91ed0aef36c9f3c69d634 |
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
| MD5 | a2bcaa5f72969bc5799fdddd6be47efa |
| SHA1 | 0c8856d2429496b3fe27d658110bce8f4cde45b6 |
| SHA256 | c0811b6a49be218bdaae63d96fb8a611c0f20839a3fe26385c1f05a9d1a5b5ae |
| SHA512 | 538960c7bc650ec65e70a01798d75accfe6727a1968333746ed52449c4d7b6aeb75285622ea3c18340d1aa0e55ac4a4bb16a62c387a2d990ae61966d0c32568e |
C:\Users\Admin\AppData\Local\Temp\m5oG4e1mtg8V.bat
| MD5 | 7e08380bb484f241d7a9bd5e69481961 |
| SHA1 | 7189a7ece24961ed6f3ed30fba46f8a29467df13 |
| SHA256 | f94b38275326f3471304642a9b19cf36802c75a4d0edcf5870e9a420b45e8c9e |
| SHA512 | 70cf181d2796934259533fbb3cda999c5a68be08ab11efab24de9e6e6b8ae3702291adf139bf47d64b4ba650b5eaabae82c8019856f3e736f2a9bc75c6f3c650 |
C:\Users\Admin\AppData\Local\Temp\egQPvbJOygfA.bat
| MD5 | 2c0665e6c46afce2c0ff30318b40dd6a |
| SHA1 | 460f2f4c49395507841ee5a18cd5f0ef2e5bdb77 |
| SHA256 | b2a8b20985965fac73b0cc93fc0e9290897ba7a582f37cc5b66a7b7380e85e6b |
| SHA512 | b207ecab4ea375ffeece8c6a78d154bffd0101550076b294570534aeaadabf78299f9bd822cceb0859a56bfebd63ec6e9169c2c3a5c34e030ba22c1fe758d576 |
C:\Users\Admin\AppData\Local\Temp\QhJUMOTqR0wR.bat
| MD5 | 476460a2dfa43a696246d6c127733998 |
| SHA1 | bbb218a9393f40e0f803c61029168589293b170a |
| SHA256 | 16e466e87b1b39c0d8c6cef7ff8c43b5de7db4543d47e536b70cd73323190a6c |
| SHA512 | 8fe4a3eb20fe10eebead8ef65850b15cc62eb9681042654e5f5c75f5e988df42c63f6b68f6c67edc6a9fdc1b7ea484808ae7bf0f7e9aaabeaf0e10a849b59fc2 |
C:\Users\Admin\AppData\Local\Temp\XPOz0AoJsE0D.bat
| MD5 | d173b887eee0651ba4ba6f4799c96cac |
| SHA1 | 257cc3d2c403073ad14d03222d9da8b4433c358c |
| SHA256 | b58e6c59ff91d508e5a789813ba45da76b40ded507c9a224cf48cce0fb3b64c3 |
| SHA512 | 6affd9f15ab20219c00a5e1fd15f88d01e42a1c3657e5d86795517e33273cb957c997b6843d11e219c0656dec323776327a604267b6a61fd23530e02bde64c38 |
C:\Users\Admin\AppData\Local\Temp\vExpRlBffib5.bat
| MD5 | 4b68a94235f2d085b7cb22ab2cff5d25 |
| SHA1 | ce41cae3ab7342e6653b4727da4ecf345979cfbf |
| SHA256 | 350dc800a28a854e9b33f5d88bbdb6dab48e8277cb72ba4b42375330285a6921 |
| SHA512 | 853ce344fc22975338009626dc841829cd2993ece52601064c053cccb3078a40c75e113db5addfde2a4d7d4ac75e442f89df24358c91a377413a064017a8353b |
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win7-20240508-en
Max time kernel
297s
Max time network
305s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (103) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IhsH40olLSYM.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uAwkq2Vpi7EM.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iAaElUHvLAty.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8zuTglHvIMrB.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | github.com | udp |
Files
memory/2060-0-0x000000007482E000-0x000000007482F000-memory.dmp
memory/2060-1-0x0000000001090000-0x00000000010FC000-memory.dmp
memory/2060-2-0x0000000074820000-0x0000000074F0E000-memory.dmp
memory/2060-3-0x000000007482E000-0x000000007482F000-memory.dmp
memory/2060-4-0x0000000074820000-0x0000000074F0E000-memory.dmp
\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2036-12-0x0000000000030000-0x000000000009C000-memory.dmp
memory/2036-14-0x0000000074820000-0x0000000074F0E000-memory.dmp
memory/2036-13-0x0000000074820000-0x0000000074F0E000-memory.dmp
memory/2060-15-0x0000000074820000-0x0000000074F0E000-memory.dmp
memory/2036-16-0x0000000074820000-0x0000000074F0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IhsH40olLSYM.bat
| MD5 | 53f407d16a558393d2e2acd088c1b1ef |
| SHA1 | dc0b8277ade2b34a1a822835cff97bd986ddd421 |
| SHA256 | 6f0e870cb5f2e30cc47632f00480f9fd958bc8ab81a05c0256b00d394ab5972f |
| SHA512 | c5101000000f9c2feba4256a86b2601f592441c286b0272cb871f5310391dbc34630fc2111acbb37049262771caf5761556e92a87ca135c022302ab852bdbe2b |
memory/2036-25-0x0000000074820000-0x0000000074F0E000-memory.dmp
memory/1936-29-0x0000000000800000-0x000000000086C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uAwkq2Vpi7EM.bat
| MD5 | 6750e905b70526d7b731bbf0082f3363 |
| SHA1 | ca1b8ea51437fbe7f86d93ac3daf1dac4f893f52 |
| SHA256 | 35ca458f252100d83203b67f2c5cf52f18d4e3d5d93d32032701fdb9039d69bc |
| SHA512 | cac426711907b6decc93bdf86dd304e6d1dbdf7dc1ee3e64bd827a8dbb870a2cab4d08626a93a900bb32a40d0c2acb051b4583559be3804e277501ca5fac19f1 |
memory/788-41-0x00000000009E0000-0x0000000000A4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iAaElUHvLAty.bat
| MD5 | da5b7b89f973b4446021b81cdb527573 |
| SHA1 | 6ccbde21e73bd303facf91529bc7c7cc9761ce87 |
| SHA256 | 49809953abe132c177e9cc1457a3efd6a4fcb2474cd4e5de891176ef561e9edb |
| SHA512 | 0af8d44aa14d88a24073bdd829a0aea90bac2a400334af3d7ad1ea02994d8ee3ff56625ed1e9701772abfb809bcc87df1d9fbb5fdf9a6336a5d0dce1f2567dab |
memory/2600-53-0x0000000001270000-0x00000000012DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8zuTglHvIMrB.bat
| MD5 | 7ee78f4a2ddea9e19f8eb50ace237883 |
| SHA1 | c94eab1e4ede4d8b9d286f29a03345c280f00641 |
| SHA256 | 6d1c84edd5003073a16fc29a4051b9c6417af6674201b29be4c44307976c5269 |
| SHA512 | 9f29830a80a24985f304f0c49e6e5e780475ca3d221212a1325d3d19d7e028c9467a6f2544ccba66254702de76334a2fb08fb21abbee6179e7067ca0f656287e |
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-15 07:32
Reported
2024-06-15 07:40
Platform
win10v2004-20240611-en
Max time kernel
236s
Max time network
296s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (102) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3836,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=2712 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1700-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp
memory/1700-1-0x0000000000640000-0x00000000006AC000-memory.dmp
memory/1700-2-0x00000000055C0000-0x0000000005B64000-memory.dmp
memory/1700-3-0x00000000050C0000-0x0000000005152000-memory.dmp
memory/1700-4-0x0000000074CF0000-0x00000000754A0000-memory.dmp
memory/1700-5-0x0000000005160000-0x00000000051C6000-memory.dmp
memory/1700-6-0x0000000005590000-0x00000000055A2000-memory.dmp
memory/1700-7-0x0000000006410000-0x000000000644C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3560-13-0x0000000074CF0000-0x00000000754A0000-memory.dmp
memory/3560-14-0x0000000074CF0000-0x00000000754A0000-memory.dmp
memory/1700-16-0x0000000074CF0000-0x00000000754A0000-memory.dmp
memory/3560-18-0x0000000006F00000-0x0000000006F0A000-memory.dmp
memory/3560-19-0x0000000074CF0000-0x00000000754A0000-memory.dmp
memory/3560-20-0x0000000074CF0000-0x00000000754A0000-memory.dmp