Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Unsigned PE

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:52

Platform

win10v2004-20240508-en

Max time kernel

591s

Max time network

608s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 3532 wrote to memory of 1412	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3532 wrote to memory of 1412	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3532 wrote to memory of 1412	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3532 wrote to memory of 1348	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3532 wrote to memory of 1348	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3532 wrote to memory of 1348	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3532 wrote to memory of 228	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 3532 wrote to memory of 228	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 3532 wrote to memory of 228	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1348 wrote to memory of 4432	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 4432	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 4432	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1348 wrote to memory of 748	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 748	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 748	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 4316	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 748 wrote to memory of 4316	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 748 wrote to memory of 4316	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 748 wrote to memory of 3216	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 748 wrote to memory of 3216	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 748 wrote to memory of 3216	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 748 wrote to memory of 2108	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 748 wrote to memory of 2108	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 748 wrote to memory of 2108	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2108 wrote to memory of 2584	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2108 wrote to memory of 2584	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2108 wrote to memory of 2584	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2108 wrote to memory of 4164	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 4164	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 4164	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 4324	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4164 wrote to memory of 4324	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4164 wrote to memory of 4324	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4164 wrote to memory of 2588	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4164 wrote to memory of 2588	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4164 wrote to memory of 2588	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4164 wrote to memory of 1712	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4164 wrote to memory of 1712	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4164 wrote to memory of 1712	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1712 wrote to memory of 4572	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 4572	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 4572	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 3980	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 3980	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 3980	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 4944	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3980 wrote to memory of 4944	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3980 wrote to memory of 4944	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3980 wrote to memory of 1564	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 3980 wrote to memory of 1564	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 3980 wrote to memory of 1564	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 3980 wrote to memory of 3136	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3980 wrote to memory of 3136	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3980 wrote to memory of 3136	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3136 wrote to memory of 1776	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3136 wrote to memory of 1776	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3136 wrote to memory of 1776	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3136 wrote to memory of 3808	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 3808	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 3808	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 3996	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3808 wrote to memory of 3996	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3808 wrote to memory of 3996	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3808 wrote to memory of 3576	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8xVKh48LzsYN.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1656

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xq4jWGZiUxWy.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2108 -ip 2108

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1644

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Y7TZ1Qx4r42.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1712 -ip 1712

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1088

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMraDsezLWy1.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3136 -ip 3136

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1708

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAchrks1cBsz.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3356 -ip 3356

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PBWmHX2T5W9G.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4684 -ip 4684

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hm7v9TJ5BWgv.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3036 -ip 3036

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1708

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3rlWSTpI4jcm.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hVn195zqQU04.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 724 -ip 724

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 2232

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEgFabUeNWlk.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3804 -ip 3804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pLFw0UXegIsE.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1880 -ip 1880

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4d2V6PzHkBCN.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3384 -ip 3384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aXSEjM6srHwY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2520 -ip 2520

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1672

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4wj9c7cNHPmo.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3888 -ip 3888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pxcE2umpjj35.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 624 -ip 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xfhjgg7IBy7r.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4332 -ip 4332

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 2236

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1MyUXiHT6OUj.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 640 -ip 640

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mNsZyVSvZjl0.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3640 -ip 3640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1688

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGFjZQ2bacRV.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1036 -ip 1036

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1608

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSNffGbgp4uS.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 544 -ip 544

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1088

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Iak6stp0ddjq.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4980 -ip 4980

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1716

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BBLFjp6cjdFV.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3224 -ip 3224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCFLAcH4ByWm.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4572 -ip 4572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G00SoTU6SdQk.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4628 -ip 4628

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1084

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KhGDfVfGO3nc.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3576 -ip 3576

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMcsQeIduwzr.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 696 -ip 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 1672

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pm09cYBcDnJq.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4716 -ip 4716

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1688

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp

Files

memory/3532-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

memory/3532-1-0x00000000001B0000-0x000000000021C000-memory.dmp

memory/3532-2-0x0000000005240000-0x00000000057E4000-memory.dmp

memory/3532-3-0x0000000004D30000-0x0000000004DC2000-memory.dmp

memory/3532-4-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/3532-5-0x0000000004DD0000-0x0000000004E36000-memory.dmp

memory/3532-6-0x0000000005A30000-0x0000000005A42000-memory.dmp

memory/3532-7-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

memory/3532-8-0x0000000074E60000-0x0000000075610000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/1348-15-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/1348-16-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/3532-17-0x0000000074E60000-0x0000000075610000-memory.dmp

memory/1348-19-0x0000000006B20000-0x0000000006B2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8xVKh48LzsYN.bat

MD5	2fb77a7eb41730ecb635bdfe3be20046
SHA1	54adb844ace55d034939a3379ee530e83f331508
SHA256	ce58350087d5852d1fa8b7f7b133ab97cb83c866aaa3f74092b87d036a112fb0
SHA512	94aac8c90f1af86226d5ae34552da35a27eb70abc39169ec4b6554df2e422b3b99cad32cd2b7bfd4ea414ead12855e9ebb1d2eee7b272c1fb2d1267f7f8f31a7

memory/1348-24-0x0000000074E60000-0x0000000075610000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	61375e3b5150c9d0974fee19cd7fdf34
SHA1	cc14c07103e471e1eca4c5f944a1981e7b7fc752
SHA256	b342a9a01a69f83a6811da6fbc6e2e003b798f2d979631456ff9a21388703741
SHA512	1f9a64e32b17a3fb761adcc042015b4fbddf6e7fcae7a4e7562d97bade5b4f0bc5bfd5e2ad24b03bb58b1faf2a6df66810fa4c82f9dfd3461fbae9985833cdea

C:\Users\Admin\AppData\Local\Temp\Xq4jWGZiUxWy.bat

MD5	034432c4aab8b76f236581376e9dc35a
SHA1	9ab1b728419e2bd7f43ecd91a7fecba85cdbc349
SHA256	23c245d3d0ef4aaa162c358c4fc2df87fc5985e62fb640281bde4fc8c7546faa
SHA512	e3138db589f17ae7d50eae4a7d2116ea29e965231d14f3b7924bfa0f6a18aa1444b2b883172d79abacd82e62133d62d0fbe6a70e9ae1fbc1a02a1df4ca98eff8

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	789ab233d652a44799a2d47be8aae68f
SHA1	06488a4ea820724d459a59d6dac855b3743090e6
SHA256	65291c42e90b1fae1a56d83bccccb4fa652ef8624852162fe522af8d7ef6d2e0
SHA512	3cc2f37d09164379a4b2220ef0dae1d8a717fe242e1ec7ad5c85d868330baf150aed73ae07c237ca504673f151bbb2e0efd67688e554ac21392569a36fdf5ebf

C:\Users\Admin\AppData\Local\Temp\0Y7TZ1Qx4r42.bat

MD5	c5cdb812db7c5f95a4df7f882d54e92f
SHA1	9357bd13d520e91b8f8a2815eec808d9ee2fa62e
SHA256	0dd1c2c6df9d0d2615914692cb825a9c8032101902d4a161d60e32766132c3e1
SHA512	7c7be5905a858b7d83603469848decd5cf9e5f830bbf4be678c483524ccc01faeeebdf348820e7d6200cf1d5800d4b2af0a29057f43144da8ce30eba35946f93

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512	cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\JMraDsezLWy1.bat

MD5	1549b9d6732d09bdb5dfc12edc086f71
SHA1	95cb59810c885d8612e76f583cacd8c054738486
SHA256	2008f5beac9a3d4e63b798679b23a7f4d66bb1c4ba08bbf3378b483d2c534f52
SHA512	1258bd61de98c22877cacd445b6e3fa6790858941190590735a0fdf6b14aa41cfd6ebdac6145571ee8f56f25ed9c2518381859409f8399e8b2cefe376e2ff5b3

C:\Users\Admin\AppData\Local\Temp\dAchrks1cBsz.bat

MD5	49a05ab9d9ee7e37d36d2f147ae63d51
SHA1	49a7544639b06d30d0c7347f0cf55c84016ae2f0
SHA256	abe58eb8e11f0dc8505b97de56fc14e30c5a96ba3298a2c0025c3cb7e9cc8eed
SHA512	9c12e7308d0ce686927b71519b6c21cc498e28e59f0bdb9af0692b0ab3a549d505876187f3e411d561d769a401245acee9269e05fd63478f579e8679339a88c1

C:\Users\Admin\AppData\Local\Temp\PBWmHX2T5W9G.bat

MD5	319c30a4359aa5f880ff6d290336af37
SHA1	9b577b03903b2fbb97e4eff4d6342270bcae0831
SHA256	67de5b0729d70b09d40b28db38aeb2c2e1bc3e8802899763841a8ffccf39a68e
SHA512	fcd2c7172739bbfd0a4cf11c89ad644bc10e74c58a75f49e4f4c59383660699c41b4dff2bf8bcf96bbf9b315ce7bb6fadce3a66dd41440aae32a0cbc24bd602f

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	550defdc406882950ff92a966a0c0349
SHA1	88cc02a23efc904b0398372606170fb85bc82137
SHA256	f282a9a6f41c61f5f392fce0c2bd1dcd1cc769f9f9e2df65874cf9fed92bd4e1
SHA512	c64c92e14700a8b8346cb4bcab39fc12a7c765bb1280ba8f0bd137f35716ff08c144f9cc8ab3f16f40327af88233dc01e858ca1a950fc1829cd013b0e6833716

C:\Users\Admin\AppData\Local\Temp\Hm7v9TJ5BWgv.bat

MD5	597f27b309833032c88b4dc42db8a08b
SHA1	ef26db2702d7c9eb6cdb7085e2226807979dc83c
SHA256	f8d881a10f0ba3df9c8f6cea962950a000b5cb5e6f4ce40c668fc0acf3004eec
SHA512	b89c50d588d29087ae2797201fd306ae174c0db16e07390e14a0f3234241bbfcf5df37ae104d492f873181d85e0475d0c7393ebe1df260f86a6e4c4b3f7c08d9

C:\Users\Admin\AppData\Local\Temp\3rlWSTpI4jcm.bat

MD5	6649eba1f09647d86aa0c876ee69893c
SHA1	3c648f2cb004905bb7107b4ec1a910ea2bd570e4
SHA256	aa2245334d08a15d4c504a0a599e1d6ce97e03d47d458dfd91dbb95dbf54b7ad
SHA512	51c8e6a0a5d8da9483065c14d39c49b2e5c3369ad6ced4fbe6f188dc313d3b7fd4a64dc9baaef6fb409ca71691623a0418576007b179b9df4ebe0507634e39d0

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	a645fe501d50bfe3a79b7d9cd3c15905
SHA1	cd10be40c4edda3ffa09c5ea4ed9d0c7523f3052
SHA256	00b94e0a66535f13ed3855d21c3ac321c61c8fe9bd61c0d5ff1533c39977c0db
SHA512	ccf9b2bedf207d9377902fd9808c104d39aa09bd06072ab232832ceee1cebe70bf9d4a104032926dbc4f1772be46b2f927e829930ca2a158dbbd55a637ae86f5

C:\Users\Admin\AppData\Local\Temp\hVn195zqQU04.bat

MD5	a1ecc3acbe7d7efecc4340e727148b02
SHA1	e4c957549d1003aaed4a443d1e9b3a67bcf48767
SHA256	5026597f2de6e4587fd544b595acba6abec1cefcfd6a1f56a52d373c3376ba92
SHA512	fdee1a331e0dbe1010d4f16eb67826a67ebf43ff8ba5e16cd7c059042d0cd531314a2247d01cd23f55de977e9254b5b1b3a4a430a4a4a5fd12fcb92c4675efbe

C:\Users\Admin\AppData\Local\Temp\sEgFabUeNWlk.bat

MD5	df91acd44e98c114c832cd63061646d8
SHA1	7c889c3c51bd79cac904759869a8210eea320049
SHA256	d5685a6c19d3fc8fd4f82ac2bf94e73ce28ae0f5f563c7d0fecf4bba8483672d
SHA512	89400a1570bed6f05ea531c8fafead52997b7aaa92b48ce93017a8a6f7eb28252c21011741d876aa770bdd318eb2e55b65f506c28ceaded2e71afeb6260ba949

C:\Users\Admin\AppData\Local\Temp\pLFw0UXegIsE.bat

MD5	4ff43a18e6545bf4d053eda478584ebc
SHA1	840acc065ef9bde16f9b85475c6bd5b2ad4f121c
SHA256	350689e461ad84b1841491d2246ea32fbb330e9696ee94353ee4e8e6c9252672
SHA512	69e7a88e6c4885fd485521dd9a0578a118857a81a60150b91addc7a56acb940fbfa53c5f246d549df9af5f7f649e51cd466921bc5d86db3e60189f17fff8c14e

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	5ed09496a054e37734f32547cb56522d
SHA1	cc86e2095755cfe03476a658e64f8408c774b864
SHA256	f65ec7edb28fc084584dd5322d55f33c21e492af5f39d3fe91346e7cc36c36de
SHA512	808af52fd413c1ce8af46c4dcfa8b8260e016b7d90f560afd9f1a0dd6d759583acd20befd981b8c5bbfef0da98c645dd16b42bebab812f7e8e309ff28302e70d

C:\Users\Admin\AppData\Local\Temp\4d2V6PzHkBCN.bat

MD5	f7dd8f696ad07af4f6978b1aa8790d1e
SHA1	487a1a49a603fc0e077b5457cb3f3bf6c9cb6e26
SHA256	2960d711b1e179e1254487c2e8350bee9be850f70006635154f0b7e099852b2a
SHA512	5bae2e1b350bf99023762e2d8eb13e562406ee3754edb0ec01a31af1c1670de29634273c41ef046b82740c18a1fbd658bc435b9370bf294cdaabbe929242d39a

C:\Users\Admin\AppData\Local\Temp\aXSEjM6srHwY.bat

MD5	a0a8d9fed42c27c36af850465bde9279
SHA1	ee50ed9d6a55c0a6143bb17ff87d74f4bbdb84d7
SHA256	567bc429e2e07482c899b76468ae31e096263075fd671f87489b585c40ddb6c7
SHA512	80ad9a9e89a9ecfb75210555d92f02030c61c3d1b9690a6be3e20bfaf13a7afcfb812cd2dd410bcc93aa19c0cab664a0aabf9282d8e19eb88676b3f424d6edd3

C:\Users\Admin\AppData\Local\Temp\4wj9c7cNHPmo.bat

MD5	bb4818bf5607c8149aa7035744c4e653
SHA1	26d5cbc9fc8db0a9d5fc87ae7d95b3fab74d5c1e
SHA256	b717413d605f3cffd8b6aea9341bce0e9e37c36e8f3a47c98d493b3d2e5e829e
SHA512	c755ed84cb1629a7b26b9a4b93b25ecfbbc6d375d45abba365dc025a96e5130f3c1c3dd5aa602224ed759d5227ce215d429190721958947b1ad95a5457a64ec3

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	5257121c0fcad93affd93a083cd7c543
SHA1	96c1487c34c7eea41be4205c4d9c37b7de727152
SHA256	6ca2b7f90daedc4ca1b57c4865192c3b5f156fd286078df0e1a9a8657961ff7e
SHA512	d9b795667738b48fe8d477860683418b64f268dd1284f8397bf092552a378339261078f8ed3bbd2c35bbcba2dfdda47a5ba53e8a97ddf4c3bd1b9d0160f68ba9

C:\Users\Admin\AppData\Local\Temp\pxcE2umpjj35.bat

MD5	1a53885a671bcf101f750552154d3ef4
SHA1	0a326b01b3de9883b64e321f2ae2a9c7d628a061
SHA256	8f883694ea499e213da8e6ed720a7bd83011345ebc248f5365324deb932a3e7e
SHA512	0da7a58f9951f2b4597845a40f2d219242aead6f95a05cdc2697069f6bb59f2f6dc4b6d3d6b42829c547509c8206cad7fbad544d0489c32f3343b162b941d93a

C:\Users\Admin\AppData\Local\Temp\xfhjgg7IBy7r.bat

MD5	f1be9c4222ab54dd94966556ac68b5e8
SHA1	b6b5be3bb05f5febf96c06e0437c53116123420a
SHA256	13452919c5e10dd5c961b79f81a4d9b6a9e2f75655e483d0425890297293379e
SHA512	4bb6d02b3a89f5b2a0b7a70bf48b4bdd9a980dc51c854b6c280538d176462876c629abac748a09270d6f250b132852acaa867efc85edfd5ae2a5e20b7d524292

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	a8f782bf8cf6732d162c3e212d341f1b
SHA1	ff8e342b0341c663c04f7aa8e4cebbc9f878b1a9
SHA256	bc7ac75f6c88fdc41f6a3aec455241925ede7e714aa4dc3bb4444894803dab99
SHA512	b0aad21040fc2695a707dea51f864007594d2b5a0bb56514f39fdbdebc129c998358079b32d146654a51afa3a7226e20f8fc8f57b8382b4927dedb5c2d0df195

C:\Users\Admin\AppData\Local\Temp\1MyUXiHT6OUj.bat

MD5	c16ac140d242fe2fe8c42fafcb49611d
SHA1	5a4bf4b2bf54bb7c5028b5dba609f83dffe4fc0f
SHA256	2ab0b3327c98bd31a73cce0eb92caee2562fc760de0d5690ea4c5d1417b3b294
SHA512	172ba70e2b3bf7ee4a1b147990c9bbda93452bf6d0da9101450fb0bef00ac13ce8b4b48368a9112bac4baf93f7e588903d2a79a672d29b9a5bf7d5d04eb57075

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	d1c6747e8edef6a2d34e19d4e4646886
SHA1	54a1f2df5720472af05adfeb20b908b959a50697
SHA256	b008ad933c010486f5fdab9c2c2976db2206a5cd6d70798b14350dfc967ca27e
SHA512	6b2b3ef3182855b3e1ce558959d573921062ae40d3398eb6b7434db06bb87941bd1a7394d90dac4e23f90b9d2f7966c683de62e2dfb52205c0882e1f9a948760

C:\Users\Admin\AppData\Local\Temp\mNsZyVSvZjl0.bat

MD5	073d8ec8b35206dbb53578611bc7bc5c
SHA1	22b70a44c5294682ca12a9327cccf691e1436c69
SHA256	95efaac2f215bfdff7442e031aad2a6d03a49d1787fd1f8e37b39c66cd161637
SHA512	f69d9c548bdb18f6721c2010309b98f26aa1d9a5ce412afd166a67314bbf892f88b97e8c1e50a6a5a7ede81f7ae8d259c8156d2ded60d8a6d367b19173f35c79

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	e38e0b0856f2f6655f0075afe892f17e
SHA1	53e5377bd397f6d1bf096e92a0fde5c75f371042
SHA256	52a1d86e0e5645d81f00d63aa7d6419bc42d8f1bf58438bbe1fae2ca97d50aed
SHA512	a793a7a64d4643563e08ed9a62c64f40c07f66e06c506726161c7badd6474bb833df6f6edddea94d2738e8f1faf2d5880a7c8b99ae84020ee19b4837117e39f1

C:\Users\Admin\AppData\Local\Temp\FGFjZQ2bacRV.bat

MD5	91989aab96c9d146e36cc386e5d796e0
SHA1	4a726d488a7bb2f40f936bfebe7acc8808488d5b
SHA256	ec338047be3267d4e11c301a2e1d10ffe5d25e491ddb918845ff02367c50a388
SHA512	c190a7974bda4293b966ea96a0413866b27767f72e50fb20ae07a1a9572ab69cc00b60901482eec583d1d401cc7d1435581e5f8065d48644b8bcbb66958e3a72

C:\Users\Admin\AppData\Local\Temp\HSNffGbgp4uS.bat

MD5	f606f6c99541ee547dfe192091bb7800
SHA1	1d660a6dd5ebb05d5efd1ddc10e3fdc10b34f255
SHA256	17020724dc2feed0dc0de2027e3846735416cde4b663265ef163a79ef95cfdc0
SHA512	53fcbfceb236b242054eec60db9eb9e94b086f114cb49ee0a7a7752119952e548537562c0293cc025f85899ab05eba8b858568820a6b27eee154f8a796b9347f

C:\Users\Admin\AppData\Local\Temp\Iak6stp0ddjq.bat

MD5	64c378f3bd607eca0170320ec28b00d5
SHA1	aa2f32f16d952e98a916719ac1356497c7a21a08
SHA256	b9859cdd8dae1fe180fee3fe9762b242782285308401593741063290fe8c5675
SHA512	ec63f4b452812b17a132b8561b5f81ed65b746c63b6bdddb7e84169f7d12ece42dd025ffe8611c2103ec3c29042ea07445bd46ba2df8f9b39a0d8c038c67fca6

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:39

Platform

win7-20240508-en

Max time kernel

596s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2036 wrote to memory of 1600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2036 wrote to memory of 1600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2036 wrote to memory of 1600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2036 wrote to memory of 1600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2036 wrote to memory of 1472	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2036 wrote to memory of 1472	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2036 wrote to memory of 1472	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2036 wrote to memory of 1472	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2036 wrote to memory of 1472	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2036 wrote to memory of 1472	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2036 wrote to memory of 1472	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2036 wrote to memory of 1884	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2036 wrote to memory of 1884	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2036 wrote to memory of 1884	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2036 wrote to memory of 1884	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1472 wrote to memory of 1452	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1472 wrote to memory of 1452	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1472 wrote to memory of 1452	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1472 wrote to memory of 1452	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1472 wrote to memory of 988	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 988	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 988	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 988	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 988 wrote to memory of 2248	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 988 wrote to memory of 2248	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 988 wrote to memory of 2248	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 988 wrote to memory of 2248	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 988 wrote to memory of 2460	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 988 wrote to memory of 2460	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 988 wrote to memory of 2460	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 988 wrote to memory of 2460	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 988 wrote to memory of 1400	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 988 wrote to memory of 1400	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 988 wrote to memory of 1400	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 988 wrote to memory of 1400	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 988 wrote to memory of 1400	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 988 wrote to memory of 1400	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 988 wrote to memory of 1400	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1400 wrote to memory of 1300	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1400 wrote to memory of 1300	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1400 wrote to memory of 1300	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1400 wrote to memory of 1300	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1400 wrote to memory of 556	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 556	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 556	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1400 wrote to memory of 556	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 556 wrote to memory of 1724	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 556 wrote to memory of 1724	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 556 wrote to memory of 1724	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 556 wrote to memory of 1724	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 556 wrote to memory of 2216	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 556 wrote to memory of 2216	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 556 wrote to memory of 2216	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 556 wrote to memory of 2216	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 556 wrote to memory of 604	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 556 wrote to memory of 604	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 556 wrote to memory of 604	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 556 wrote to memory of 604	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 556 wrote to memory of 604	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 556 wrote to memory of 604	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 556 wrote to memory of 604	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 604 wrote to memory of 2668	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 604 wrote to memory of 2668	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 604 wrote to memory of 2668	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RXtPsbPilh9s.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMCeosPiis86.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\dshKx8Zjextn.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FngBrVSHQZiD.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iBtlRAP7UcFv.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QcqBuU43T0e9.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OE0T3p8dFWF3.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\r48SlqIwhVvB.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp

Files

memory/2036-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

memory/2036-1-0x0000000001170000-0x00000000011DC000-memory.dmp

memory/2036-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp

memory/2036-3-0x00000000746FE000-0x00000000746FF000-memory.dmp

memory/2036-4-0x00000000746F0000-0x0000000074DDE000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/1472-12-0x0000000000C60000-0x0000000000CCC000-memory.dmp

memory/1472-13-0x00000000746F0000-0x0000000074DDE000-memory.dmp

memory/1472-14-0x00000000746F0000-0x0000000074DDE000-memory.dmp

memory/2036-15-0x00000000746F0000-0x0000000074DDE000-memory.dmp

memory/1472-16-0x00000000746F0000-0x0000000074DDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RXtPsbPilh9s.bat

MD5	3e33e64e95922c6ec5f3ac7cd40116de
SHA1	ba9649896266f34df6778fe1627d7024545c3177
SHA256	e7eb70fec0b356731e05c2edb42c3cd3b69c10f87cb7c23e79dadcc4dd7d7f6b
SHA512	b693935f26207faa89930ac874bd13293712ce97c526d3c22e0538da0261776e892cfc859d4a157ec6c690101b52f8e1bfae8867348a7832c95b78b9f21c928e

memory/1472-25-0x00000000746F0000-0x0000000074DDE000-memory.dmp

memory/1400-29-0x00000000003F0000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rMCeosPiis86.bat

MD5	20154a4fac181fbe86dc94fa39873dda
SHA1	1c764c718f93eb3426396d6a99e79af37e73cec7
SHA256	c2925d5266f325ccbcb8499e349ce427d5ad12b562a925d3290b5cb8eba9f4ae
SHA512	c26b17d67b37d1fed933fa443c1ca9bef93ac5033767a3a48ed710984ce6f4316274eb45e75c11f03763a4c27046e6ed7344cee9c203fabb2296e11b7e7c1c30

memory/604-41-0x0000000000CC0000-0x0000000000D2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dshKx8Zjextn.bat

MD5	7777c6947d22b90ba2e315317392eac0
SHA1	cc598d46437c2eae37ecd887a5cf9975658dd8d4
SHA256	ea5a6c8e648837b3c32054a8e840b979ad5372311de748a0fdf245b01a7dd09f
SHA512	265751536a0fd9be1a6eb62784660856ecb7fd1f5173a54d0f5cf5de2112014fc8f8f7393328e2204a2a431a7dc30eb212c9123c906de79ce5fd7a8bacb03586

memory/1968-53-0x0000000001000000-0x000000000106C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FngBrVSHQZiD.bat

MD5	57e5a3afb668b5e55ed7cf7245a5869c
SHA1	c27243461e36321fdff6e167dc4aea877fe9f1d9
SHA256	0cb07d87f4aa416a479908d4be5150f74d9765060bb22183351eef2729672c97
SHA512	c10eac870855ed90c87f81b6fe761a2435df3a89111c1f1502fef27729a5f3bde86871b1b522f385c2aadcaf9143f5eb5b0b639cb7069173065f60f2f60b88cc

memory/2800-65-0x00000000010C0000-0x000000000112C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iBtlRAP7UcFv.bat

MD5	5d0f55b33595f4a9f801a0fab497264e
SHA1	25371ad8bcba3a3c3e4a024f1704cf47b4939a65
SHA256	d71fc8eed9d7ac6cc057100deea8266995ceeaa62029543b68820836b6a92217
SHA512	654bb2769a24f2049125acdaad8868ff4ce3c24607d45b46cc479f0c17ff8b71bc6e0a86ece5589384697d36af20d10501dc34d7afcccee904405a08aabe5f6b

memory/900-77-0x00000000010C0000-0x000000000112C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QcqBuU43T0e9.bat

MD5	2214599556c8cac2e91e50c84cba8aae
SHA1	78c4fbea1110ccecfafe82fdd335ac97949c6a9b
SHA256	fd28ab5fcd797ad970bc9131ad5d8190c3f1c2bd29f314437eae8a52a4e753ca
SHA512	16bcf21c4e3532f3473d787f2de6c75d4b6d4f59f1e0934075c7e7fbc9639c8e8990c2f4ee1f7c012fa955badb1d859cf1ce8433b73c34fa660cbb0834a96c00

memory/1528-89-0x00000000010C0000-0x000000000112C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OE0T3p8dFWF3.bat

MD5	3d88c76e7cda9a76abbdb116d414a3b0
SHA1	ee2243d2062f01c99b65550229ad7008c3a62558
SHA256	9250da996d8824c34dcf5e97701c8bcd1608740470fd1a15136f7e0b69debdab
SHA512	b36ae36a24c937e8da751c6519bd0d5f75be3c8f62b848bd1d122cd68bacf0b676d299932fc624ac017dfdbf7d2f758c2c8a41eaa26e52e2aa8b18f8ce566b8b

memory/2192-101-0x00000000012C0000-0x000000000132C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\r48SlqIwhVvB.bat

MD5	df8602e44c9d0b24472e59b472af30cd
SHA1	bb17cdf08d347ce9ed8e78bf3ec3737909c0c695
SHA256	4a3cd8c1ecb3f6c4fa053c156d31135dd0bfd60dd93e46c12d22004aa352080b
SHA512	e5559d5be8e3dec0adb01fa64e7ae8ce38ebf6f7c673959a61159311a3bb3709ba979744bfe3c9156a1018b9649e36b1fc9d64d2e193ffb827fd12578e793aa9

memory/2768-113-0x0000000000130000-0x000000000019C000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:50

Platform

win7-20240508-en

Max time kernel

596s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 492 wrote to memory of 2508	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 492 wrote to memory of 2508	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 492 wrote to memory of 2508	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 492 wrote to memory of 2508	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 492 wrote to memory of 2540	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 492 wrote to memory of 2540	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 492 wrote to memory of 2540	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 492 wrote to memory of 2540	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 492 wrote to memory of 2540	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 492 wrote to memory of 2540	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 492 wrote to memory of 2540	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 492 wrote to memory of 1724	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 492 wrote to memory of 1724	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 492 wrote to memory of 1724	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 492 wrote to memory of 1724	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2540 wrote to memory of 2440	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2540 wrote to memory of 2440	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2540 wrote to memory of 2440	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2540 wrote to memory of 2440	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2540 wrote to memory of 1868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 1868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 1868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 1868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2384	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1868 wrote to memory of 2384	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1868 wrote to memory of 2384	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1868 wrote to memory of 2384	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1868 wrote to memory of 2952	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1868 wrote to memory of 2952	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1868 wrote to memory of 2952	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1868 wrote to memory of 2952	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1868 wrote to memory of 2488	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1868 wrote to memory of 2488	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1868 wrote to memory of 2488	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1868 wrote to memory of 2488	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1868 wrote to memory of 2488	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1868 wrote to memory of 2488	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1868 wrote to memory of 2488	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2488 wrote to memory of 1736	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 1736	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 1736	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 1736	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 2232	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2232	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2232	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2232	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 1704	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2232 wrote to memory of 1704	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2232 wrote to memory of 1704	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2232 wrote to memory of 1704	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2232 wrote to memory of 2328	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2232 wrote to memory of 2328	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2232 wrote to memory of 2328	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2232 wrote to memory of 2328	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2232 wrote to memory of 2356	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2232 wrote to memory of 2356	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2232 wrote to memory of 2356	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2232 wrote to memory of 2356	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2232 wrote to memory of 2356	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2232 wrote to memory of 2356	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2232 wrote to memory of 2356	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2356 wrote to memory of 2116	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2356 wrote to memory of 2116	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2356 wrote to memory of 2116	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\F8yxQcruEb0r.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DIEpQci1aATM.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sE1Q8jlstayg.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\U90I35eQfCn6.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DehEPbe85Trt.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYrMXENMLIyP.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Y4M1gTYNHNk7.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\D09dOabFZnGR.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp

Files

memory/492-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

memory/492-1-0x0000000000F90000-0x0000000000FFC000-memory.dmp

memory/492-2-0x0000000073EB0000-0x000000007459E000-memory.dmp

memory/492-3-0x0000000073EBE000-0x0000000073EBF000-memory.dmp

memory/492-4-0x0000000073EB0000-0x000000007459E000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2540-12-0x0000000000990000-0x00000000009FC000-memory.dmp

memory/2540-13-0x0000000073EB0000-0x000000007459E000-memory.dmp

memory/2540-14-0x0000000073EB0000-0x000000007459E000-memory.dmp

memory/492-15-0x0000000073EB0000-0x000000007459E000-memory.dmp

memory/2540-16-0x0000000073EB0000-0x000000007459E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F8yxQcruEb0r.bat

MD5	597d18a8d309ca7c63e292e68482c0a8
SHA1	bbba92079322938d1ec0eec0513b7350014525ec
SHA256	8086b863572bd7bb1bcebc4ee997aeae9428ae9e49b844854971ea065a503413
SHA512	e9df6e162e1e5f8e9681a07333a8224227935cff2b23a4b266c37d2c087cfc824164202552535f354127e0e66249cd8eeebd900cb0446326785c324a8605e111

memory/2540-25-0x0000000073EB0000-0x000000007459E000-memory.dmp

memory/2488-29-0x0000000000110000-0x000000000017C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DIEpQci1aATM.bat

MD5	6bec1befda9cf2dda800a38acf8fa999
SHA1	65c0889cbd5941676f2eca6fda83b4876b450cbe
SHA256	4ab79906bf4a52a14d83ece830108ff57d1d12da994296ab759e9f4a1266a45d
SHA512	aa7dba7304dcdb6fdac4246e406d8eefa320a5c4b648c72e229ab3f557415e405c39d4f9a6aab04cc886e980314d08e2fb499d457a9bfef01b886e84a0fd0082

memory/2356-41-0x0000000000C30000-0x0000000000C9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sE1Q8jlstayg.bat

MD5	2af45d14a49923d94dccef46e347ca88
SHA1	c771c11de4eea1f9d4ed6538418ab260d9af52d8
SHA256	38f43ec34cc749697d38007de243711026bc9bf4208c9ec69544fa7acc0a4247
SHA512	e1b267fa2e1702a03b6432ac44e14a8062172f72f7875088c336e47ee31c51c9731475dae23ce344f8246333be9300a22217c26911b3f709a67e0944c561af9b

memory/2764-53-0x00000000002E0000-0x000000000034C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\U90I35eQfCn6.bat

MD5	48171d787f9c382bb06e1fd68f4f78da
SHA1	e1333306ccea97171f720342bb0eb8cc9489af86
SHA256	68001f84b94bbf2e673a2cfa8face0d23185a2926a18b081236b5e261bed7fdf
SHA512	1b708f29f163b497674b7042b7d1c693e26a209623e20171181896f7217ab463f00d2e8bcd01f947c607767a037b7af292e58a676a23152fdf3e9dfa28239a53

memory/492-65-0x0000000000A30000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DehEPbe85Trt.bat

MD5	692982512a37b4335898eaa868587389
SHA1	c2aec4ac56c62d28f88f004ea8542ac9bf349f26
SHA256	75e48031c7a93801e24c4a67115b6504cadc3fb810deec27adcdc5039cd6d438
SHA512	b0be05de9ad35cc442d537bcd09ae1cc0c9f026bcb88dee3f8e9e4922d59867e19818f074567aa190ff8578d70b58acff331f90cac8a8de437cc57eaf74c5da2

memory/532-77-0x0000000000240000-0x00000000002AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mYrMXENMLIyP.bat

MD5	ed11ae24f6f7566e1d53370e588c1f5d
SHA1	83f3fd83c48997e4a4c942f5d84bac79c43031ff
SHA256	943f74cf4f985758ec4020ecc61dd38eece008dfaea52ea61c99fb5484ca6580
SHA512	172186e14eef9e44af519b2669a27646f53b7e5eb459217cde25691dbcd20b510ea5f1ce5c4b0cfd0e1c69030c4c7529442a74b8479413b2f655029eb8b857d9

memory/2656-89-0x0000000000D40000-0x0000000000DAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Y4M1gTYNHNk7.bat

MD5	e34c081c00b8d142672ab541ec754948
SHA1	b0a0f995de42c52c1debcbda4adaee1b70e7851f
SHA256	7c770a011f8309684bb7e15db1a263cbd6733ea36547555a7ed6bee506d55793
SHA512	623c75cfc9a59b56c0d1a2d49354a06afc0db95e24c8b7d093f9977b8385fb695eebf795c89b584bf779097b8d844417d0e1a30e7460aef034d6f61d1233e96c

memory/1684-101-0x0000000000D40000-0x0000000000DAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D09dOabFZnGR.bat

MD5	163a96def42c3403d09d3f8d018e1613
SHA1	7e2cb41328b1482118da6b738962cd03f3075ec7
SHA256	cceead55dd455d247221635b9139d47ebc6f4811e5a2f6534bd81623fc28e23d
SHA512	8f50b7ec273a8950927c2e5a3ade4790b40551436de31fc2ad37c88724b3d3efa8c7064f98dd23b90880096c3c8d7e7e4efb15f2fd3307a343205a7919b5d366

memory/2496-113-0x00000000010D0000-0x000000000113C000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:51

Platform

win10v2004-20240611-en

Max time kernel

579s

Max time network

603s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1152 wrote to memory of 3400	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1152 wrote to memory of 3400	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1152 wrote to memory of 3400	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1152 wrote to memory of 2756	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1152 wrote to memory of 2756	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1152 wrote to memory of 2756	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1152 wrote to memory of 2600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1152 wrote to memory of 2600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1152 wrote to memory of 2600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2756 wrote to memory of 2132	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 2132	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2756 wrote to memory of 2132	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
NL	23.62.61.194:443	www.bing.com	tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	4.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	237.21.107.13.in-addr.arpa	udp
US	8.8.8.8:53	194.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	205.47.74.20.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	1.112.95.208.in-addr.arpa	udp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	215.156.26.20.in-addr.arpa	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	15.164.165.52.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	21.236.111.52.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	12.173.189.20.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/1152-0-0x000000007489E000-0x000000007489F000-memory.dmp

memory/1152-1-0x0000000000D50000-0x0000000000DBC000-memory.dmp

memory/1152-2-0x0000000005C20000-0x00000000061C4000-memory.dmp

memory/1152-3-0x00000000057C0000-0x0000000005852000-memory.dmp

memory/1152-4-0x0000000074890000-0x0000000075040000-memory.dmp

memory/1152-5-0x0000000005860000-0x00000000058C6000-memory.dmp

memory/1152-6-0x0000000005BF0000-0x0000000005C02000-memory.dmp

memory/1152-7-0x00000000069F0000-0x0000000006A2C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2756-13-0x0000000074890000-0x0000000075040000-memory.dmp

memory/2756-14-0x0000000074890000-0x0000000075040000-memory.dmp

memory/1152-16-0x0000000074890000-0x0000000075040000-memory.dmp

memory/2756-18-0x00000000064B0000-0x00000000064BA000-memory.dmp

memory/2756-19-0x0000000074890000-0x0000000075040000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:41

Platform

win10v2004-20240611-en

Max time kernel

588s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2364 wrote to memory of 1808	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2364 wrote to memory of 1808	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2364 wrote to memory of 1808	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2364 wrote to memory of 2108	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2364 wrote to memory of 2108	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2364 wrote to memory of 2108	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2364 wrote to memory of 448	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2364 wrote to memory of 448	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2364 wrote to memory of 448	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2108 wrote to memory of 2928	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2108 wrote to memory of 2928	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2108 wrote to memory of 2928	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3956,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	0.204.248.87.in-addr.arpa	udp
US	8.8.8.8:53	55.36.223.20.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	1.112.95.208.in-addr.arpa	udp
US	8.8.8.8:53	215.156.26.20.in-addr.arpa	udp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	35.15.31.184.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	138.107.17.2.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	208.238.32.23.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	9.173.189.20.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/2364-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

memory/2364-1-0x0000000000050000-0x00000000000BC000-memory.dmp

memory/2364-2-0x0000000004E90000-0x0000000005434000-memory.dmp

memory/2364-3-0x0000000004A20000-0x0000000004AB2000-memory.dmp

memory/2364-4-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/2364-5-0x0000000004980000-0x00000000049E6000-memory.dmp

memory/2364-6-0x00000000056A0000-0x00000000056B2000-memory.dmp

memory/2364-7-0x0000000005BE0000-0x0000000005C1C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2108-13-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/2108-14-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/2364-16-0x0000000074BB0000-0x0000000075360000-memory.dmp

memory/2108-18-0x0000000006340000-0x000000000634A000-memory.dmp

memory/2108-19-0x0000000074BB0000-0x0000000075360000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:43

Platform

win10v2004-20240611-en

Max time kernel

578s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1844 wrote to memory of 1604	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1844 wrote to memory of 1604	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1844 wrote to memory of 1604	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1844 wrote to memory of 512	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1844 wrote to memory of 512	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1844 wrote to memory of 512	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1844 wrote to memory of 5020	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1844 wrote to memory of 5020	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1844 wrote to memory of 5020	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 512 wrote to memory of 1196	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 512 wrote to memory of 1196	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 512 wrote to memory of 1196	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
NL	23.62.61.194:443	www.bing.com	tcp
US	8.8.8.8:53	17.160.190.20.in-addr.arpa	udp
US	8.8.8.8:53	0.204.248.87.in-addr.arpa	udp
US	8.8.8.8:53	194.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	1.112.95.208.in-addr.arpa	udp
US	8.8.8.8:53	215.156.26.20.in-addr.arpa	udp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	35.15.31.184.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	0.205.248.87.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	9.179.89.13.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/1844-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

memory/1844-1-0x0000000000E90000-0x0000000000EFC000-memory.dmp

memory/1844-2-0x0000000005F90000-0x0000000006534000-memory.dmp

memory/1844-3-0x0000000005920000-0x00000000059B2000-memory.dmp

memory/1844-4-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/1844-5-0x00000000059E0000-0x0000000005A46000-memory.dmp

memory/1844-6-0x0000000005F60000-0x0000000005F72000-memory.dmp

memory/1844-7-0x0000000006B60000-0x0000000006B9C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/512-13-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/512-14-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/1844-16-0x0000000074F20000-0x00000000756D0000-memory.dmp

memory/512-18-0x0000000006570000-0x000000000657A000-memory.dmp

memory/512-19-0x0000000074F20000-0x00000000756D0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:46

Platform

win7-20240508-en

Max time kernel

596s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2032 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 1808	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2032 wrote to memory of 1808	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2032 wrote to memory of 1808	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2032 wrote to memory of 1808	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2032 wrote to memory of 1808	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2032 wrote to memory of 1808	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2032 wrote to memory of 1808	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2032 wrote to memory of 2148	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2032 wrote to memory of 2148	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2032 wrote to memory of 2148	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2032 wrote to memory of 2148	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1808 wrote to memory of 2868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 2868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 2868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 2868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 1200	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1200	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1200	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 1200	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1200 wrote to memory of 1696	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1200 wrote to memory of 1696	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1200 wrote to memory of 1696	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1200 wrote to memory of 1696	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1200 wrote to memory of 2452	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1200 wrote to memory of 2452	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1200 wrote to memory of 2452	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1200 wrote to memory of 2452	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1200 wrote to memory of 1724	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1200 wrote to memory of 1724	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1200 wrote to memory of 1724	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1200 wrote to memory of 1724	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1200 wrote to memory of 1724	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1200 wrote to memory of 1724	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1200 wrote to memory of 1724	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1724 wrote to memory of 1676	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1724 wrote to memory of 1676	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1724 wrote to memory of 1676	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1724 wrote to memory of 1676	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1724 wrote to memory of 1960	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 1960	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 1960	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 1960	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1452	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1960 wrote to memory of 1452	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1960 wrote to memory of 1452	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1960 wrote to memory of 1452	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1960 wrote to memory of 1348	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1960 wrote to memory of 1348	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1960 wrote to memory of 1348	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1960 wrote to memory of 1348	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1960 wrote to memory of 2264	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1960 wrote to memory of 2264	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1960 wrote to memory of 2264	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1960 wrote to memory of 2264	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1960 wrote to memory of 2264	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1960 wrote to memory of 2264	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1960 wrote to memory of 2264	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2264 wrote to memory of 2712	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2264 wrote to memory of 2712	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2264 wrote to memory of 2712	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rMYtyXpcd9xc.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DA3O64fI4XEw.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CmEgFPjsq3qq.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mC3jOa0LvhlL.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\wutdW1xTWeCS.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\YpsURNq1JG1s.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\mYW8NZxSQ1At.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\pgey4rmQOILc.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp

Files

memory/2032-0-0x000000007473E000-0x000000007473F000-memory.dmp

memory/2032-1-0x00000000010E0000-0x000000000114C000-memory.dmp

memory/2032-2-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2032-3-0x000000007473E000-0x000000007473F000-memory.dmp

memory/2032-4-0x0000000074730000-0x0000000074E1E000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/1808-12-0x0000000001120000-0x000000000118C000-memory.dmp

memory/1808-13-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/1808-14-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2032-15-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/1808-16-0x0000000074730000-0x0000000074E1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rMYtyXpcd9xc.bat

MD5	4a602d6298ea523f43f8ffb0f7f0875f
SHA1	b3d1bd4674ad296f447e22387d420a15f81dafd7
SHA256	056ee8526479322965d4f35ea266f9dda2bb4050032822fc9e24d0772540c1eb
SHA512	4c54dad3cfadb4d162c416414ef69a5b2bad9d5531c0b0bcc56e9347e97cb37e4c3287f1a6702ea58c6ce567fa36682ef61e8c62f5bec406534ebf3819bb684f

memory/1808-26-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/1724-29-0x0000000000310000-0x000000000037C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DA3O64fI4XEw.bat

MD5	51a815b00fe94f69bd76bd0f61248417
SHA1	e3ac38e59c23074f95c7e1b5d7deb7cb324d2c52
SHA256	b5ee7a7126c546b27c5fdc23665e9ab53c0795299260ecce1e0f140e363bad66
SHA512	477ce2832c1b99e36c6ba1275f8da2d7de7b6f9ad1c5e6c7d8f01b4bda90df7fd902c69908dc854e483871784a92a33d0a4dad6ad24b275542cc959db45cacd2

memory/2264-41-0x0000000000990000-0x00000000009FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CmEgFPjsq3qq.bat

MD5	fdfc67bedec0dbad7660438161c303a8
SHA1	88e866a3c4820ce482322ac0dd2518f33fef0d41
SHA256	33723c6e0ddef8c60fa0ece25a1388cf75f619eea3c2d7a131d445f379cb9321
SHA512	6a9e311d7dc3f79ff0e9d501406a8d871f696a45ff0b8f2bc8d8ac10399eaffdec4ce94e288e366246dc81088b746e08da8ee402905fc892adcd51bad1fbd800

memory/2648-53-0x00000000012F0000-0x000000000135C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mC3jOa0LvhlL.bat

MD5	f5e683ecfad0d17d02d3d4c5d9ea3c10
SHA1	b44c2197a7f98bed3a0b5a6d348a1a1d350f0ed5
SHA256	9243ba81655999153063744af35268d4e759a307607563be15bd538393c1c289
SHA512	58aa29056214d76105d08cef53b4c884159eb48d2d9ea39c9c0b2bbf24725eb913250a53f55b65e81e630e9bc2dcc5af77e295adffb08db68371f84775dfbb41

memory/1696-65-0x00000000012F0000-0x000000000135C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wutdW1xTWeCS.bat

MD5	0a9362612ce81435e096aa7c39115f61
SHA1	8ed8cee0535324829272411c24a6b5a3ef66ccab
SHA256	63ee9ca225227cdb53870a469a230015629cbb0f44e8b6560fc08c03b43a3b68
SHA512	2eaa1229941a31619df46c0c0ee934c5c76a18f8e2f5bfef56e6d98ed65cee0b77c13894f928a067cc34de92b12e1c008161aa5b27c389f66a233b6028f02876

memory/764-77-0x00000000003C0000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YpsURNq1JG1s.bat

MD5	7f3a191b8c3d22e19506787aafeb7f8f
SHA1	b98fb3f9edd072f138a8acdf66cd061db76b9b7c
SHA256	333d8c988f6a4cd810c82d593b4c05815496543f2609668bea582b9bfb471a50
SHA512	f44c8a3f07232f52d79cc023eae8128624fcba14888f8d9eb03e5435db45dbdc1c3ce7e5f511e931cf86ffae3dc3f43973f796d37760274641046ab7f0a30a61

memory/1536-89-0x0000000000230000-0x000000000029C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mYW8NZxSQ1At.bat

MD5	faf29efa261450b69f98635622439638
SHA1	38f9589772b1db1db5a37633e2bf68f7984b0f57
SHA256	4df8dcc446b2d8b535275cf29432b03df2153ba4fbf0932a64a06aae2ef587e1
SHA512	4563595d5b9148fb74ffa2ccdf27e2a7f0f08e23b0109ae22e823f91b2b752fc17a45d46c9b632079801aab760412a91b330e5609968372f1ddaae7ea207ba4d

memory/1352-101-0x0000000000A80000-0x0000000000AEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pgey4rmQOILc.bat

MD5	7b5159ce7589237fecb6bb065d83cb41
SHA1	0109b430745ed9551e56d337fc33109e45dd6387
SHA256	7680071c094eaa0a47a63e6782d2956ed54901784f354b6e4365363b5ef78203
SHA512	4e8a1ddc7824f3f761006ad55ba69fac77e6d8b89fadbd8db7679e947ce5f3078ec57ec3065a558db7212efc81a714b7648b3baba8b5e39f8e00b45695f60d3b

memory/1560-113-0x0000000000E70000-0x0000000000EDC000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:47

Platform

win10v2004-20240508-en

Max time kernel

600s

Max time network

607s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 4276 wrote to memory of 2340	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4276 wrote to memory of 2340	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4276 wrote to memory of 2340	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4276 wrote to memory of 1140	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4276 wrote to memory of 1140	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4276 wrote to memory of 1140	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4276 wrote to memory of 3328	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4276 wrote to memory of 3328	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4276 wrote to memory of 3328	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1140 wrote to memory of 756	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1140 wrote to memory of 756	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1140 wrote to memory of 756	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1140 wrote to memory of 812	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 812	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 812	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 2104	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 812 wrote to memory of 2104	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 812 wrote to memory of 2104	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 812 wrote to memory of 2512	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 812 wrote to memory of 2512	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 812 wrote to memory of 2512	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 812 wrote to memory of 820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 812 wrote to memory of 820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 812 wrote to memory of 820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 820 wrote to memory of 4068	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 820 wrote to memory of 4068	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 820 wrote to memory of 4068	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 820 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 4480	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2616 wrote to memory of 4480	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2616 wrote to memory of 4480	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2616 wrote to memory of 1500	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2616 wrote to memory of 1500	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2616 wrote to memory of 1500	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2616 wrote to memory of 2556	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2616 wrote to memory of 2556	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2616 wrote to memory of 2556	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2556 wrote to memory of 5080	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2556 wrote to memory of 5080	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2556 wrote to memory of 5080	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2556 wrote to memory of 1496	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1496	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 1496	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 2656	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1496 wrote to memory of 2656	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1496 wrote to memory of 2656	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1496 wrote to memory of 3316	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1496 wrote to memory of 3316	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1496 wrote to memory of 3316	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1496 wrote to memory of 1312	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1496 wrote to memory of 1312	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1496 wrote to memory of 1312	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1312 wrote to memory of 3568	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1312 wrote to memory of 3568	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1312 wrote to memory of 3568	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1312 wrote to memory of 4580	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 4580	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 4580	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4580 wrote to memory of 3548	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4580 wrote to memory of 3548	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4580 wrote to memory of 3548	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4580 wrote to memory of 1180	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wym3B1TGm83Z.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1140 -ip 1140

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1204

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0UrOYo2kH1k.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 820 -ip 820

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i73ZoRr2328E.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2556 -ip 2556

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 2232

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T8xeFE1UVNPV.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1312 -ip 1312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1084

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WK4aK3aZkptS.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1520 -ip 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EK9wy6aihMTq.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4328 -ip 4328

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hjQrqr6D7UK6.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3908 -ip 3908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KDYevxKxqFJe.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 676 -ip 676

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e0IlZpYz8uDd.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1124 -ip 1124

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KWEIRfw2NTu5.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4296 -ip 4296

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 2228

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XjHLeO3u1TYf.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4560 -ip 4560

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 2236

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IkBQ4BDMUnpx.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1052 -ip 1052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ALmZw7VyanMc.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1720 -ip 1720

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\urWqai3LLAky.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 912 -ip 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYnbSkEVHa7q.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4032 -ip 4032

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1692

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uADT6QfRsOLP.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 920 -ip 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1688

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4RBJPbxlRTxf.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2052 -ip 2052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UluybPxBvuRS.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4508 -ip 4508

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGqVTFLEAT8u.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3416 -ip 3416

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 2236

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUsYgyS7oTmV.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 596 -ip 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fnUqYd44PAnY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4472 -ip 4472

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 2228

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiiJzLLx14Ed.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 920 -ip 920

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbHjnWmKX9DE.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3156 -ip 3156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 2172

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZDgcSCEG9wQn.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4960 -ip 4960

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\576L6ALqG2Ay.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 664 -ip 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\haE8BGZaznAX.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 936 -ip 936

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 2216

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp

Files

memory/4276-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

memory/4276-1-0x0000000000FA0000-0x000000000100C000-memory.dmp

memory/4276-2-0x0000000006000000-0x00000000065A4000-memory.dmp

memory/4276-3-0x0000000005A50000-0x0000000005AE2000-memory.dmp

memory/4276-4-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/4276-5-0x00000000059C0000-0x0000000005A26000-memory.dmp

memory/4276-6-0x00000000066F0000-0x0000000006702000-memory.dmp

memory/4276-7-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

memory/4276-8-0x0000000074C90000-0x0000000075440000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/1140-14-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/4276-16-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/1140-17-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/1140-19-0x0000000006270000-0x000000000627A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wym3B1TGm83Z.bat

MD5	ed0882313c49b67fd8a6e8875a5105d2
SHA1	8d36b4a69872bd9b7f3584b73514ad6eb805ae31
SHA256	7779950f26be928c4e9fbd100ec713261629dba9dbbd7e9c13d24403ff074535
SHA512	4106a3d6b955c0a1bfc705d304f3b6609f0c898b91fcc17a47d89fce2f279098dc246c0fced3dbaa9e141e956e886ffcc2a8b38e04b3b26b367a0ea398e0d3a9

memory/1140-24-0x0000000074C90000-0x0000000075440000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512	cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\k0UrOYo2kH1k.bat

MD5	e1268aea0ef4cb0061bdea44bd2876e7
SHA1	f591ab34422f9f9a022dfd2bf779a9fd908c96ff
SHA256	0810ec0cae35c9d29f6c7eafed31c6bac491cc0de266f51108fc2428fae5de4d
SHA512	ea6718f0c520cb37af065024c9751cae596c3597f0f2796167741fdfd15f9661dc6aab66d038fe138904bd6e14523162be4f1d7fad3cb4a2b4f7bcc66f07684d

C:\Users\Admin\AppData\Local\Temp\i73ZoRr2328E.bat

MD5	e3bf62b53b823aa0153a63244311d0d7
SHA1	54c5df80d3c73a4f26227ea76ae2e91aae7303e9
SHA256	847ebffb1195302e53491e7570879c7911552cc9818e72ae0ca6076690d51140
SHA512	8bfbb2687fb936736f199ade499a4dd2673b319e278623b5c9652180775e774c307c3c7a3d6dddd4569bb65b234e3163e533b66dd51fcc07acef051e992c1ee6

C:\Users\Admin\AppData\Local\Temp\T8xeFE1UVNPV.bat

MD5	adeadc3c9a733b28ddfbca073de4ce37
SHA1	3c30d7dce5a0c150d71d9c45210cdf367bd59582
SHA256	9ea414cb5129a983d62640ea1c237582b983e7cb2ffd3817f05357d0dcb02bf5
SHA512	4f9ab67a07dbf8eb2493bc3e48bc0b94a21a94d501f2116fcfd4daa7f8e7f429eaa76e2f566be75da267e86e38947998dcc85a6be5924cdd4a55862566d3adfe

C:\Users\Admin\AppData\Local\Temp\WK4aK3aZkptS.bat

MD5	3083816ffa92516b5db81b16aca081b1
SHA1	b0f4324091d154b634a9fcde1a49060428cff1b0
SHA256	e6e71a5c3f0fdf8b32748f3b22c58bf303e6abe1f8b6b2b407ef0c3d61b8d0f1
SHA512	cd5f2df60aefb5e12dcba3c33f6df2b1f7c428c5c3229d99c7a21a4ce58c465b631e56015f3686fe82593356cea12a8a86628a59fb0c1b142d70608d11fc8700

C:\Users\Admin\AppData\Local\Temp\EK9wy6aihMTq.bat

MD5	453287f2b0742320f992ca5ae3bee2d4
SHA1	faebe965445367bd722665038ea7a7357d173da7
SHA256	a32187063c09d70d4160216d9a8c47ebf2f3d41061a0a060d1bb32688cef124f
SHA512	ddf09d9f55773b874fca6cf7b0dd23a2f3652ae038288eafc48af741c794e189c7ef5d1f83f3c83156353659542aef99e09091a9e8aba91ace4a9309beb13462

C:\Users\Admin\AppData\Local\Temp\hjQrqr6D7UK6.bat

MD5	4e51d49b7a26d7dcf1b2e38ac85a730f
SHA1	acd150f86c862b1d5413627619458baabfd89de7
SHA256	75686d1f2657092d4500ab19f16d4e84f6a81ff085ec2554ec9e23752a995c2f
SHA512	6a5450f6f0f13f163460de69d7486be6f52fcc1a36653ad844c3c891a6bc453f9f722de33b46d11ddcba2c6d8178780ae3ddbfff990641f4ff94f14c9655c4de

C:\Users\Admin\AppData\Local\Temp\KDYevxKxqFJe.bat

MD5	a7ae2bfd0af6479c3d157064216eca37
SHA1	66408eddfaca405217406eb3e31187f585e4c9e5
SHA256	4db78e9940aa3329f92926f0327c5c2a441667ec7e1b4452eab0af6e008d8fe2
SHA512	5dcabe73785c48e71b4acdc297e6c2b0446d6987f9771a7acbfeb01417a9b81e86ddebe912444bdafeeb5c2aede9cc61851176b762e78ae1fbb6dc5c2b83fc35

C:\Users\Admin\AppData\Local\Temp\e0IlZpYz8uDd.bat

MD5	13c403977e7b3c756644eb882625aed6
SHA1	6d5d0ba0b6016d49477dab5794506f4a8f454967
SHA256	a9cbb85d165d17521ea2826ec01e5166fdfeaf8578e79e8eef8f934057eaf0fc
SHA512	14229d00ed5481afafa5759e89943c55331c7d28092c0036b88d39ea1fedbc317b209eb769f9dc8bd027f605ae7d711617fbb899f8e1bd2650519c9bfe7597aa

C:\Users\Admin\AppData\Local\Temp\KWEIRfw2NTu5.bat

MD5	8e28bc4167b62f170a85a4cdfeedda09
SHA1	8f3f8f51a6a69a5b10ca81fadc3c5b9d9c833bd4
SHA256	3a11b3b87ad7fc8a19008e306cd401f22097d6a88a83f6c92ed9417f4963438a
SHA512	7ff3c000d2d9ea9527f852d258e20d003f02f787252812266f64bc38d4df4e2ab83ceee833537522c8bd2e9090fdee6b13caf71374af65beb6b029844a8b9ef7

C:\Users\Admin\AppData\Local\Temp\XjHLeO3u1TYf.bat

MD5	363a56c795c8b13e6db7d4bf3f94d1f0
SHA1	8026e290204e88449f22b6f13924991f63e5edf8
SHA256	6a39cc4b58259b016b65eaa1bb4af6eabdf0b59eb38a4618240e81370512e96e
SHA512	da1b7ac2d190d14a17ab825d4bce100d50973ed9e1ef9bbe46d6405000d34147b02e7ab9f9cd44649fcc861aff097549515db2fea8e726b49973cbb53dcfc828

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	82c24f388bd302e0baef0da264ca2294
SHA1	98792681fe9cf40ba546bf28160f6060af828fce
SHA256	6926da88ad82ba5fa6946b8ff28f1094e59d8748853c5fc09da94e99b7070166
SHA512	0b15970484767473975c229271c77e5324e4a1dc3f55025eee364cea69ed77648ee1bd17343e332d00f6ddc24054e53864f54e9519e287d3a350d67eaa265cf0

C:\Users\Admin\AppData\Local\Temp\IkBQ4BDMUnpx.bat

MD5	2256f5f45c5e841943e291ec27b3d06b
SHA1	4d55a0608b578d8ec65d053345b1404631fb69cf
SHA256	e3809fe14856016c6e787dc0dde240d0c84fe42c9d68d9457be3478600fee1e0
SHA512	c2c31cc20efd3e802919f294fdddad9fcf6d58368b68ea1610301809e9eb1b9b43f3abf91554de257d2cc860afc7030a88fdb87d31a7c17b3e763afd0e249cef

C:\Users\Admin\AppData\Local\Temp\ALmZw7VyanMc.bat

MD5	c454684a568f29ed63a9732e97641cdc
SHA1	d88fb7c3ed3b831dfcfabdd154cb5fb135defe59
SHA256	a89737b060ff33dbf8bbca2cee64307b89479069de973c825dda63c80a6b5a2d
SHA512	937efea74cb69dc79cf65f6d6a93fba6de336e0a7eb13612c269e70481fdc8dcfa92a873a685702cf6c09a46aff277e7eb9044eedd1bdbb5b84bbf3898bc69c3

C:\Users\Admin\AppData\Local\Temp\urWqai3LLAky.bat

MD5	657ba666722cb8b0d8cf1103262926bf
SHA1	c55533af4ecea86ccd839f09cb3e48e3a5e51efb
SHA256	ebc01e3badc839e12ade38e721e5aea97216632bda1c2e067c465df04077651c
SHA512	9ea919b3f297d4714eb06454e55b68e0f232390b8fcf8305bbdb98bfe0c98ab018739bad7eb0d2c50ba453ceebaa2275ff0af3fcb6f003d65a3879d7112ceea6

C:\Users\Admin\AppData\Local\Temp\yYnbSkEVHa7q.bat

MD5	6459483d47bcf0167a73e98f46719c3a
SHA1	40b46a9b5844d26e52bb83dd5675fed1da71bd77
SHA256	31b56fdca94cbcb0a476c17e0851596bc2f5635433192540206cd6e1e2312ddc
SHA512	95b55250ade7c7e16780a65671a8b60bd9bcf350b1a57885915367c5320ea96707ab8750a5a4651f728aa51926344006f5a7f8605e8076a5d2d68172a65b4dfb

C:\Users\Admin\AppData\Local\Temp\uADT6QfRsOLP.bat

MD5	8ed0d5a34bbb0c2acce1bba0666b8335
SHA1	16ac653ba85056d9ae78f6c7d5f36339bc926dda
SHA256	e25aacb33cd8a4de9310c6f3d86c31d5a334e2915b78986ca9fe8243908ff9e5
SHA512	ce800dead851b91a692352f15ad9cd4278ac85ade74c9ba93654f20c1a87fcf128a6727fbcbc2ff333762cf67959013f17f0e57e80bf7d367218af9578be0903

C:\Users\Admin\AppData\Local\Temp\4RBJPbxlRTxf.bat

MD5	c14d31bcbc11010f57e6a82828eb8c94
SHA1	0bacf6eeecb1b3303d9eaaab15dde04065411fa4
SHA256	8227d5d7833bf54ef7e201fb09460c7eeced514379fa8f817e362cc83d1fc32b
SHA512	026a97a2f159602b3875464bc9a40839aa72460f01c135bed4896247165c8705db874878ab4089745747c0e7a5f4d323ba828f4bc619e53753d9a250b3003a8a

C:\Users\Admin\AppData\Local\Temp\UluybPxBvuRS.bat

MD5	58506a2862d9a4b387942825445e01c8
SHA1	c69903b0b0d649ea0e70fcb770892bb83d17113f
SHA256	0cd532cf82b565c8cdfd6b535b4d2c0907be7d97eafccbc7b1e79d432d31ab14
SHA512	50b3657cc281a6b728ca7bd62f2819c2c353a45ce2d64409bf45a05660be41d6f773260b639358084df862646d98c90310b3cb65f880efb798eb6a535e5e7556

C:\Users\Admin\AppData\Local\Temp\AGqVTFLEAT8u.bat

MD5	07ade78a58a26808f36ac627f928349f
SHA1	6ca719b7a75210728b6d137c99abe8aafc6a4d48
SHA256	a2fe166321e8e6f48ae597d32ed6ac9874fb837d8f9b9621abf5ee0b70692faf
SHA512	72fd29bf5c4bfb77b9ce2dc69c3b530f34280810d8f25c5751cd64c8d7ef6263ef00f0c8aa0c57550cf9427d7c1d96ffa80ec78d083aab54c8acdcce3ba23a2e

C:\Users\Admin\AppData\Local\Temp\NUsYgyS7oTmV.bat

MD5	19ae4695380d6fb52015f39967e2f896
SHA1	c1e7644b1616ea7c72310fada10b54de9c383511
SHA256	a78685abf0ce2cac58f8b7b3f90235b2aca5d539f753a3bd84f985da96d90bff
SHA512	825c69d7f50a5ab86eb2e91aa074c01648cb70affdc9a7dc596e3103e00c0f00772d91f0a15f99f2592cd5ac0afeb3685316eca8a8c1870577eeaafcf810e235

C:\Users\Admin\AppData\Local\Temp\fnUqYd44PAnY.bat

MD5	21b11e6b82303c9a0d454cb8025e98e0
SHA1	e2ecb625d7b0f6376a87c142b709e2709ec7c403
SHA256	bd298c82c3af8d53f1130c229229096f2fa5ef1df9dc8c36afd3d372ed2f6551
SHA512	b4bcbe254f807b87d504bd005dd03cd9c0094476055e84361e25520eec61e3c678e3b99099326db74c69918547bcca5f9221036a9cb5c2e2d75aedadbe222f34

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:59

Platform

win10v2004-20240611-en

Max time kernel

580s

Max time network

607s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 4808 wrote to memory of 1532	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4808 wrote to memory of 1532	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4808 wrote to memory of 1532	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4808 wrote to memory of 4024	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4808 wrote to memory of 4024	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4808 wrote to memory of 4024	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4808 wrote to memory of 4016	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4808 wrote to memory of 4016	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4808 wrote to memory of 4016	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4024 wrote to memory of 1432	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4024 wrote to memory of 1432	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4024 wrote to memory of 1432	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (104) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
NL	23.62.61.129:443	www.bing.com	tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	23.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	8.8.8.8:53	129.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	1.112.95.208.in-addr.arpa	udp
US	8.8.8.8:53	215.156.26.20.in-addr.arpa	udp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	50.23.12.20.in-addr.arpa	udp
US	8.8.8.8:53	198.187.3.20.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	57.15.31.184.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	11.173.189.20.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/4808-0-0x000000007453E000-0x000000007453F000-memory.dmp

memory/4808-1-0x0000000000E90000-0x0000000000EFC000-memory.dmp

memory/4808-2-0x0000000005F70000-0x0000000006514000-memory.dmp

memory/4808-3-0x00000000059C0000-0x0000000005A52000-memory.dmp

memory/4808-4-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4808-5-0x0000000005A60000-0x0000000005AC6000-memory.dmp

memory/4808-6-0x0000000006620000-0x0000000006632000-memory.dmp

memory/4808-7-0x0000000006B60000-0x0000000006B9C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/4024-13-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4024-14-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4808-16-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4024-18-0x0000000006340000-0x000000000634A000-memory.dmp

memory/4024-19-0x0000000074530000-0x0000000074CE0000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:57

Platform

win7-20240508-en

Max time kernel

596s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2124 wrote to memory of 2592	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2592	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2592	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2592	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 2992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2124 wrote to memory of 2992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2124 wrote to memory of 2992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2124 wrote to memory of 2992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2124 wrote to memory of 2992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2124 wrote to memory of 2992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2124 wrote to memory of 2992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2124 wrote to memory of 1520	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2124 wrote to memory of 1520	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2124 wrote to memory of 1520	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2124 wrote to memory of 1520	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2992 wrote to memory of 2740	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2992 wrote to memory of 2740	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2992 wrote to memory of 2740	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2992 wrote to memory of 2740	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2992 wrote to memory of 320	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 320	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 320	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 320	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 1220	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 320 wrote to memory of 1220	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 320 wrote to memory of 1220	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 320 wrote to memory of 1220	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 320 wrote to memory of 1260	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 320 wrote to memory of 1260	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 320 wrote to memory of 1260	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 320 wrote to memory of 1260	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 320 wrote to memory of 828	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 320 wrote to memory of 828	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 320 wrote to memory of 828	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 320 wrote to memory of 828	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 320 wrote to memory of 828	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 320 wrote to memory of 828	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 320 wrote to memory of 828	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 828 wrote to memory of 1344	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 828 wrote to memory of 1344	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 828 wrote to memory of 1344	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 828 wrote to memory of 1344	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 828 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 828 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 828 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 828 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 648 wrote to memory of 2308	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 648 wrote to memory of 2308	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 648 wrote to memory of 2308	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 648 wrote to memory of 2308	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 648 wrote to memory of 1784	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 648 wrote to memory of 1784	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 648 wrote to memory of 1784	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 648 wrote to memory of 1784	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 648 wrote to memory of 1800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 648 wrote to memory of 1800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 648 wrote to memory of 1800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 648 wrote to memory of 1800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 648 wrote to memory of 1800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 648 wrote to memory of 1800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 648 wrote to memory of 1800	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1800 wrote to memory of 2788	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1800 wrote to memory of 2788	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1800 wrote to memory of 2788	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (103) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\OQuUMXeL3mko.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kEPzV4U2UA17.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\jqaHeQYbFgc2.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FFba0qflpWrd.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\o9mj8SOz6Ky9.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2sQM3eVQD57A.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ShjbzvVQ9H5N.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EDEH8BfR5Mq5.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp

Files

memory/2124-0-0x000000007441E000-0x000000007441F000-memory.dmp

memory/2124-1-0x0000000000F90000-0x0000000000FFC000-memory.dmp

memory/2124-2-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2124-3-0x000000007441E000-0x000000007441F000-memory.dmp

memory/2124-4-0x0000000074410000-0x0000000074AFE000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2992-12-0x0000000001140000-0x00000000011AC000-memory.dmp

memory/2992-14-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2992-13-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2124-15-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/2992-16-0x0000000074410000-0x0000000074AFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OQuUMXeL3mko.bat

MD5	81c29b1cf82335a432960bebb03bdcd2
SHA1	6865278b5c2e42f830fecb18b33e6519b33fc8f2
SHA256	bbeb2be2149e67f03d3e2c3de5279820c97fc9bd6f42d8804da74cff814d0b48
SHA512	34926a365eae62c5b01c90ba6bb581630b90d7eb18d9680741093c7833135bdb375e53d7b0a2f4441642b36cf995cfdd7f7a057ee232cd302c6234b75469fe31

memory/2992-26-0x0000000074410000-0x0000000074AFE000-memory.dmp

memory/828-29-0x0000000000210000-0x000000000027C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kEPzV4U2UA17.bat

MD5	99eb860a28ac1854aa69d002bdb99e10
SHA1	1042ae6d13eeda418eb34c29fa67cf50d3983310
SHA256	e517cb8abb6388a68856d895aafda0242accfd75f5220851f1076b96edb2741c
SHA512	1ae748141d64c13de87bb2ca3cab07ea4ac781fbe9c5452206147c534f4ceaba7c83aae5a73fff0eb65fb02a8276f036ed8bb9851aa31a014efb199c1f4e822b

memory/1800-41-0x0000000000840000-0x00000000008AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jqaHeQYbFgc2.bat

MD5	15a284ede958a8ade17418a827873baf
SHA1	3e3cf98ed34d7a3a952af8e18c93ed87548f6252
SHA256	bf3a7b64a83017bd4f0b2c8ba3a2faacc6386e2d30c9c0037a7941a460b3afa8
SHA512	816b145ad51607bb4fb7e04c1d70ed0202f94b613b9f8a778e79a53b5f638a1976347557bc373531ac8103418396ffcf8f6b9942399d40acb51bba8b428c0a16

memory/2980-53-0x0000000000C00000-0x0000000000C6C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFba0qflpWrd.bat

MD5	6f2c516d72140f9e445744904adc4e25
SHA1	e240e86de2638af970a509ad2c3bdaa830749e6b
SHA256	e010cbac8504208ae0b23c5e6db01602233d441778318e38e4d023aa420773d6
SHA512	d6aceae40c852827f7ff6454c04a5f29dbb2ec5685c26a8809a0da2adbd3625ae387457d7a9571c0c5da6b093611a60a88ebae03e092ba3bcc87eaced5ed004e

memory/2752-65-0x0000000001380000-0x00000000013EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\o9mj8SOz6Ky9.bat

MD5	b4057fbf22791e8132c42f9c35f70554
SHA1	9959cecdd66debc720f70ecd6638d28cf4b88629
SHA256	65902ed33bf3b6a4f28f380cda17774b77b032da09a4faac3e83746039d9d212
SHA512	be6ac002f3982ca96770fe4218d6c69dfa1f67ad3bd015197223b0b7f8fa60a843deedff1c8e3388512832e65b08d466628d259a0e428b346e8a48ba59974d24

memory/2020-77-0x0000000001380000-0x00000000013EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2sQM3eVQD57A.bat

MD5	f33462ae94fcda123bab241f3b80a617
SHA1	66253daec9b9d753487a7e21fafb2df037c4ba11
SHA256	a236e044d9f1f665a9da0bb15542c4f61cc26230b4ec65b5262a82b95e9ae360
SHA512	fea2c60a2a01953b760864307bd669d0ca4b5dfa8415bf72b24d68e70ecf97e05d41f252d31f600742b66aecdf2e64673a7cff832539c69cd424dde6a4a695d0

C:\Users\Admin\AppData\Local\Temp\ShjbzvVQ9H5N.bat

MD5	83a503a0da2f6eeea09db3e49348a407
SHA1	002f0a972773f0f86fb94a62346d181ae10915de
SHA256	57ce83a782794c4f9e3a8d05ac0e236ff47fb2daff83a94c61b0845b87864c6e
SHA512	98593be71d91472911add53867828755c00d1919b1df686c343f219e55bbe3458c202f3fbee5eaf58774010a73876beca27380825202082aa83fba08dac7c323

memory/3020-100-0x0000000000190000-0x00000000001FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EDEH8BfR5Mq5.bat

MD5	c291a06f56509eb82fd40e9dcea1781f
SHA1	8d39c52fa31bfa7e7c8639c47377bfa463fc3337
SHA256	107b8acadb95fa19e67e1847056c95ef3656ce5699c9015c316e01b6262df34f
SHA512	6f329db073df91d6ea13f5f6f594216c3530c09c50b3d062f6d89198dba921b1bc3bbe59813009232ebe0807c0676b8572b6a0e2eea0a2a27725aa16a323b618

memory/3064-112-0x00000000003F0000-0x000000000045C000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:41

Platform

win7-20240611-en

Max time kernel

599s

Max time network

620s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2080 wrote to memory of 2892	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2080 wrote to memory of 2892	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2080 wrote to memory of 2892	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2080 wrote to memory of 2892	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2080 wrote to memory of 2880	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2080 wrote to memory of 2880	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2080 wrote to memory of 2880	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2080 wrote to memory of 2880	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2080 wrote to memory of 2880	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2080 wrote to memory of 2880	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2080 wrote to memory of 2880	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2080 wrote to memory of 2676	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2080 wrote to memory of 2676	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2080 wrote to memory of 2676	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2080 wrote to memory of 2676	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2880 wrote to memory of 2508	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2880 wrote to memory of 2508	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2880 wrote to memory of 2508	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2880 wrote to memory of 2508	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/2080-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

memory/2080-1-0x0000000000C20000-0x0000000000C8C000-memory.dmp

memory/2080-2-0x00000000742D0000-0x00000000749BE000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2880-10-0x0000000000E10000-0x0000000000E7C000-memory.dmp

memory/2880-11-0x00000000742D0000-0x00000000749BE000-memory.dmp

memory/2880-12-0x00000000742D0000-0x00000000749BE000-memory.dmp

memory/2080-13-0x00000000742D0000-0x00000000749BE000-memory.dmp

memory/2880-15-0x00000000742D0000-0x00000000749BE000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:49

Platform

win10v2004-20240508-en

Max time kernel

600s

Max time network

613s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1232 wrote to memory of 656	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1232 wrote to memory of 656	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1232 wrote to memory of 656	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1232 wrote to memory of 2544	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1232 wrote to memory of 2544	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1232 wrote to memory of 2544	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1232 wrote to memory of 4772	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1232 wrote to memory of 4772	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1232 wrote to memory of 4772	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2544 wrote to memory of 3380	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2544 wrote to memory of 3380	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2544 wrote to memory of 3380	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2544 wrote to memory of 4776	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 4776	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 4776	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4776 wrote to memory of 672	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4776 wrote to memory of 672	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4776 wrote to memory of 672	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4776 wrote to memory of 5028	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4776 wrote to memory of 5028	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4776 wrote to memory of 5028	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4776 wrote to memory of 2764	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4776 wrote to memory of 2764	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4776 wrote to memory of 2764	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2764 wrote to memory of 4100	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2764 wrote to memory of 4100	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2764 wrote to memory of 4100	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2764 wrote to memory of 684	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 684	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 684	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 1848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 684 wrote to memory of 1848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 684 wrote to memory of 1848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 684 wrote to memory of 4280	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 684 wrote to memory of 4280	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 684 wrote to memory of 4280	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 684 wrote to memory of 2860	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 684 wrote to memory of 2860	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 684 wrote to memory of 2860	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2860 wrote to memory of 3924	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2860 wrote to memory of 3924	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2860 wrote to memory of 3924	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2860 wrote to memory of 964	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 964	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 964	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 964 wrote to memory of 3956	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 964 wrote to memory of 3956	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 964 wrote to memory of 3956	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 964 wrote to memory of 5036	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 964 wrote to memory of 5036	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 964 wrote to memory of 5036	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 964 wrote to memory of 3808	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 964 wrote to memory of 3808	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 964 wrote to memory of 3808	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3808 wrote to memory of 5084	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3808 wrote to memory of 5084	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3808 wrote to memory of 5084	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3808 wrote to memory of 3564	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 3564	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 3564	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3564 wrote to memory of 4004	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3564 wrote to memory of 4004	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3564 wrote to memory of 4004	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3564 wrote to memory of 2900	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d0OfDxCtX5DJ.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2544 -ip 2544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 2192

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wblxpb7v3gMC.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2764 -ip 2764

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 2176

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N8dboL4mimEI.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2860 -ip 2860

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1720

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ik2TT1VhKaSr.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3808 -ip 3808

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1088

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piCizBy2rZrb.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4104 -ip 4104

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1708

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U9Okyp1LhEsU.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1712

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VHmABSEeVohs.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1788 -ip 1788

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2164

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naNT47qc5Vhw.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2424 -ip 2424

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1668

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UFDhXTAUy4m8.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1200 -ip 1200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1696

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9gPiW7Dmnjn1.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3960 -ip 3960

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAXVbESWXUna.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4788 -ip 4788

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5yHdF5fYo9hY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3480 -ip 3480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 1664

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NHsv8lHVOqic.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 956 -ip 956

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aVvyLTON2qMC.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3916 -ip 3916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\njy1XCVFhq0m.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1280 -ip 1280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcLB876vijgH.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1148 -ip 1148

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1640

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pXZdZpNpLd7M.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1252 -ip 1252

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qfx4mRa99Cvj.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N52jRxFy58Tt.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1988 -ip 1988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 2196

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmIUIyQ81Zql.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1164 -ip 1164

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1724

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uggduu1p2SVG.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 2184

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zNwOlwCzyss8.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1948 -ip 1948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1708

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\34DAcxM9tIF0.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 932 -ip 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1676

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LNoSVdy6T0G3.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1660 -ip 1660

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1212

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eBZZ9UC8kf91.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4016 -ip 4016

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yzJgnMQ91K30.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3620 -ip 3620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BDMjz4X2fKia.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1568 -ip 1568

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1708

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	52.111.227.14:443		tcp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp

Files

memory/1232-0-0x000000007484E000-0x000000007484F000-memory.dmp

memory/1232-1-0x0000000000460000-0x00000000004CC000-memory.dmp

memory/1232-2-0x00000000054C0000-0x0000000005A64000-memory.dmp

memory/1232-3-0x0000000004FF0000-0x0000000005082000-memory.dmp

memory/1232-4-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1232-5-0x0000000005090000-0x00000000050F6000-memory.dmp

memory/1232-6-0x0000000005CE0000-0x0000000005CF2000-memory.dmp

memory/1232-7-0x000000007484E000-0x000000007484F000-memory.dmp

memory/1232-8-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2544-14-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1232-17-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/2544-16-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/2544-19-0x00000000061D0000-0x00000000061DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d0OfDxCtX5DJ.bat

MD5	a84675a9877aac37cf32a26a8787809a
SHA1	dd85dd1144ce8e2e1139f32692d735e508e148d2
SHA256	edab949cfa8e818350636a04e7164fbb3c713bf666ab2c61025538a87c00ac69
SHA512	bbd07ad5ba4a9f7703e630dc13b0d93ee9a7a052e587fe4f1cdf4635db479185733862f3798de85934601fd98c63dbb309bba211683f8ce2dd28bff83b2560a9

memory/2544-24-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	1eda66d9cdedf0f115eb0d94687a557b
SHA1	3fee5a222df7e23fee51ec79f9bd370678ec3e73
SHA256	9301351159f6130e09bfd49e40b02e50b3ad8d3165b3f23f6622624feafcb451
SHA512	a6634baa0a8c1f378feea3b0009c96597e91ad418fc493f602605fb7e3a189fe90c8e3f89ab70bc10b9eea3e5bc36c76da23a500616eb82a6dce55ee2ce70533

C:\Users\Admin\AppData\Local\Temp\Wblxpb7v3gMC.bat

MD5	efb246bafad3c49bc3e485b39b115101
SHA1	92cec8251689589c688336e0bda3203bf1451a5f
SHA256	34ac06f791b14f1e547a951031dc2792fc3cda35c8ffe57b51dfee5e1ab11d05
SHA512	4e4fa0225c90d2bcca554062b3146b340b9c4f03dc98bfbe566d9d5e09d5ed22d051011823a56a128275728799769504159fb2faad268d09facacab3f31b55f8

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512	cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\N8dboL4mimEI.bat

MD5	4317297fe3dbebaa55943a12fd8e4912
SHA1	669ff38af185c8c3607d31c5f07c9d292ff2c47e
SHA256	3efa2ed7ee7ce505a47d2098ad27d7fc3e151fd1f70d6fc5593391c325d08269
SHA512	79f4d4aa83488f154473d73d6d35db9255e96ef2eed09f6371cbfb230c7160621a4cdcca51b2e872147dde0f009fabf3e0b5a826d127c5db5a5d92837cd2bb72

C:\Users\Admin\AppData\Local\Temp\Ik2TT1VhKaSr.bat

MD5	b3dbb6b1cae1e7dbce2e87b3a8a51e18
SHA1	f8dd91894c6cfc9fa555829f74f7ca5562ae6893
SHA256	c580bfbae6ce455262537607aa879887939225d8d3212a7ffed67e7846fe3cbb
SHA512	a70eceb99ddbc6d060fcefa3d42396cba54254ac18300b30b08f1c6b9752b171902df6d19080c6480655e554509c7cb355a58cdb75e98592b97e6b6c820fdc75

C:\Users\Admin\AppData\Local\Temp\piCizBy2rZrb.bat

MD5	e91072e5dc7814aa7a6a486df022c3e9
SHA1	de4928a3fd71e7aa44d34feea3b4dfd51fe2e4a7
SHA256	ba04469b33e569a9c49bfe8c10245fa1f01d47e263da8ca277174d96b4381d4d
SHA512	1dfefbc9f00f6b2bf514270c05193fc2807d625ee0ae24d14886436f91a46f61294d0159eb961b124258f830e3e144a0a269bb6a88a76a09f3642c7061ed1107

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	53f9d61a9d9aa16a3b1627585315bfe7
SHA1	e2e715a275a97443c5bb07dad3346e93846b7dd2
SHA256	75a8a96f05a58eb0dd203a5af4cb933093f638b40cd17284e37bfbf07a7e464f
SHA512	8193bf34637e03c111e2aadea3e7271084714f2b4e03741dac60c12cff57883151af32e4147785a58e1435d1152e732c2ba35be5f74557f1d20565abed38ba7a

C:\Users\Admin\AppData\Local\Temp\U9Okyp1LhEsU.bat

MD5	90521c83563d4469787aab3a207106a5
SHA1	76de4eab3204100e700077cdfb330004e8679c4a
SHA256	35b364484a8bb203ae2d6be2e56ba8e532a18a344f387eae3425154e25d339fb
SHA512	456babc3b30d3840175e1de35314a989023f1bebb1b0156c5bce2c1c91f766bdadd7e2fb4429e465c7d1353d83f8e5600cae6d61ec49fcb0fd1f230dcdc38518

C:\Users\Admin\AppData\Local\Temp\VHmABSEeVohs.bat

MD5	2c24240a379f8a3d3dd369be19628a4c
SHA1	2a7be66fe2156df7cd8a89b2176fe9fc4ea6472d
SHA256	e41114a6da7d8506b6698a4a96e761b0e39fd901295908f14ebce9fc37f1063c
SHA512	40b1c7dea0f3cb06d1e8555da783d1ebe652ec942c3652132a14f42b506aac305c0b03da4e8dba2197cd3e09b60566e4629eb81cfc0fb3e920c1f48a59874569

C:\Users\Admin\AppData\Local\Temp\naNT47qc5Vhw.bat

MD5	397ef4eee5a4fc92ea464b6d12427a8b
SHA1	654a3a7ce30afee75952383c06bd970ead656712
SHA256	7a0a78e9505968616854124e1d3c5144afd74ad604469bebcd3f8b79cac47340
SHA512	b8c405b0a45a1f3c04949b1769b9e909e176fb50d87f4a62d6dc8a08744e8ae1f0cb5689006b69ddaf08cf7c823e91aef8fde034e8d8a7c5c6fb249da8ede221

C:\Users\Admin\AppData\Local\Temp\UFDhXTAUy4m8.bat

MD5	cb77f0b1fa30dcc3e147640913d2b673
SHA1	611c86883698f436218d7190e8cc1620e2636435
SHA256	85c0771a4a48d74de7e748430e585d2ad3a7cd3d0ba29d2b285602b42073d1e9
SHA512	7b1da70ff18472613e4cd916d429a844c57489a17882175dbcfbb9fd391fe3a5b1eaf8aca1ebaba2662cd530538fc441e757e8723a2085417cd5a9d614b76d8a

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	784d15b80552313ee23a00d65e595d14
SHA1	079389a4ce828b0e5eb5982693dca649a920844f
SHA256	251971ef1590ec056c70ce59b0b8abb7763c38c8d9971a37d6bf0811e41b5e75
SHA512	dfd97d39a468404cc382155bc70d2f63ac75b1be7bfa6da9175310c89779dcc3730c305cd7d2e5eeb559d73950118c05d8c20f8ae864ef7477a5b4e2d9e57e9d

C:\Users\Admin\AppData\Local\Temp\9gPiW7Dmnjn1.bat

MD5	606add5b3a500aa9b738c8255bb22924
SHA1	99ead88a4e5bfaecc610c4817aa5ac628203cc97
SHA256	5470e7883109cde6db07824d3e478d467fd96bfbde2bfcb40186be75ba19fa48
SHA512	2e40ed3c2a4f6585059d19f3063d7ed439f8498be6de65f6e79a316a1957a255fc9a7ca3d8cc55a444300b43a3bbe482c81e7aaeeafa92271813a52a016c81cc

C:\Users\Admin\AppData\Local\Temp\lAXVbESWXUna.bat

MD5	a3a9594738fb7ce024c36391862a225a
SHA1	c410d71cbaeae202b98305c164c8402972270356
SHA256	a7a8ef235fa821601083ff5c3b910e9fccf71f02513b8f893453818c5cf45b6a
SHA512	bf2903b13074de0ab9133c256051e0ebe5712543e1a956aa680aedb566b17520ef5d6c9f5d75fc949615505d791cb4f0b85c1a6973954cba78b1f6dc37cad58c

C:\Users\Admin\AppData\Local\Temp\5yHdF5fYo9hY.bat

MD5	f5b805645db9c00af35081ca53afd07d
SHA1	ba03ef9d4d8db80834ad9b121efe5ff9f6a4c408
SHA256	fd4c202e87d5482d37b4220aa7221422a6b62aaa6a7650da5f6e372c5a6979d1
SHA512	4abffc87f0bf7f44d92f0e07b6054aad2da2ea29877598e5b9b9e9dd1b1649d1a342004bce64b24e8842f78e9f5b43e7485db59020bdf4d3027268465c8b7d10

C:\Users\Admin\AppData\Local\Temp\NHsv8lHVOqic.bat

MD5	446cf58a7eed6c9744c373299b6d2ef5
SHA1	3ab9e0010b1c4edbff3ae1368364712975367f5e
SHA256	bdc38b8523196fd610033e4c9b82fb607d693ede378151988e1e7be62e638934
SHA512	bd526009d8f0feccfb3a0d57f9e6dea354e727f70436f1e73ea746e32594bc40a1770ed7716c4b2233eec530cabada8f978646f48220f72602bfcb1e689913d6

C:\Users\Admin\AppData\Local\Temp\aVvyLTON2qMC.bat

MD5	a83a6358ed4c29be6cfad396556412f0
SHA1	24654baf48dba10aa13e821334be3f18d485f678
SHA256	0f4517d5e72108face1b593f6617ded192da619b36933cbc5fab3c525cb02443
SHA512	db941833423131b7412c4a7f4b4adf5e93d0afe252dc1a8e34470d77c215874f6c886aa5f3805d13fb47b8c7749a25c4ffc49b33ba9cdc4ef3bf4bbf5949dd54

C:\Users\Admin\AppData\Local\Temp\njy1XCVFhq0m.bat

MD5	49faba1dbddf82b18fc351e4c89aa0a4
SHA1	d45891929a219cac34ec3675d341bc62c92f5bef
SHA256	0c463eab4194dc84e5a441fd19c3667a90db33732426afd022cf26f37b85d9c8
SHA512	2504b322fba8f8aade75bbfd1db19544007e08167ef435c10f275bf0ae8bd64aa370b088ec53900c8a9471aa4ed2424bc05f961fe62ebbb652849c57a68bc99e

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	bffb95fde3b7f42718926bf99f2d3674
SHA1	95cf1b8bccb2ac67a519e6ed438972ee9dfca682
SHA256	085d6280f55dd24087c8694d65d4316127792678b427f25cd2adb2906da26d2e
SHA512	e054c6b64531f7ec9e3d67a3fb478dcd675a5316f753ac351fdb3111468e9a152a8b5f82cd17568184be378b49d88ae74036c0c1d103ac27f15e9c2908c32921

C:\Users\Admin\AppData\Local\Temp\GcLB876vijgH.bat

MD5	85bf724415fa21b938d8b66981415675
SHA1	675547f3eb24e736d861de2411b96ad3339c114e
SHA256	34041a060db904d085d9fa039ca3e1588342bb51a3dedc387ea49752fa1bafb7
SHA512	27719b90eef93422af684575f54830a6760a93e23a458df1afb3e259427732762f90152baebadfd7a4466dc003e5c9408615391f14cb42820cc4da9bd068b1c5

C:\Users\Admin\AppData\Local\Temp\pXZdZpNpLd7M.bat

MD5	44b10ef9fbda7df88eb5170a47125f3a
SHA1	03a7cfcbab5a605c773dd549edfc422e3c024377
SHA256	8ac5b3124b7b6ca0d318b63460b47326ea7226595d82864b11d7070a3d391850
SHA512	0381def451f3aaabdf9f1481215d24fe50e53d1a23b4c1a7d7fc0d2a72b9c75b877888a4404e0675ff88a13d8d9648798035ca31ca5b5ea17deaf525fe96f2e9

C:\Users\Admin\AppData\Local\Temp\qfx4mRa99Cvj.bat

MD5	52b94be366a4b6e83fcc47a27a99fd6a
SHA1	54591967c128803b585d67f3be852b592dfde72a
SHA256	9c7ac6ef4751406f182d57fb4e545c5c8c03d9b70335a4c7cc319bf065c76950
SHA512	e03912fcba511a80a6136bd9a5f7825b05b5fa76585df1f8cea65616bab477cc14dfc7c731634e68648dbcf76d7c9d1ad050bec1e7fc9c222434fb54ac99f2ca

C:\Users\Admin\AppData\Local\Temp\N52jRxFy58Tt.bat

MD5	06e1e1638f411888ebea131d9931460a
SHA1	f9ecd7a66c068a45e43769228cf7c24e4c16167a
SHA256	2722d368b0cd54cf85a9fe5cbaa41c3029bad3574bf69ea11893a4503d067570
SHA512	bc0b93a1da5ada78542e0d98f69501f61a922f2e23e2723b894f9b71031ddcd75904f862b9a62f3e2f88155fa2bef8e6c340c6572548d4c52a04a65467589921

C:\Users\Admin\AppData\Local\Temp\SmIUIyQ81Zql.bat

MD5	92840da3dfb39be6744e0d61b403260d
SHA1	d9f8f4504a3c776c47528b3f7cde7b8f399711dd
SHA256	c756d620d9095a8aec8625e345525dc04ce2357045f07262e08381aaba82c09c
SHA512	675d44d150a898d381f74623819dcc06fb01760f62db220b70878caf35235f2abae4c620b3b436d30393a5e90982a8788f642d82b9e023942d2dc8d9949b42d0

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	71691191d57c29711fb5e398a9d721db
SHA1	dd43a3449df86c6fd77bf2e541e6257e2eb29ef4
SHA256	f23a9f273ebd4e54c0ce3faa847014deff17d47c6b8c10f3e8d9abb0f2bc43e5
SHA512	eb8b115be54c9114da1869e60def180b9991aa302087abbd9174b1ee9c366b740a5656df94975e09a2fe05208ff4db71869a1d89f52593f7b2a2aa8a02ef1776

C:\Users\Admin\AppData\Local\Temp\uggduu1p2SVG.bat

MD5	af481af63baa7743d55acea2ddd49723
SHA1	0b7d851f8383b705c1932ff94ec362daa0799099
SHA256	f94765618287b327a202d1211eefbfbe6b8af16d98acc71fa97b1587fcfeba0d
SHA512	8a41b0339ec7cb3e6d1a6f73780dd40ce1725b9aaa5d900c44601d0157804275c9ede55ecb56b6b79e1ef4a21218a75251bc9f70fcb2ce5c3139a49b5ffbc201

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:52

Platform

win7-20240611-en

Max time kernel

597s

Max time network

620s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2928 wrote to memory of 2600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 2600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 2600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 2600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2928 wrote to memory of 2480	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2928 wrote to memory of 2480	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2928 wrote to memory of 2480	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2928 wrote to memory of 2480	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2928 wrote to memory of 2480	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2928 wrote to memory of 2480	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2928 wrote to memory of 2480	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2928 wrote to memory of 2792	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2928 wrote to memory of 2792	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2928 wrote to memory of 2792	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2928 wrote to memory of 2792	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2480 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2480 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/2928-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

memory/2928-1-0x00000000013B0000-0x000000000141C000-memory.dmp

memory/2928-2-0x00000000749D0000-0x00000000750BE000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2480-10-0x0000000000A70000-0x0000000000ADC000-memory.dmp

memory/2480-11-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/2480-12-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/2928-13-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/2480-15-0x00000000749D0000-0x00000000750BE000-memory.dmp

memory/2480-16-0x00000000749D0000-0x00000000750BE000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:52

Platform

win10v2004-20240611-en

Max time kernel

582s

Max time network

607s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 928 wrote to memory of 2492	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 928 wrote to memory of 2492	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 928 wrote to memory of 2492	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 928 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 928 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 928 wrote to memory of 956	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 928 wrote to memory of 5096	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 928 wrote to memory of 5096	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 928 wrote to memory of 5096	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 956 wrote to memory of 3496	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 956 wrote to memory of 3496	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 956 wrote to memory of 3496	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	140.32.126.40.in-addr.arpa	udp
NL	23.62.61.72:443	www.bing.com	tcp
US	8.8.8.8:53	72.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	1.112.95.208.in-addr.arpa	udp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	215.156.26.20.in-addr.arpa	udp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	50.23.12.20.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	30.243.111.52.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	5.173.189.20.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/928-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

memory/928-1-0x0000000000510000-0x000000000057C000-memory.dmp

memory/928-2-0x0000000005530000-0x0000000005AD4000-memory.dmp

memory/928-3-0x0000000005020000-0x00000000050B2000-memory.dmp

memory/928-4-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/928-5-0x0000000004F80000-0x0000000004FE6000-memory.dmp

memory/928-6-0x0000000005500000-0x0000000005512000-memory.dmp

memory/928-7-0x0000000006200000-0x000000000623C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/956-13-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/956-14-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/928-16-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/956-18-0x0000000006090000-0x000000000609A000-memory.dmp

memory/956-19-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/956-20-0x00000000751F0000-0x00000000759A0000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:53

Platform

win10v2004-20240508-en

Max time kernel

598s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 4372 wrote to memory of 2720	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4372 wrote to memory of 2720	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4372 wrote to memory of 2720	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4372 wrote to memory of 1932	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4372 wrote to memory of 1932	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4372 wrote to memory of 1932	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4372 wrote to memory of 2664	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4372 wrote to memory of 2664	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4372 wrote to memory of 2664	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1932 wrote to memory of 2020	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1932 wrote to memory of 2020	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1932 wrote to memory of 2020	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1932 wrote to memory of 4524	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 4524	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 4524	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 3432	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4524 wrote to memory of 3432	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4524 wrote to memory of 3432	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4524 wrote to memory of 1016	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4524 wrote to memory of 1016	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4524 wrote to memory of 1016	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4524 wrote to memory of 2812	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4524 wrote to memory of 2812	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4524 wrote to memory of 2812	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2812 wrote to memory of 3852	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2812 wrote to memory of 3852	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2812 wrote to memory of 3852	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2812 wrote to memory of 1744	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 1744	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 1744	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 3092	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1744 wrote to memory of 3092	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1744 wrote to memory of 3092	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1744 wrote to memory of 2736	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 2736	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 2736	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1744 wrote to memory of 2320	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1744 wrote to memory of 2320	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1744 wrote to memory of 2320	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2320 wrote to memory of 4724	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2320 wrote to memory of 4724	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2320 wrote to memory of 4724	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2320 wrote to memory of 4288	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 4288	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 4288	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4288 wrote to memory of 4308	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4288 wrote to memory of 4308	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4288 wrote to memory of 4308	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4288 wrote to memory of 4340	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4288 wrote to memory of 4340	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4288 wrote to memory of 4340	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4288 wrote to memory of 3816	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4288 wrote to memory of 3816	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4288 wrote to memory of 3816	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3816 wrote to memory of 2380	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3816 wrote to memory of 2380	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3816 wrote to memory of 2380	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3816 wrote to memory of 2500	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3816 wrote to memory of 2500	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3816 wrote to memory of 2500	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 4588	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2500 wrote to memory of 4588	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2500 wrote to memory of 4588	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2500 wrote to memory of 3060	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (102) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAon6FRDnPi5.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1932 -ip 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 2144

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAfIU05lAXvg.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2812 -ip 2812

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1636

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vJzx6coq7nDM.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2320 -ip 2320

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 2200

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\prfKr6u0IhmM.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3816 -ip 3816

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1684

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGwFkqPWipdc.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2164 -ip 2164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1088

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOJgxTdqXOR0.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3656 -ip 3656

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1712

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaYzMSZOfaOg.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5080 -ip 5080

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQ6qn4xkS3zY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5024 -ip 5024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v6Nbf58uNUMQ.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4888 -ip 4888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1716

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3oS6JrTNpiQB.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1548 -ip 1548

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQszxYuJQVek.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1092 -ip 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 796

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSanB5F4Pecw.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1564 -ip 1564

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1664

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\StmoAjIMEJdp.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1420 -ip 1420

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\abrJoVcqfYha.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1724 -ip 1724

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1708

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ek3Uos0T0vDs.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1736 -ip 1736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 2228

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sXwHcyYIgZLH.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2200 -ip 2200

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1644

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuajvEjA45oj.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1556 -ip 1556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1088

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vPWGn57EKeUC.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2188 -ip 2188

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYiQmSVre10T.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1684 -ip 1684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7GnvREpL5G4F.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 668 -ip 668

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 2240

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N3jJILt3q7GJ.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3168 -ip 3168

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ZTZxwSQcUeg.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4412 -ip 4412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zu0ywUbAciqM.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1668

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSgLiyiKndOM.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1172 -ip 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rHEB8a5ga6zE.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4200 -ip 4200

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mte4nGXbCtDn.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3052 -ip 3052

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1688

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2gaSeObJxkQr.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3620 -ip 3620

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1708

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp

Files

memory/4372-0-0x00000000753CE000-0x00000000753CF000-memory.dmp

memory/4372-1-0x0000000000B40000-0x0000000000BAC000-memory.dmp

memory/4372-2-0x0000000005B70000-0x0000000006114000-memory.dmp

memory/4372-3-0x00000000055C0000-0x0000000005652000-memory.dmp

memory/4372-4-0x00000000753C0000-0x0000000075B70000-memory.dmp

memory/4372-5-0x0000000005770000-0x00000000057D6000-memory.dmp

memory/4372-6-0x00000000063C0000-0x00000000063D2000-memory.dmp

memory/4372-7-0x00000000753CE000-0x00000000753CF000-memory.dmp

memory/4372-8-0x00000000753C0000-0x0000000075B70000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/1932-15-0x00000000753C0000-0x0000000075B70000-memory.dmp

memory/4372-16-0x00000000753C0000-0x0000000075B70000-memory.dmp

memory/1932-17-0x00000000753C0000-0x0000000075B70000-memory.dmp

memory/1932-19-0x0000000006EB0000-0x0000000006EBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rAon6FRDnPi5.bat

MD5	07562201490da5ae243142b8150fed69
SHA1	08d27c1b0b56555e9c3f07220297a5210aae810e
SHA256	26b79cffd4362b0121eac044c2fd82ffd848e4924f79c5b4212c3d5930ff4906
SHA512	06653be30cbea173a0eaf65df5141c8d6aa97fc3b6b499b2133cb5e0fb9990009d79de4c4c4cdc087eb3b44f80269cb9e3e487326821dc06af92ab49fda10788

memory/1932-24-0x00000000753C0000-0x0000000075B70000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	b79b1fd2f8b9d529f9c16ac8faf930c1
SHA1	6698ffa25982e8746207c11f254f34fafc7dfadb
SHA256	55861a5d8d9b88f310f57cc347da1c15945669a8876a87870361a29e7eddd802
SHA512	0854e4a30d9d09038f334aecc0733a6d73684bf7908a72b825077880c1af40e32ee43108b9d02e6d2ece35ab2142fda95f33e1630aa77c48d22f8b2b80414304

C:\Users\Admin\AppData\Local\Temp\ZAfIU05lAXvg.bat

MD5	548e527414f3c3a9517299c52c34624b
SHA1	cf5cfd2ef918cc4749ce7486d8c6989ef3fc1549
SHA256	8439643419ee5ad61782ecd7bfa06b9ba64a4723222e56da4e7004e2e10ce527
SHA512	267c6a1bc1adf57646cf15984e163db3b8b29800ef88d6730748edc389eaf3c4cac96673db4117104f01a24832ad9880b35333e3ca7b4d90defb1fd27acd64dc

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	acedbd8bc88752033d6fd39b476432df
SHA1	f2c66595c14d341ac39d850fbf60a766876415f7
SHA256	b49d455d78e3ec822c6af481cb28720fa238e0a92ae2141a21fe6e126a69caed
SHA512	3cc2f573924db79064451c72581641e8959dcf8206f5efe5355574bb0d7d06d031070a6a9d102bcfcf50e7dc6c8464cf337a714c89aa88046de72195a1fadf1b

C:\Users\Admin\AppData\Local\Temp\vJzx6coq7nDM.bat

MD5	f57f7951e46ccaab18b669aa30269c97
SHA1	8f899088764bb08d0545eb7c9fe442b4dd7b66ac
SHA256	b101c70dec31b328aa031a1f999441c32cb6eb82851502ad70406a21ca492cd2
SHA512	a266fdb6d50e2047c4cf7cfa81cdeb399cda2c342c63ffd0dabbd332472f06f6b8b6dad3463cadfc766d1d421e4ef0cc4e1c2ad8cccef3905dd5a081210e271a

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	c62a9285436af7f9fd23a4007e083b45
SHA1	1d9193039de996d4cbb2b6c620ac9d7d98b53f44
SHA256	17ce649c493fda493adbf29217b34d4d1a7e08811014710c2c56257922ab71ee
SHA512	a103588ab2ada34579d43609c25209e3e84a0d0b8c0cd7bfac2748c8584a55720ce31b23e2d4db8f78530158a51c81bc5d2d72983c0d5ab3ea687a33ae8779ef

C:\Users\Admin\AppData\Local\Temp\prfKr6u0IhmM.bat

MD5	bcc100444b976443baaaa2c341da212b
SHA1	99ef1b3829a049f102c0ff0a94accf32a73c96b0
SHA256	02a5b43d89ec56d283e90eaa635c8556ec537d5a0f010d6ebf641390ee9313c1
SHA512	49851a92d08308e614790a1659db5803a4ee45df56445678359da381f7f6e71b0bc61d55dbc087c8c2eef0b187214510ed8ed2bcc44d6519d2c7866b41f59ce0

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512	cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\JGwFkqPWipdc.bat

MD5	704ddd7d49f06002e660ed31846889f2
SHA1	c7ed6f2f00feb110ca00e62fd2c1276d42077f4c
SHA256	01e8c5e8ff396d5fb940a98528fa04e172de27427d55613ef75d1658a8f997f7
SHA512	baa8479ad181003685f4db06f364c3ed1a424447a2605107e3235b68dc4eb225d0b9a77746af1a2cd2d34885f8e68c364670dbdf7bba028141d2bc96ad484805

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	10df072dbd08159d7c49f7b479133da7
SHA1	8681b96aae99ccfa966a2fa6196a5dd9477869fd
SHA256	5dbc90a2fa40464a5915bc43c0c93633e7bbfd1f9ffb07813c8880b663327c4d
SHA512	3c7975176542b080e91e12e68ea14f87dd78da08365672095be1cf84ef0425998651ce06e82846ae31d84c18e0b6e2f9087ac4bbf0a8a63f0bee0cafa3ac5e86

C:\Users\Admin\AppData\Local\Temp\KOJgxTdqXOR0.bat

MD5	7fc0db3700638518f67f1e37072e64d4
SHA1	e3dfc35b0b28f92c6c02ea73ee296c2c70850c03
SHA256	384bb756eeb5ae6aa5c78bdc94e425d2d478388d3d6e19c97500b9b00306d40e
SHA512	26f9f41cc94a67fa60961e6d15f59b4cbdec83d41d276404dc7502e9dd1e90aaf2a87bc4471f0d82d5d6fee3d6d84eb4a69e721eee392ff52afdcf5db2f069ad

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	8d6daabec45a06ee1562ab4c287e7fcc
SHA1	e4c12424d57846b54afbcbfea4ab3fbb6eb0eda8
SHA256	f18905b7ce624189ddc461413a395304870b41f45ff087542da2935f4e88d67d
SHA512	606fbb94d9462b15f3eb41ee9dc509e27fc28687a0a86bc4de20ecdf4240a71bca43fb3d6e0e3eec81d5b878323453c2880ee4ee5426876328c283b07e8d599a

C:\Users\Admin\AppData\Local\Temp\UaYzMSZOfaOg.bat

MD5	24020b2bd5d80efe96fb1a85b9b82ea6
SHA1	08935ed22ff53c77e810484e72caab987a83ae99
SHA256	19922d6fb9d05cbbe5c52766c30984317ecef0fa75482ed5f4fbe780f51a00a0
SHA512	9249632f24177f895b58fd74f510e57e5ee4f90b84d9f24300c72c8fedec4d295978888f97b40f909c3fa941d50822e4e145bf9b76bc24b555867b11021bb7d8

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	161f12ce685b12d39017ffa457bd1ff2
SHA1	f30aa1cbf3c97e1274346aa4694bb347a7e54424
SHA256	555913c0010dd99cc2c05370b50537f8dd04dc803e351701fd4739698f364b3a
SHA512	253b98618a9c1b559976ed98fae7b8f6700908d40493e1f07e755ea88eead47cf195133d9e691742da038ff3ddbfb5f39fa83a97f4f626a0fab477db92a9c6d5

C:\Users\Admin\AppData\Local\Temp\rQ6qn4xkS3zY.bat

MD5	77e231201980244c1f36a353c02e0403
SHA1	a2e8107c5a855839255c292a9ddec43380e1b195
SHA256	ec42dee687c614ae726cb2defdb9191330c300a41ead4bdd8b60e904d1975d34
SHA512	ae586b1d8520bbbe479972bd201eba1ec28dbea71fa85a7a1df1e74f68e886ddd47f245da0d88f60906ab11be2f657b42d80c785802d0fccd2bc8dc752164efd

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	a18ea136f518d642b91243c55d7a8866
SHA1	89a95c17012678d70bfb72b5dd085ef617ba3714
SHA256	9aa7c9dc24958a8dff5df83963ec95adb0624a7f88748d634584e5e0d5da6894
SHA512	55094bc75309818475d7c70063c917ce8f8af1887635b6614deed31c9457c21f159878aeb6a712fecc8820681d1efe3b941b5a7fc8644a4c7ba83156fbd0a99d

C:\Users\Admin\AppData\Local\Temp\v6Nbf58uNUMQ.bat

MD5	160da2fb701650f8e575e396a0e9ee00
SHA1	aa27a00c5d39774d1175f7a05230784e756bf0d9
SHA256	ab05a2fbe1dde958f887ea85911f20c5431538d72aec4e322dd6a8b14a94fb2d
SHA512	a3231a30532068d4218303643e1a6f09dcbc593a4ef446b1cabfce4f9f030a6fa8e5bc69fc420157f9b45c2f8e772b2293c053a86d415f8a7ae24ccfb7a3529a

C:\Users\Admin\AppData\Local\Temp\3oS6JrTNpiQB.bat

MD5	c5faf23198dc7c905a8ef0f89220937f
SHA1	0794f93081cb3971f22523a61b9464db1388785c
SHA256	14379593c3cfd92084b92ccc5d64c7c343af8316ac8272db7ee58c7a3dc0196c
SHA512	d5e14cd63316106f17406df100883624ede71ab623fd8758e88e4ddb3d48c21488430c2ad774fc3f7618af934f6a44db59de31e947d63453effb1ddaed2c9645

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	59ed232c23f9a253a917ccf8b1b6b4a6
SHA1	1119702e7bac9c17319ce6b604c8b3a0a89e3814
SHA256	b8126af8ade2f2fb0d5dcc7d8089930db319e22de38845428984cfb23da0f177
SHA512	cda2a8c40a8dcbbe4262d266ce5edfc787fe2ccabba8bf33fa829e331581bf0f6cd759c037040f4fdb7fb13fb88617ceeae8fe5c525a6d6e57f1b381100163a2

C:\Users\Admin\AppData\Local\Temp\zQszxYuJQVek.bat

MD5	0518794500442532e5f992cdc52686ed
SHA1	715704ee1e0c7120713fc5185b8da025a255357e
SHA256	58f2c2e42aac5bbc3eabc8bcef32283b3354f3b50567eb668231d9c7a29f5105
SHA512	051360913face8a508b5e5d330576b1c13c5b7a64ace6767fee649b7994b3cf98fbf0423588f2eb7c7439003c0b74ee3d16560aa3c82928a4db5e3e8916af1f5

C:\Users\Admin\AppData\Local\Temp\nSanB5F4Pecw.bat

MD5	85dafa673e8b39e4450189d276b69afa
SHA1	711d8561142cdebf45da88e79418efd2ae70df94
SHA256	1d0d6563bca0825b0d2d9037a47b3fae63d360a9a851e5a33fb2730de44b65a0
SHA512	fecfaf79b5a1b2fb411ae043cd818a7307f9da401c11c117c2c10615b81e7a6850064c31eaa3d6b193e8b043d1f7aaa02ba45c11f750140e79a50a80a0417f3c

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	c04bcbafbbbbfb2678ac38aa55b0e33b
SHA1	4f6223697dd2caeba343126b627db879ca401f94
SHA256	6074e248b3effa3deb9a9cc42c342838cc1301980a4b5934b20f2d3fb8b492ec
SHA512	49d7c32cd83fa06edf1c1464c62445ff359ddba1754cc77c9d08a9db6a94303ca728e1c69d31e73c58130d1156ce77dd42059b9c9a184c212b25ba249bbb58d0

C:\Users\Admin\AppData\Local\Temp\StmoAjIMEJdp.bat

MD5	8386fba5d1863b09a3d28f0b5de007bb
SHA1	4d9a6370c756028b7b1366e1f946cf36e71b79a1
SHA256	c23a04549540ee7035aa532fce49a0c78251833094a04f070d3fac9d30d05939
SHA512	a26622139cfb595e3624a0985de9bc952d2a6a36780b236cfdb4149f892b8693478decbd961d2e07878fc0de71c1247a5d790bfbddf7dfef7718fed41aed2cde

C:\Users\Admin\AppData\Local\Temp\abrJoVcqfYha.bat

MD5	3ed9516d9f9c51e793ed655c706d046a
SHA1	ba08ba94e23f853f136730e85a3203a170042540
SHA256	1eceb32f2dc0ba97ba6485bb5cf0f0b6599602d2daf49123313b535efd9e8fd8
SHA512	4b52edf9553924602e0b42c33b10ccb68516a2d0052d18d9680797031e5e628f1e19ed9a1760b182f5b3b8ca740a42dca3dae6624e6d4958a5b2f44cc4688499

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	53e13016480bb2e7c22b79e720534bde
SHA1	ab8008bfc7ac6962ded46ad91f644c00b323effb
SHA256	fc667bb2fb0f37d0c65e20daebfc476eee82ad965734a4cfd5cb6049651111bf
SHA512	6e3d92433104f77ddb6173c440a08bcef88e85ec0d389404198332f135f88b9b0117d14ccfc8b74df02ec95813f80911f1f9a44679b62eeef10ab5415cdc8bb9

C:\Users\Admin\AppData\Local\Temp\ek3Uos0T0vDs.bat

MD5	df6d0f9a4e9cee3dbd127964498eb152
SHA1	38697fb82486007a00288171b56e9a1b1d3d0bc9
SHA256	3972bd4471d5e32a7bfb59a41e22037e95bb7331a762abb1500faa227fbf9142
SHA512	f86122b4bae772db19cc73f46fb63c3297db0b5351a96ca5555df4fe8621b7d596f9c0ad286e6f0ae8f05a05390ee23709106bb470f0c8a786c29b92b04f37eb

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	44ae4c78fb1f5b57a479be2fb1b35c64
SHA1	1be63bb612281d7e6dc14d67fc6417013a405be7
SHA256	da86a448c604f018c1f53aedeef089dc60beeb665befeeaa87517702b2a635bd
SHA512	48ef7c4153178bf788736a041bcb99c234e3683c4f6670b829d9825e6acac9c62d9b24041fd6c8efc2157acf9918e4231472abda39e65c5aeb7675397c4694b1

C:\Users\Admin\AppData\Local\Temp\sXwHcyYIgZLH.bat

MD5	55a1f2a845f553e7879c833c7c71502e
SHA1	9088cf92ed70544ff9b2b2953f59fddefa2daa37
SHA256	ab5e01e018d994c90f6d876d71f18df562518bf4a974f471180dd734e4b7ae3f
SHA512	a1acf5f1b1d54124442eb55def6d5e969d6b6c631a6fdf5c2258f2238a56f4487b3207a0edbf4b8a4b0b5a1ebbd02ee868722b0d45cf395c67c714ace4aff754

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	e416f3ce2c8591040d9a31fa70b2cf27
SHA1	6da6a362aa339d7f6e9ce5040e8c50cef563cf28
SHA256	dc475662f8c7cc42380aa7f5bef5621a31ec8f37da13b8db2bc73b0e875a8fe3
SHA512	54c40274db9cbaf9b195934da543db1ddc4c1dc6bd61565ea7eb7ba38d418030e836f65de80736561da7d1ce1f1136a4d1e85652f3ff666304a44ab8e9ebbf20

C:\Users\Admin\AppData\Local\Temp\FuajvEjA45oj.bat

MD5	e8b71fdc56517d0a4a0572d08266e0b9
SHA1	62db5a861809a2f21dbc14f61ecac7626cd87617
SHA256	cb617f6882274c94d033365d91b7271da30124ab3de5e6271165a47b378f1e5a
SHA512	776eec5d27c097ca910533e24e40ff35c7f1630b813e595cf73275c8bad501b85d1e7f36e0424611410bfc28b2aa31245f78f36989b67929cdd3dbe46ff14db1

C:\Users\Admin\AppData\Local\Temp\vPWGn57EKeUC.bat

MD5	49d52241d744c132167d1324fa08a3e6
SHA1	86b63572710a1372ff3d36eeff2418b3024c2160
SHA256	8492020ff9bdc195955a56015e14cd05ccfa726b54044d8a62c088229f9009e2
SHA512	ec72ff4d5bb70440bcf7f9401815437176c82c4dbbae7fb8ab61c8925b3f605708c67236c0718fcb5dc94985c6e6232ab177b016afaffb863f6d10117d755686

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	f91b340a5bb0d71bd8bbe38de9e414b9
SHA1	215487b1902d15f22fe55f5732220c976ca82162
SHA256	af3534d23538f586c7c0d6fde68d4bfe033a266f17845596683acd4ef1886214
SHA512	0afb0d5135ee5cdbc313ab3e4da083ae178ae8885c37922465933e1f531c4b3471acdd062bc474a6632c0c0e6c2bcab91ab6b9f838cb1bd7fcc99234de279b54

C:\Users\Admin\AppData\Local\Temp\zYiQmSVre10T.bat

MD5	76aad9368e8e030ececf5bf1b2a12434
SHA1	7ecb64a9efff5efd572a436cad9a757937fa7ecf
SHA256	49198b70b13800109422dc5daec25133bb38073a977ba843051d711b4968261d
SHA512	162a120bb3993ebc20d30ad6b992e23f28ccb2aa7000678cf02fe43f9fd080fdb2f7cd42e2f034515c3392946b164a7317beb8a45a136ed171e4b8e60ce7511b

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	7190907c9c384fdfb23fae045bad6cb8
SHA1	946010cb8777ca23509f1c590232a4e7a22fb60c
SHA256	6ca5ba33fd19d9e6a409ea03f8c03433c1554acdebd37c24c42fead37e4a4f57
SHA512	96fd12d183a87c20a8f4b8ae3a2efcf040d9f1e09c3e75067a036bc2a7238ca75be26065598fa9ec899d9c7e8f412f063febc98228932dcddc901c88bb7ed510

C:\Users\Admin\AppData\Local\Temp\7GnvREpL5G4F.bat

MD5	c8a3fb2dd8720fc39807f8f6123542a8
SHA1	2e54f86b44c5e860d49cae1611ce868ab908de14
SHA256	6703efeed2bf38ecd143d0db0a4278ab55a964daf8a36717c15091878071d0c0
SHA512	4a68716ca1bba7181cdc7de9bdf687404e43fc16ac710cbb5a12d579ce837cc2d97fc163c2860db407a7f101da44298162f4176ae28354b77ea43b21c85d9361

C:\Users\Admin\AppData\Local\Temp\N3jJILt3q7GJ.bat

MD5	8ced6991987130bcc5e005988df9c36d
SHA1	77a8fd96436d0db258b6a253e3daace0cee1400c
SHA256	4b2e11f017536f00bfa4c3e37fc4a512795ab67ce41cfbad16f916bcc110616a
SHA512	c21e63e63ad95848d9070e6ae1312fdd412c6f68866557167dd888230f3e849208c0805eacdf45ee6c3892263da7094bd8a271919acdc5c24bd896828aadc904

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:54

Platform

win10v2004-20240611-en

Max time kernel

580s

Max time network

605s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 3864 wrote to memory of 2968	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3864 wrote to memory of 2968	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3864 wrote to memory of 2968	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3864 wrote to memory of 2300	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3864 wrote to memory of 2300	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3864 wrote to memory of 2300	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3864 wrote to memory of 2132	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 3864 wrote to memory of 2132	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 3864 wrote to memory of 2132	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2300 wrote to memory of 1472	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2300 wrote to memory of 1472	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2300 wrote to memory of 1472	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (102) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	74.32.126.40.in-addr.arpa	udp
US	8.8.8.8:53	144.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	1.112.95.208.in-addr.arpa	udp
US	8.8.8.8:53	215.156.26.20.in-addr.arpa	udp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	18.31.95.13.in-addr.arpa	udp
US	8.8.8.8:53	35.15.31.184.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	13.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	137.71.105.51.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/3864-0-0x000000007507E000-0x000000007507F000-memory.dmp

memory/3864-1-0x0000000000130000-0x000000000019C000-memory.dmp

memory/3864-2-0x00000000051B0000-0x0000000005754000-memory.dmp

memory/3864-3-0x0000000004C00000-0x0000000004C92000-memory.dmp

memory/3864-4-0x0000000075070000-0x0000000075820000-memory.dmp

memory/3864-5-0x0000000004CA0000-0x0000000004D06000-memory.dmp

memory/3864-6-0x0000000005110000-0x0000000005122000-memory.dmp

memory/3864-7-0x0000000005E00000-0x0000000005E3C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2300-13-0x0000000075070000-0x0000000075820000-memory.dmp

memory/2300-14-0x0000000075070000-0x0000000075820000-memory.dmp

memory/3864-16-0x0000000075070000-0x0000000075820000-memory.dmp

memory/2300-18-0x0000000006C60000-0x0000000006C6A000-memory.dmp

memory/2300-19-0x0000000075070000-0x0000000075820000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:48

Platform

win7-20240611-en

Max time kernel

598s

Max time network

622s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\uni\\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe\""	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1644 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1644 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1644 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1644 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1644 wrote to memory of 2452	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1644 wrote to memory of 2452	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1644 wrote to memory of 2452	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1644 wrote to memory of 2452	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1644 wrote to memory of 2452	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1644 wrote to memory of 2452	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1644 wrote to memory of 2452	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1644 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1644 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1644 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1644 wrote to memory of 2580	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2452 wrote to memory of 2940	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2452 wrote to memory of 2940	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2452 wrote to memory of 2940	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2452 wrote to memory of 2940	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/1644-0-0x000000007445E000-0x000000007445F000-memory.dmp

memory/1644-1-0x0000000000200000-0x000000000026C000-memory.dmp

memory/1644-2-0x0000000074450000-0x0000000074B3E000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2452-10-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/2452-11-0x0000000000990000-0x00000000009FC000-memory.dmp

memory/2452-12-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/1644-13-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/2452-15-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/2452-16-0x0000000074450000-0x0000000074B3E000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:50

Platform

win10v2004-20240508-en

Max time kernel

599s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2968 wrote to memory of 4092	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2968 wrote to memory of 4092	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2968 wrote to memory of 4092	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2968 wrote to memory of 2904	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2968 wrote to memory of 2904	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2968 wrote to memory of 2904	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2968 wrote to memory of 2688	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2968 wrote to memory of 2688	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2968 wrote to memory of 2688	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2904 wrote to memory of 5080	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2904 wrote to memory of 5080	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2904 wrote to memory of 5080	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2904 wrote to memory of 4144	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 4144	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 4144	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 2636	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4144 wrote to memory of 2636	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4144 wrote to memory of 2636	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4144 wrote to memory of 4904	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4144 wrote to memory of 4904	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4144 wrote to memory of 4904	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4144 wrote to memory of 604	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4144 wrote to memory of 604	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4144 wrote to memory of 604	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 604 wrote to memory of 4780	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 604 wrote to memory of 4780	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 604 wrote to memory of 4780	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 604 wrote to memory of 1300	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 604 wrote to memory of 1300	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 604 wrote to memory of 1300	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1300 wrote to memory of 3096	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1300 wrote to memory of 3096	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1300 wrote to memory of 3096	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1300 wrote to memory of 3940	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1300 wrote to memory of 3940	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1300 wrote to memory of 3940	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1300 wrote to memory of 1028	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1300 wrote to memory of 1028	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1300 wrote to memory of 1028	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1028 wrote to memory of 1932	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1028 wrote to memory of 1932	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1028 wrote to memory of 1932	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1028 wrote to memory of 3820	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 3820	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1028 wrote to memory of 3820	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3820 wrote to memory of 372	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3820 wrote to memory of 372	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3820 wrote to memory of 372	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 3820 wrote to memory of 1916	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 3820 wrote to memory of 1916	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 3820 wrote to memory of 1916	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 3820 wrote to memory of 3408	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3820 wrote to memory of 3408	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3820 wrote to memory of 3408	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3408 wrote to memory of 2036	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3408 wrote to memory of 2036	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3408 wrote to memory of 2036	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3408 wrote to memory of 1712	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 1712	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 1712	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 2432	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1712 wrote to memory of 2432	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1712 wrote to memory of 2432	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1712 wrote to memory of 4940	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyM8gNhIB3tq.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2904 -ip 2904

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1652

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zxOuHOBX2MOX.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 604 -ip 604

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 2196

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCFhHqSiCAk2.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1028 -ip 1028

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 2232

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KtWS8scs8b6t.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3408 -ip 3408

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2252

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tolvZaumkVXy.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1528 -ip 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 940

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lPM4RWBOqU4d.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3644 -ip 3644

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1728

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kafHkbaAZ9rg.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 376 -ip 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7PE8ADyVMcSY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1580 -ip 1580

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1608

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wz1XFP5nvnHK.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1712 -ip 1712

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuF0g6MhYhiO.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4264 -ip 4264

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1688

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hv956tX912zg.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2556 -ip 2556

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 2232

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9WkEypol61WL.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4556 -ip 4556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 2220

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ae8fBS25vbKi.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2532 -ip 2532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMDApEMYMpOU.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1856 -ip 1856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1668

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAxHT6aadUIS.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1908 -ip 1908

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwmI04GpUc1n.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 692 -ip 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 2220

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e2XFdDAWHZRN.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1344 -ip 1344

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1720

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KXTmV3YZX88q.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3232 -ip 3232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 2236

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6XNrvri1zSP7.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1200 -ip 1200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOkS9DGgIjht.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1804 -ip 1804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUJ9Z5KhbVpN.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3884 -ip 3884

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\im6if0mKfO8W.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4704 -ip 4704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1676

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lj9usSDXo6GV.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2520 -ip 2520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PPPfkUOhjWdN.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5060 -ip 5060

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jDAnOLcj0BXL.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2356 -ip 2356

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kLXDbyp3olLj.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4596 -ip 4596

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 2236

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp

Files

memory/2968-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

memory/2968-1-0x0000000000730000-0x000000000079C000-memory.dmp

memory/2968-2-0x00000000057E0000-0x0000000005D84000-memory.dmp

memory/2968-3-0x0000000005230000-0x00000000052C2000-memory.dmp

memory/2968-4-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/2968-5-0x00000000051B0000-0x0000000005216000-memory.dmp

memory/2968-6-0x0000000005EB0000-0x0000000005EC2000-memory.dmp

memory/2968-7-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

memory/2968-8-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2904-15-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/2968-16-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/2904-17-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/2904-19-0x0000000006000000-0x000000000600A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KyM8gNhIB3tq.bat

MD5	5c1876b15a610acc45fd8fe1ca3f83ba
SHA1	6fa5bd40b43d61185e53990db266a6b4119187bb
SHA256	9371218023c47b44d9133bf4d1b6610bf74d2d954192fb94cf708d848badb838
SHA512	bbbce39d79940f5af5b2cb5eda4de967f226fae06d9923563a46142cc749ef46ff3f02e7ed9ce75bf110e9679322c9a1719b1c18e90aa84e735192333ec11313

memory/2904-24-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	0353ff67c8d57ad04574dc8608020243
SHA1	b1d5bc6a497321adfd511b0b1fdf07dd4295ba5c
SHA256	59971f0ae6e7eaf9b88bbc2a8f99b10407c5931f61d7c59be575cd2db38a7d19
SHA512	cf5514d37c2a22bb3b0fd181f6969fed28d45e30fee159d5655d767754e9950ef6da8394165952940923b3f06ce1b1a5d59b6b82a701575cefc919f9894f0702

C:\Users\Admin\AppData\Local\Temp\zxOuHOBX2MOX.bat

MD5	801ec63946e547281ef802433a2f983e
SHA1	e9e35aae7f324d2d3b62e12489319bc2ee7c9814
SHA256	47fc06faf6dc604be3bc15625f6b5453cde89d0737e2f011cedcea9c4a420952
SHA512	daba53c7f99ad03f5a89bf00b64a608ce1e09e5128a323c8b112860d3bcbc1e9eeab1a94441eceeb32322cb2c0c721acab732ebf40bca557a84584da65bf0b6f

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512	cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\GCFhHqSiCAk2.bat

MD5	6d09e018e667eefc7bd5a64b37a30580
SHA1	c21d1d3c883617c80301e2de71e83f0eaa8612a0
SHA256	e53cf16ae5aae848ff111df60ee4bd8a311825fc85a9b4f307257af5d247c4c7
SHA512	fc4fa3bc4b126bffbc336f9448f25ba7dee298023ef9bafd1d3253e92fd0f4bdcce274ce400073f171e381b5ff0d2be5182275c815f70738fde1a806da68da71

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	4b64df39a852084c776f05ab268d1c5f
SHA1	93bfaa9f8205ae8aeb392acfebebea52483c01f6
SHA256	3ac0a991e31c8d4167b2a9986f4f852823be8cbdd85a381688799ee7543ca8e6
SHA512	fcf19f3753cecaa2649478b700920a3b2b9768ebdca4c2b3e948d2241f1b636eff2eefacbbfca29ebf014111bf713b543fdb084068869c10f2b7dee003a18ee5

C:\Users\Admin\AppData\Local\Temp\KtWS8scs8b6t.bat

MD5	53421eeedb270282a8889f12556865b8
SHA1	3aba43acee4b5db9ee9b88b39e04ef3555c12b5a
SHA256	a43e0b92091cb8768c9e3f70b4b23cbd4329ef45b7dff1733427a33489a239e4
SHA512	83ec53ae30404f1278b400ed5b7d73538deae0ced6c45fa96a92d812580b76f45d7d48a4a79287db0b91d03fd3b6cf1bde7022b437af9e59b9846ae786e5cc52

C:\Users\Admin\AppData\Local\Temp\tolvZaumkVXy.bat

MD5	f0d1a7947d010b7b4925d7f1a9321b31
SHA1	8c53030c4b3da36a8a09092dcdbd7b3e7cfe1e33
SHA256	1cee2e253c92edb298be842e4abd3676d711f5d31b135a1066006f81b6fa028a
SHA512	056acefc0742649a60d87d3e97db30dfd617517cedb11f9019c009cc87b7b4aecaf12918e9b63688f0586c59aa41812cc5c929a1af0c675722211362984b07ce

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	9aadae02c98246885f041af00a166652
SHA1	6a61ba9f59eb3b819af28c47ae27cb4a246d500d
SHA256	d4ae0b65b735ea0f438c0e7c398a66c4abb5e8fe68e3c718e9708424067a15b4
SHA512	d9f856b4fb04f7ca03187fa5619c9f8c9269c696de4356967237f35579914ca97a6951020ccb9268c175d55313cb0fbbcddce5f845e648ce2dfb64e3c04d7fc3

C:\Users\Admin\AppData\Local\Temp\lPM4RWBOqU4d.bat

MD5	dee43e7885f0dd3515c65ad620fae1b1
SHA1	847efc04ce6118bb27c8e90bbc754af0264090c7
SHA256	c1c23edd3dc0d36b9ec2671b730ab3b4c4a644b4af1a41a4b75b0eb151145176
SHA512	3e62daeeac4c3aa3bce434bf0f204b69c9ad872dfb81199433eaec21cb45c62cb21ca58814454ae4c3664d391fe55047ee54734914c43dc9ad0ddf73dac07e5c

C:\Users\Admin\AppData\Local\Temp\kafHkbaAZ9rg.bat

MD5	6b3dca641d6ddce5f33ae9dd2562535e
SHA1	0e89b41c55d53d9fc3e53584a5750f78d5916f76
SHA256	fe1f462cebd7c3c437e23c7ca0126948c7e2df4726ad59a2457c9df6692b8f41
SHA512	195d77e18fd610c467a2a8a69215bfd3af9f25fff3c917639c821d983138a68b1065e1c8ecc2f3b3f67a7981c6e5af1842abdd20f72e3d0aef6727d97ee103e4

C:\Users\Admin\AppData\Local\Temp\7PE8ADyVMcSY.bat

MD5	bc3c5b993c4da7794cb9cb7fbd55fc7a
SHA1	0d94d13e78ed01cd16318eeb285158b95dc01832
SHA256	fd9f8efbc1a29bccc5f185be030656a4ac1b27bc59e51d8b0b7f6d047433c2bc
SHA512	88412ec9f521e13fa5306bfeed9c63c292bf7e4ba0a98f068565a12b8b5053ecd2a15853e76a73bec565582bec5fdd3be6ce0f24b8f74037277abe34b0f0ff5c

C:\Users\Admin\AppData\Local\Temp\wz1XFP5nvnHK.bat

MD5	5757f2012a03d1df927f965f72f792c6
SHA1	eeb99424cc10d2dbe8e7662cfd33b04a9433ee4b
SHA256	2939dd2e4b8eeded0dd9f8095d75cd2d3574b688f05d7a678ea8a13953d85926
SHA512	0ec1f89846fac7aae0d3d30cf6b3a4fe00c277e3469b844f1e9c6a7a9647ef70f8a76f48e110154a5bec360f6e31dd6b735d70885026b1ee7aa2e25ddfcbf0e0

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	b73381a4642b5a47a8cb584bd422ce43
SHA1	3a9248e21ba00fb7e9e3ecf9f618c38cf907558f
SHA256	4ad722e533a9d419e60bc9bd0d146b8edb3ed5cc93d4c57df654b8926ebb791b
SHA512	13f15a69bf9f97e8fc92c9d5cf3b405a1412a12d4c373b9c2bf24450762f96e0da9061d075b4b1fc155795287e132d5e1fe0b57df19db06a8cff56122ca38fd8

C:\Users\Admin\AppData\Local\Temp\VuF0g6MhYhiO.bat

MD5	b4c5dfabb5be0bc437ff176ae36ed98c
SHA1	2222811d2edf7ff5a86b2a2e90ee0654fd9d1913
SHA256	0a8b9311fdaf16e12802b24d09a872a734be4f817958c4e5a34cdf043877c34e
SHA512	179a34a821cd5f2845921793c8561121cf63e387db4477b5b6146513f0cd7c71013bd41de31e486797d2dbdb6f61219bf7e17861a048950f15cc9c4c4a1c2bfb

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	487a81712b117e1382d05a2c66f8e37f
SHA1	d8f381a7de7c6618749dc4737964f3048de93447
SHA256	45b403c0c2fe1fd2179a2951daf3ab70339ff28bceb8d72255a37d9e54faf6bd
SHA512	53a307a67805cd5b6e2be44dec06b9fe6e63c333cd80efbea1939546f202b4f6fbf567fb9112fed486bff03a7c6c66c6a1c475f18f830ac6e0448bcfeb31372f

C:\Users\Admin\AppData\Local\Temp\Hv956tX912zg.bat

MD5	1dbbdd51870908a64ddef12ab5eca127
SHA1	33eedf8ba9523219ec40fc3de232e3bb6246e8f5
SHA256	ba5b8648aed458137f71935e68f84a68e07116e16d40d609343a528a6299dfa3
SHA512	6811bad1f851784930a22e4a657771b0bfc5eb974f6e8bb996fa3e140acf9417d8bb82b59fd342253d16cff4fc350fcea32c14a9126cb96dcb9058b71d09c63c

C:\Users\Admin\AppData\Local\Temp\9WkEypol61WL.bat

MD5	069b9f9f37fc556f08c7fb10c65c2b95
SHA1	529c55437356023ee4a88adc2919f7bc576dec17
SHA256	550f230b4889d789783f8689794f2d620f55a5ee4dfc4053037900407360cff5
SHA512	beeea687325036534a470042f45021dc0a3ffafe99a361d172cb9b0c9dbd2fa43302353fd21b0850d6e7833c61498c143937ed5c56e35970cc3b31dd168bd2f2

C:\Users\Admin\AppData\Local\Temp\Ae8fBS25vbKi.bat

MD5	642fb61a26ab58ca0e7b670d1b102db2
SHA1	0a22eea84de1806bccdeab63a292d67225f26a51
SHA256	463504bb9812d135cc96c480187c192cb50878a0f1ac8efbfc8adcdf1cf57032
SHA512	25385ac784cda144f92e8ed8f89757787f27fbddb31729840d105e8f6743c9489d4576adc8e071c706e5b6037c6bac5c65338503940a636f567c62e283dcd242

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	54771e6b9d60860b7034837b65e94bbf
SHA1	d3e29d50c870c65506fe133792f655e2f6c67fd1
SHA256	275ca756d1f09d9f4e95faed0a5b0fdf0f43b143d8cd875e047853b57fded292
SHA512	ef85240c567c7a08cb571906201fc2369b390f5f73637ee0f1506e20654fbeabad1091311af1d893ddf668392f49f50bd8c8331920d5689af4818f1e05b91de5

C:\Users\Admin\AppData\Local\Temp\HMDApEMYMpOU.bat

MD5	69b26fd7d552746ebe71721e3f8ad3f7
SHA1	fbd1f929d55e6e832f2e3ba1eb605931edfd1db7
SHA256	4679ce8ee600428be3dc91836d7bd06549bf4df672e492216e9601900939c83b
SHA512	5ea02e349ea41bc03eb67881423d7a50a56d9793daed0e53ff6ab99224963a08d5a73dc39e2373e7c1e8e806ba7cc8a7ada374a2065fda64e56681eb3aeac08b

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	2e1ac8f2f90a1d7aa82ea67218888257
SHA1	80aaf29d4df08219c694937784582fe83733d394
SHA256	6806ceca8d36245d49fd89ba685a08ed6ae48de14d4ca8b4680cfcddb6801fc0
SHA512	151ca309f4cc49a08a4e1e203d11481a523ba1b4f009240b171c7b300461c4fcac271a9027481cdf6412dc4999d96c758945af26fe0b03ca02d8365a9032fd87

C:\Users\Admin\AppData\Local\Temp\bAxHT6aadUIS.bat

MD5	50f19a4c82d69b04647d0b2bd9aa460f
SHA1	77137f1cc512351b82f58d2aa075a8f266b66e6a
SHA256	a2e53dec28ec1fc45149d10696cefa0b4a7b8b4526d5db1d13817e5a47f932d4
SHA512	bdb591568597f3ddf58759e4d9a430fb1ce53b99a7358105bf06af63f7dc486b8aab2713daea611c796e184e8445407d1c71005b2ea2c6c2cdb539d44eaf391c

C:\Users\Admin\AppData\Local\Temp\kwmI04GpUc1n.bat

MD5	742d080041128cffca351e1ce471c335
SHA1	b6c1d590daa5568fc1d19821bbff42709373b12d
SHA256	1145f6f937be9cf5b5377422174ff758ca4cd0401b45582612204f2f51321180
SHA512	b8c970432e5f4e095581729b65c70750daa7aa779c3657b3dbc6025c35734fd140eac1f053337187d2024bf4899edd97224ddf44a553e1a5a9f413b74f5d3fdd

C:\Users\Admin\AppData\Local\Temp\e2XFdDAWHZRN.bat

MD5	8b7ab6a4a5ecb6572fa9549d3e039213
SHA1	11bc407cbbd6292300b6a99f8876c9fd11bc4e76
SHA256	92b96086c8a583218c49837b55ca5db30bc338d85bd9dd9834f0f6580c35322a
SHA512	9633c90aa07c8eb82971e29f7ca2078ac098582035d6367afb99e1419b68e84c7dfe1e3587e3290a27fa17d0731808eb5173d2a8da5fd32393d7f21bac05f89a

C:\Users\Admin\AppData\Local\Temp\KXTmV3YZX88q.bat

MD5	8ea39ca02c14475cd5e792b3e53eee62
SHA1	b052284bdc1acc5605753bd102e207eb8929058c
SHA256	091e47c638bc5c865ba1928bfbefa6df6103112dddd7e7a18ea144a4e5d66ec9
SHA512	e132d02ca62310a0a4264d979e2b625fc1e0f91d974c53956ad4f1210ccc164d81481ab8f5288a52084ea09d68d09ba55a038c2ae1c9cbb32419bf823960381b

C:\Users\Admin\AppData\Local\Temp\6XNrvri1zSP7.bat

MD5	bd49d33e60e8a5818d2980f57a129f90
SHA1	6b64c06b84641fc80b50a12ae93b3f201156ac3b
SHA256	463a77ea919df4a526ec244d1396f49b30e8fff2c45ce57c3ed8838b167d654b
SHA512	de4e8edc93bd5fcbc854ede49cce8fc4fe9539861f200f2184b836ed37582d9f73965be936c8cc523cd019dde79bb89b9f71e4c7898a6a76bd7168f6737ec07c

C:\Users\Admin\AppData\Local\Temp\WOkS9DGgIjht.bat

MD5	10873dc762ee87cbbf70e7ff38be5162
SHA1	bfeb2bf2f4e1d1f44c6d340104bc87ff165bfa88
SHA256	9a151071c5fd4f73bf6e53ae9af85d5bcd49b6d65ee30854cc21fc767e37050b
SHA512	63b7526e011d58a33f448675a7ae16e0b32e2fe8b2a4fa51e5416620eff94e0914e97e8e9b162dc60c50649d17b16f5628b6c2eb2c30d7dfe1a818113e7a4102

C:\Users\Admin\AppData\Local\Temp\UUJ9Z5KhbVpN.bat

MD5	7555300c7a40a741aa2dadb0a92ef439
SHA1	671f862e2dd5b2792890a41f705ed4e0f9fa12c9
SHA256	18dfb583053ac9bae1cff8b231577eba4238d59d339300f7d30c6384caa648d2
SHA512	175ce2840cd975b4f1b2c45eaca7e34170c387c06631023b85a8b20d2afe4b565a588ceafa409763a5831ca4697c45bccb2b54add5b5bc3f86d76d172a4fe909

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:54

Platform

win7-20240508-en

Max time kernel

597s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2980 wrote to memory of 916	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2980 wrote to memory of 916	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2980 wrote to memory of 916	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2980 wrote to memory of 916	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2980 wrote to memory of 2780	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2980 wrote to memory of 2780	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2980 wrote to memory of 2780	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2980 wrote to memory of 2780	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2980 wrote to memory of 2780	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2980 wrote to memory of 2780	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2980 wrote to memory of 2780	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2980 wrote to memory of 2160	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2980 wrote to memory of 2160	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2980 wrote to memory of 2160	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2980 wrote to memory of 2160	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2780 wrote to memory of 2872	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2872	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2872	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2872	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 2064	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2064	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2064	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2064	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 1816	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2064 wrote to memory of 1816	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2064 wrote to memory of 1816	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2064 wrote to memory of 1816	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2064 wrote to memory of 2112	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2064 wrote to memory of 2112	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2064 wrote to memory of 2112	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2064 wrote to memory of 2112	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2064 wrote to memory of 2848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2064 wrote to memory of 2848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2064 wrote to memory of 2848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2064 wrote to memory of 2848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2064 wrote to memory of 2848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2064 wrote to memory of 2848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2064 wrote to memory of 2848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2848 wrote to memory of 1880	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2848 wrote to memory of 1880	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2848 wrote to memory of 1880	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2848 wrote to memory of 1880	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2848 wrote to memory of 1860	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1860	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1860	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1860	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 1848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1860 wrote to memory of 1848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1860 wrote to memory of 1848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1860 wrote to memory of 1848	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1860 wrote to memory of 864	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1860 wrote to memory of 864	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1860 wrote to memory of 864	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1860 wrote to memory of 864	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1860 wrote to memory of 2220	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1860 wrote to memory of 2220	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1860 wrote to memory of 2220	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1860 wrote to memory of 2220	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1860 wrote to memory of 2220	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1860 wrote to memory of 2220	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1860 wrote to memory of 2220	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2220 wrote to memory of 2704	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 2704	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2220 wrote to memory of 2704	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (103) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tRnXCdhtFhDN.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\08ohXKThKqxa.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\d7X5Lti0XLRZ.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rqBiG4oSe6aa.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\33BQBiNew0ub.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5g9R6obYDKDQ.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\b5AlTEihnBR1.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\rJyDAbQDbtTw.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp

Files

memory/2980-0-0x000000007443E000-0x000000007443F000-memory.dmp

memory/2980-1-0x0000000000890000-0x00000000008FC000-memory.dmp

memory/2980-2-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/2980-3-0x000000007443E000-0x000000007443F000-memory.dmp

memory/2980-4-0x0000000074430000-0x0000000074B1E000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2780-12-0x0000000000FD0000-0x000000000103C000-memory.dmp

memory/2780-13-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/2780-14-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/2980-15-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/2780-16-0x0000000074430000-0x0000000074B1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tRnXCdhtFhDN.bat

MD5	9b0430d59275f06223f0c510f8fea7a2
SHA1	06c3b173a70d3ceac0f2a8e6f0425a67a34566f8
SHA256	9f9297b7ad9fcf2b2927d94ec480d029d873c0fbfa4283f2e2a0eebeafb75c6c
SHA512	271945e863bb708da9f11045d3152220afc4a0b41d19000545913e352d43fd0e2005d064091f20117458048e64e5dccc36c410c494efbbcba2c1ee3d808c2a43

memory/2780-26-0x0000000074430000-0x0000000074B1E000-memory.dmp

memory/2848-29-0x0000000000FD0000-0x000000000103C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\08ohXKThKqxa.bat

MD5	f472a1f33a7e0bc00076c3cfd8f6ba6f
SHA1	4048c4fee43f101ee655a40479b358913d33a919
SHA256	d82898fe8db189455aaeab1130ec4a450cd5aac8078d13a200245f2dbeef14e0
SHA512	817729fe837510f4009a887aab27512b01b42e1986b7b02d072da5a1c97cb7c625cdb45d2ffc3341f1a69e25b546a64d84d84401d6b9780b699499e38a09b91e

memory/2220-41-0x0000000000FD0000-0x000000000103C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d7X5Lti0XLRZ.bat

MD5	923b04de6418b25ccc0a42f19e33ca1d
SHA1	ccccc476e7482c61c803e2e8e6b0f9e2a582568c
SHA256	4a96bd2e40e4a47be109029228a8f6f876e6c301f20782407dbb8bf4d7295ed3
SHA512	8fad07cd2a78b8df148eab9716df14bbd93c3035d100a835b9bffebe8edc54112fb3e1bae92681e300a322e07c5e0469a20b7bad1152e41659b35731d53f02f6

memory/308-53-0x0000000000FD0000-0x000000000103C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rqBiG4oSe6aa.bat

MD5	a9c240627343f3a7c3bf6d33ad5f4743
SHA1	9d4ebff72c5793898a185da0ad4b1299a77d8960
SHA256	c8109bb3790801135c92952c2e521b2b968c79c2b4049ceead3f1107f7b2f46e
SHA512	1803d4716ba7d90c1cd627a20988b12831be3cbc1dc75f179fa2798daab8af3299c02dd8a46cebd7a8891644bde7df16a634935eb0f666856ebf988b416e000a

memory/1264-65-0x00000000001B0000-0x000000000021C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\33BQBiNew0ub.bat

MD5	33f6b0c23aaebcfd6902fe3c93ce740e
SHA1	c8e6201210836d932c5518c83ccafd6173733b9c
SHA256	4f5165ebec5be6ac7251c36f3c07bfe1c20189e9f44a27e56e1c3cab6ee0bc6c
SHA512	1eeabb000bbad95e523135df0ae7952d4689965409245e449679f07ec47381cd86ea88f5d18a57aa854eb37d9c18a77d29e1180d8f98727d5c0247eb93676c44

memory/620-77-0x0000000000DD0000-0x0000000000E3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5g9R6obYDKDQ.bat

MD5	03aaa9074dc8a82bc407c57d63bd1ba0
SHA1	3aa06ec43f1aac58399e1204da222afb3f8ca197
SHA256	e28f66c10a7fd66303a96f966c86fb0c059f8bc19ec1a8b2a91c110d39cf8639
SHA512	f2c458018d8a5c5211181170452abde761afba64539b6f49b94c588cea3cb96c55770df2ab90a962fb5049dc706b4b7d25c0036d01025b0178b16ca476b81b4c

memory/2668-89-0x0000000000EF0000-0x0000000000F5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b5AlTEihnBR1.bat

MD5	848c459903e8e980fc1348986fbbc21e
SHA1	4b118e1e2bcf3485368a70039f59f9865aa642ae
SHA256	b364e01c64cad5db3c33fd3cc63951596cb1a2d24230b64eacc9d12050d867bf
SHA512	413eef6d32ebd591fff64013a1bae5c6d007ba2eb7e1fe70bd69829055b77668bb03bce93594a02b15032e354606111098faf34f2d47f834b825a9d8f1532f78

memory/2880-101-0x0000000000EF0000-0x0000000000F5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rJyDAbQDbtTw.bat

MD5	0953f3a0100c1c4fc4f09aabb8d7f86c
SHA1	9370ec5eae6c5f0823e7516a64fa019f6ad44da6
SHA256	69f5c4269664741ad34c9376cad83d2defee57a63369e1430bf4f4c18c492daf
SHA512	c5f351305777aa22f2783faa98917cf70f289d202ac397a3b031395f2d14585fdd547fb1fc955c10bf8a5e541d031ee577a58e4ce87b7e9ca42a570207c27595

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:40

Platform

win10v2004-20240611-en

Max time kernel

578s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 5016 wrote to memory of 4316	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 5016 wrote to memory of 4316	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 5016 wrote to memory of 4316	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 5016 wrote to memory of 4212	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 5016 wrote to memory of 4212	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 5016 wrote to memory of 4212	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 5016 wrote to memory of 2932	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 5016 wrote to memory of 2932	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 5016 wrote to memory of 2932	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4212 wrote to memory of 4888	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 4888	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4212 wrote to memory of 4888	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
US	8.8.8.8:53	73.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	216.131.50.23.in-addr.arpa	udp
US	8.8.8.8:53	57.169.31.20.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	1.112.95.208.in-addr.arpa	udp
US	8.8.8.8:53	215.156.26.20.in-addr.arpa	udp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	26.165.165.52.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	206.23.85.13.in-addr.arpa	udp
US	8.8.8.8:53	57.15.31.184.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	0.204.248.87.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	30.243.111.52.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	9.173.189.20.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/5016-0-0x000000007524E000-0x000000007524F000-memory.dmp

memory/5016-1-0x0000000000560000-0x00000000005CC000-memory.dmp

memory/5016-2-0x00000000055D0000-0x0000000005B74000-memory.dmp

memory/5016-3-0x0000000005020000-0x00000000050B2000-memory.dmp

memory/5016-4-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/5016-5-0x0000000004F80000-0x0000000004FE6000-memory.dmp

memory/5016-6-0x0000000005CA0000-0x0000000005CB2000-memory.dmp

memory/5016-7-0x00000000061E0000-0x000000000621C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/4212-13-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4212-14-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/5016-16-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4212-18-0x00000000060F0000-0x00000000060FA000-memory.dmp

memory/4212-19-0x0000000075240000-0x00000000759F0000-memory.dmp

memory/4212-20-0x0000000075240000-0x00000000759F0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:48

Platform

win10v2004-20240611-en

Max time kernel

579s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 4936 wrote to memory of 1348	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4936 wrote to memory of 1348	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4936 wrote to memory of 1348	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4936 wrote to memory of 1208	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4936 wrote to memory of 1208	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4936 wrote to memory of 1208	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4936 wrote to memory of 3508	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4936 wrote to memory of 3508	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4936 wrote to memory of 3508	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1208 wrote to memory of 2528	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1208 wrote to memory of 2528	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1208 wrote to memory of 2528	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
NL	23.62.61.97:443	www.bing.com	tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	71.159.190.20.in-addr.arpa	udp
US	8.8.8.8:53	144.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	237.21.107.13.in-addr.arpa	udp
US	8.8.8.8:53	97.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	1.112.95.208.in-addr.arpa	udp
US	8.8.8.8:53	215.156.26.20.in-addr.arpa	udp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	50.23.12.20.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	100.58.20.217.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	169.117.168.52.in-addr.arpa	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/4936-0-0x000000007453E000-0x000000007453F000-memory.dmp

memory/4936-1-0x0000000000B20000-0x0000000000B8C000-memory.dmp

memory/4936-2-0x00000000059B0000-0x0000000005F54000-memory.dmp

memory/4936-3-0x00000000054A0000-0x0000000005532000-memory.dmp

memory/4936-4-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4936-5-0x0000000005540000-0x00000000055A6000-memory.dmp

memory/4936-6-0x0000000005980000-0x0000000005992000-memory.dmp

memory/4936-7-0x0000000006680000-0x00000000066BC000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/1208-13-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/1208-14-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4936-16-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/1208-18-0x0000000006980000-0x000000000698A000-memory.dmp

memory/1208-19-0x0000000074530000-0x0000000074CE0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:48

Platform

win7-20240508-en

Max time kernel

597s

Max time network

607s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2204 wrote to memory of 2444	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 2444	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 2444	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 2444	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 1156	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2204 wrote to memory of 1156	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2204 wrote to memory of 1156	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2204 wrote to memory of 1156	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2204 wrote to memory of 1156	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2204 wrote to memory of 1156	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2204 wrote to memory of 1156	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2204 wrote to memory of 1088	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2204 wrote to memory of 1088	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2204 wrote to memory of 1088	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2204 wrote to memory of 1088	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1156 wrote to memory of 2868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 2868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 2868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 2868	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 2652	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 2652	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 2652	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 2652	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1288	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2652 wrote to memory of 1288	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2652 wrote to memory of 1288	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2652 wrote to memory of 1288	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2652 wrote to memory of 1936	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2652 wrote to memory of 1936	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2652 wrote to memory of 1936	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2652 wrote to memory of 1936	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2652 wrote to memory of 2132	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2652 wrote to memory of 2132	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2652 wrote to memory of 2132	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2652 wrote to memory of 2132	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2652 wrote to memory of 2132	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2652 wrote to memory of 2132	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2652 wrote to memory of 2132	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2132 wrote to memory of 1812	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2132 wrote to memory of 1812	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2132 wrote to memory of 1812	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2132 wrote to memory of 1812	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2132 wrote to memory of 1640	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1640	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1640	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1640	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 568	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1640 wrote to memory of 568	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1640 wrote to memory of 568	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1640 wrote to memory of 568	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1640 wrote to memory of 2300	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2300	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2300	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 2300	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1640 wrote to memory of 1736	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1640 wrote to memory of 1736	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1640 wrote to memory of 1736	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1640 wrote to memory of 1736	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1640 wrote to memory of 1736	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1640 wrote to memory of 1736	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1640 wrote to memory of 1736	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1736 wrote to memory of 2992	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1736 wrote to memory of 2992	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1736 wrote to memory of 2992	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ErOvjtpXDqIm.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EWocV6IiHNeB.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Jigx5aTSfYVU.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\NqonnsIQdqhC.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2mbOUzLHwGDW.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vsn85OdSU0Ec.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\vz7EzwI7wUiR.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\CHfCZWMPA6Pw.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp

Files

memory/2204-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

memory/2204-1-0x0000000001010000-0x000000000107C000-memory.dmp

memory/2204-2-0x0000000074B10000-0x00000000751FE000-memory.dmp

memory/2204-3-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

memory/2204-4-0x0000000074B10000-0x00000000751FE000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/1156-12-0x0000000074B10000-0x00000000751FE000-memory.dmp

memory/1156-13-0x00000000011B0000-0x000000000121C000-memory.dmp

memory/1156-14-0x0000000074B10000-0x00000000751FE000-memory.dmp

memory/2204-15-0x0000000074B10000-0x00000000751FE000-memory.dmp

memory/1156-16-0x0000000074B10000-0x00000000751FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ErOvjtpXDqIm.bat

MD5	da255af32ff6f2755fa8c493f703e129
SHA1	6aacd2cbbe53f447d0fa9926e7741d6297853f71
SHA256	b6bb76e5a0fabaaf06972bb017890d7328ee6c472213e1f1cee69dc440239099
SHA512	f1807ea482ad3ee74b1fa356acd8653bc00a9245246897bd4278b47ce2a541068a5ba649dd4d511377df9f8a694782328afe2742b9375e2650da3e5d8f263b92

memory/1156-25-0x0000000074B10000-0x00000000751FE000-memory.dmp

memory/2132-29-0x0000000000220000-0x000000000028C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EWocV6IiHNeB.bat

MD5	3570cb0b9d720908e808ff43f68b0653
SHA1	e456fc4c21b1d28b779d77ee69f791bdb6fc37db
SHA256	360fd3525acaa03022713725329983f7bdbe25d5936b12c745f9d84aec804f35
SHA512	e1763deff63ac5f1f47771cc8c716962d24a8cf2850249f1c88d019c8d526bfe0058dec903fa3dc6985a6097df060b3845b372dd616271a054e8fff00b1d0974

memory/1736-41-0x0000000000A60000-0x0000000000ACC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Jigx5aTSfYVU.bat

MD5	60baf18f8e86fa20850068616bfe389a
SHA1	4a505d0c36179a7bb226f0320ddd57b9dc6b784e
SHA256	623ad67b1fbc6b652c0d554c8ec24bc50932df1fddf57065e523c1bc266701a9
SHA512	dc73bf79665fc7323623b8861ee1160ac7a9fe05d47e07273678a38111716f70828157624e8f38f73b654374e59ad51174b5e390082829a2ba820d126f4b2776

memory/2804-53-0x0000000000C60000-0x0000000000CCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NqonnsIQdqhC.bat

MD5	cd23c31300ea699f1feb36babcc281a0
SHA1	b312632f769c3050dd85ca149479d4219247e7e8
SHA256	f685df3da416e0a8f699389a893d6c0635dbf7de598200fb0252e1951a3d5e5c
SHA512	f8ecdd7b3ee20cb2a0bb2d492cd3d62524893fa677523df8a454093c8205f7cb24f0ed3d4ad0afdc55d2184f1e85a145ec1bd81648a0c6b3ac37d1b2e5506674

memory/2020-65-0x0000000000D30000-0x0000000000D9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2mbOUzLHwGDW.bat

MD5	ca57e341ac6dfb3c390e6338c5beddc7
SHA1	14dc97562760e5ed51ceb6c5731e70835d4f0fc4
SHA256	34811e6c0be0a141d75cf982cf1fcd60ad5d86026e6a168554b054c371fa6af7
SHA512	44f907511b2ddc531c224e6e706e5d67739c95f1187d2f8325bb3e7e7353f955dfcde101f6d7fc7ca16164a0a98e6869afdfc92d852c1d0c2ab956d91cd8876c

memory/544-77-0x0000000000100000-0x000000000016C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vsn85OdSU0Ec.bat

MD5	ac3a76ae77f0a1f6ed4a630fa1f7cb07
SHA1	dc29935eae838d3fe8692aa6616f9d927847f5e4
SHA256	d1d67306bd96f14ac8e4704b3c1c21054b65c893c60cdf3f1c68cc337bde9fa2
SHA512	e868f5300321affe68cc34bd70134c7d599f95f46ee7b00c091a3dc3ed6d3f9378c4d250ae6f55a21cc654f93be5b361d88a664284de7e199bc623cebce760d3

memory/2488-89-0x0000000000940000-0x00000000009AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vz7EzwI7wUiR.bat

MD5	b5ea9559194603e8d0eb78667d3706d4
SHA1	f36af3c9f2dda4219cfdfe519f9116fd1d32c8e4
SHA256	c2a5e5b74e84de7825d17b9c7cb295b6c94309e8b449b3f73ad66c7c2c1d529b
SHA512	d4bfc758f7172011bf2212352331354f7f3e8fcc524293af8cc3c1360b138052c64214203dc2ed877ae808622e444e2c8ed61c0c4345e463caba7631b15440b6

memory/752-101-0x0000000000FB0000-0x000000000101C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CHfCZWMPA6Pw.bat

MD5	f9a84f0631ca0d0ce77138b1c81ed1a0
SHA1	670fa4710e84b332f135e922a5aaefa0eea80ded
SHA256	3c5e0684afc2a87a8ed5ea539fe988d5c8402d08bfcca95f9648c3e85e6c75bf
SHA512	695b1620d16b32fd7bc4f31c5dbcd147cc952693fff37dece6db22acfa51625e0e95e2906adc6dcc80c61a917883f502bfaaa89483be2cfaafe0c219060e5667

memory/2412-113-0x0000000000FB0000-0x000000000101C000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:54

Platform

win10v2004-20240611-en

Max time kernel

579s

Max time network

602s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2288 wrote to memory of 3600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2288 wrote to memory of 3600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2288 wrote to memory of 3600	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2288 wrote to memory of 4596	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2288 wrote to memory of 4596	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2288 wrote to memory of 4596	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2288 wrote to memory of 3256	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2288 wrote to memory of 3256	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2288 wrote to memory of 3256	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4596 wrote to memory of 2472	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4596 wrote to memory of 2472	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4596 wrote to memory of 2472	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (103) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	204.79.197.237:443	g.bing.com	tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	140.32.126.40.in-addr.arpa	udp
NL	23.62.61.194:443	www.bing.com	tcp
NL	23.62.61.194:443	www.bing.com	tcp
US	8.8.8.8:53	203.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	237.197.79.204.in-addr.arpa	udp
US	8.8.8.8:53	88.156.103.20.in-addr.arpa	udp
US	8.8.8.8:53	194.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	1.112.95.208.in-addr.arpa	udp
US	8.8.8.8:53	215.156.26.20.in-addr.arpa	udp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	26.165.165.52.in-addr.arpa	udp
US	8.8.8.8:53	18.31.95.13.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	35.15.31.184.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	240.221.184.93.in-addr.arpa	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	30.73.42.20.in-addr.arpa	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/2288-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

memory/2288-1-0x0000000000C80000-0x0000000000CEC000-memory.dmp

memory/2288-2-0x0000000005BF0000-0x0000000006194000-memory.dmp

memory/2288-3-0x0000000005720000-0x00000000057B2000-memory.dmp

memory/2288-4-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/2288-5-0x00000000057C0000-0x0000000005826000-memory.dmp

memory/2288-6-0x0000000006500000-0x0000000006512000-memory.dmp

memory/2288-7-0x0000000006A40000-0x0000000006A7C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/4596-13-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/4596-14-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/2288-16-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/4596-18-0x0000000006DA0000-0x0000000006DAA000-memory.dmp

memory/4596-19-0x0000000074B60000-0x0000000075310000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:58

Platform

win10v2004-20240508-en

Max time kernel

590s

Max time network

608s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 5100 wrote to memory of 2136	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 5100 wrote to memory of 2136	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 5100 wrote to memory of 2136	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 5100 wrote to memory of 2240	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 5100 wrote to memory of 2240	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 5100 wrote to memory of 2240	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 5100 wrote to memory of 4668	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 5100 wrote to memory of 4668	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 5100 wrote to memory of 4668	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2240 wrote to memory of 4540	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2240 wrote to memory of 4540	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2240 wrote to memory of 4540	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2240 wrote to memory of 4864	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 4864	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 4864	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4864 wrote to memory of 4388	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4864 wrote to memory of 4388	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4864 wrote to memory of 4388	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4864 wrote to memory of 4408	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4864 wrote to memory of 4408	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4864 wrote to memory of 4408	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4864 wrote to memory of 3292	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4864 wrote to memory of 3292	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4864 wrote to memory of 3292	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3292 wrote to memory of 3520	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3292 wrote to memory of 3520	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3292 wrote to memory of 3520	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3292 wrote to memory of 1672	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 1672	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 1672	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1672 wrote to memory of 5108	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1672 wrote to memory of 5108	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1672 wrote to memory of 5108	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1672 wrote to memory of 1608	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1672 wrote to memory of 1608	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1672 wrote to memory of 1608	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1672 wrote to memory of 3916	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1672 wrote to memory of 3916	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1672 wrote to memory of 3916	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3916 wrote to memory of 672	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3916 wrote to memory of 672	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3916 wrote to memory of 672	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3916 wrote to memory of 4908	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 4908	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 3916 wrote to memory of 4908	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 768	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4908 wrote to memory of 768	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4908 wrote to memory of 768	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4908 wrote to memory of 4280	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4908 wrote to memory of 4280	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4908 wrote to memory of 4280	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4908 wrote to memory of 4624	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4908 wrote to memory of 4624	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4908 wrote to memory of 4624	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4624 wrote to memory of 3156	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4624 wrote to memory of 3156	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4624 wrote to memory of 3156	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4624 wrote to memory of 2956	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 2956	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4624 wrote to memory of 2956	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 232	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2956 wrote to memory of 232	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2956 wrote to memory of 232	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2956 wrote to memory of 2436	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (104) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWFetlcT41sM.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2240 -ip 2240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1668

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LN0LvCtX4IA3.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3292 -ip 3292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuhpzmxfyL2i.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3916 -ip 3916

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 2172

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gheDqt1NjCFm.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4624 -ip 4624

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1084

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0VOKUlFP0r9l.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1364 -ip 1364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UufFMVkuQzz1.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2280 -ip 2280

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CtkazYl3NWZO.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4536 -ip 4536

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ULjrU2fTV63.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3484 -ip 3484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OI6qVMGhkA01.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4368 -ip 4368

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1604

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Oe5uAgEhWQn3.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3632 -ip 3632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1624

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viBVArvVg6YB.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4948 -ip 4948

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 2172

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGqrwL1fr16B.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1056 -ip 1056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\94bzaDFh8g09.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1820 -ip 1820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYjmfJURsR0i.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xphbxUmlQWcy.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2696 -ip 2696

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juLCGTHzJkZo.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3700 -ip 3700

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 2236

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JpZfhBYswe0t.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 768 -ip 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQBoZ7qU2dXY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4472 -ip 4472

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kLPHzo7OeXyd.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3664 -ip 3664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 1088

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYdaPn4wnjvJ.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2148 -ip 2148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kw6lUnP8h34f.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4392 -ip 4392

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 2228

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEqkXhLsgkK9.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4880 -ip 4880

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 2144

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OpRtPdcUljqo.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2732 -ip 2732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1688

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWifGfnehADg.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1820 -ip 1820

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1720

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81eB8VBhwju9.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1676 -ip 1676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 2160

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQ2TKP4gGaE8.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 636 -ip 636

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 2232

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pvy0CFSjW9vb.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1424 -ip 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dDkZIAuNa2Ek.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3552 -ip 3552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp

Files

memory/5100-0-0x00000000751CE000-0x00000000751CF000-memory.dmp

memory/5100-1-0x0000000000340000-0x00000000003AC000-memory.dmp

memory/5100-2-0x0000000005390000-0x0000000005934000-memory.dmp

memory/5100-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

memory/5100-4-0x00000000751C0000-0x0000000075970000-memory.dmp

memory/5100-5-0x0000000004F70000-0x0000000004FD6000-memory.dmp

memory/5100-6-0x0000000005D00000-0x0000000005D12000-memory.dmp

memory/5100-7-0x00000000751CE000-0x00000000751CF000-memory.dmp

memory/5100-8-0x00000000751C0000-0x0000000075970000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2240-15-0x00000000751C0000-0x0000000075970000-memory.dmp

memory/5100-16-0x00000000751C0000-0x0000000075970000-memory.dmp

memory/2240-17-0x00000000751C0000-0x0000000075970000-memory.dmp

memory/2240-19-0x0000000006A70000-0x0000000006A7A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zWFetlcT41sM.bat

MD5	4a0a0dca7440e32508f7073bc9bf30f3
SHA1	d70af4ff46ca538eba9f29a1002c78e4a14c8d7e
SHA256	c0033f9298c77b8699421ad9009199936c8b9260c0c6804303f74dfe4799e8fd
SHA512	34b7d8a1f4346d38ab45c10dfe49bf618e6c3eb2d5bfa75a7663fa24dbaa86b85bd13da6eec2ff1da094e7e0c3dadb215b98e28a3ea8bd22745f1fab1cafc312

memory/2240-24-0x00000000751C0000-0x0000000075970000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	602888e48e429e971a235651604e6e99
SHA1	78944e2193f13191799014434286d30e70abe8ac
SHA256	03c421405fb6a79e38fe13af9d48caf220b88d4c6c0ab41eb2f8eec7f6e4692c
SHA512	e2854e9ef4dd7f639885e5ec0fe47b40cc25135323a404a69c01604ca4ce32cdd10b1ba6b9efec530602a194727c752915bad2e9c90ac150bd1c73c242e02f74

C:\Users\Admin\AppData\Local\Temp\LN0LvCtX4IA3.bat

MD5	85125879f2ec8c8c99158ef1613c0e3f
SHA1	80a522197df2c4fb18b9366bca97fd3fb9323d4b
SHA256	871ca6c716926085e3c08e34165234e7c85bad4124dc4062c495690a761b5d27
SHA512	f21d4a7dc1b787d32ca81f73adfc56c4a66a450a048192d1251701f10a0ed6ee308d4853bd2f9789e82277196e1f234e6db9f002488070457fd2df080d1219cd

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512	cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\QuhpzmxfyL2i.bat

MD5	e6a5e34467e04a27002a8e82056a3669
SHA1	e3f8e5f69656e5b576849903d41bf192fce07178
SHA256	9fed1a70e7d9b9a0c0ea11fbce588967e68ac58ca65d0d62a813a406f2b9e888
SHA512	12ae2e8fd84a3f86d1a00398215196f7eebf1661bb8b7d97f805f1219ddb084963b42ce67e4c5ab899a693b6dc3b73437e44b57842a152a9f69ae593c0a8683e

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	2faa6fd5e5a8bf299c3b8640991ffc67
SHA1	5c33ab3d2132dbccc17a8e827e33ed8f4360f987
SHA256	fa5074f3df2d47dffb101cdfa633951691e3382aea24cdd2d73601a225ecf8c0
SHA512	2ab8de1535a4be7275e77a9a2f025c99ea0ac80f2c2549a1c36409f3a127591e094a1d762fa7d36a47e83c5ff30521e737d020894b5999cbae42011e402ce02a

C:\Users\Admin\AppData\Local\Temp\gheDqt1NjCFm.bat

MD5	9f262322a65c9f237e4479ada0593ddc
SHA1	b4c47376d621664ca47aaf099429d4f78098e938
SHA256	b42b5daefbd2e6ae5c37a190d1158ce2499ce06fe73ae994c69387d558240b31
SHA512	f0175f8b8334b595b8ae58e0a6c70778cd7bb05f8cb0fc5c7ba02ebbf1f6af100867e48f6012474eceadc3fcde70e0ad4b5ac58f6b2d9bb6014403f944f8a937

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	45cd9c80cf0cd041077203aa25d80475
SHA1	2dfb03eec23ff0a61465ae9e50b8c77c8e453e63
SHA256	b35fcf25bb78f6fd3d2fdae7df34b6c9e9c8e4ac0b1d90d7877c15f746de19ac
SHA512	8bdedb5af1e8248360c7a3813e337a75edf7087505c7133d3249e8c306f4fddeb00dfc2956ad0d734da7929526aedb0bf2e3ccc7a68a225adc377e9976884b8f

C:\Users\Admin\AppData\Local\Temp\0VOKUlFP0r9l.bat

MD5	f5f7636961f73ba3387c9565565bed40
SHA1	4d42b834c5ee6a7bc7b8bd5a4e45930bee5a2b21
SHA256	1fad6411f57626e2a45a1a7dbb36261c78783f9640ef2c7812fd05124dcd282b
SHA512	4d0b4d1874a49b3c4e2e1847d3870b529257392a55127bcff760fc41c04e046351c97530e2c0882a3b02275ae53647a5e2e6d1c8605fb6e9d602682e2605c80c

C:\Users\Admin\AppData\Local\Temp\UufFMVkuQzz1.bat

MD5	edcca7925b88f31dcd0c8623d06e8090
SHA1	1c71a7177091cfb5ebe60f744b9cf6892d9aacd9
SHA256	4874435d2fc0b684707df9ab38c2abaef73688977b6f3bcb043f72767fa36d35
SHA512	4418672685d5d6be6b5c593c751f3236ff20d6ebd991a40a1adc10d10a65075ac3129ee67663f470fc72b48461f46da3bc87149e0f90f9913bae8ff0014a7022

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	0afdc508b9791bc1d187477af81184ab
SHA1	de24cf6c6c8de831c18d885ee00b0b6652393935
SHA256	c7ec6b0bfb3a337680c5b20ecf55b3b688c5253342b53e4e8df9ba485a6f7cb7
SHA512	3314431bbe5dab80f4a2ffae9708db1db8000c9e1434bf32e35a40cf375dcb3f49ec61377b73c1c7af09bb8adf68ec49f7e8466267f054214670f15160f34a35

C:\Users\Admin\AppData\Local\Temp\4ULjrU2fTV63.bat

MD5	2149ffec1b2c4bbf37ee6e944eeb346c
SHA1	3b43949b7c85bfa094df274cd20128ca6d6363db
SHA256	e247be4933344eff7943306fd0bdbe71c2344aedef363643540a1a6bf494dbf4
SHA512	c876b782222ba51aa8fee11e88d14bc25e6c1b417df39ff2b6b2f0819d7158a29fa20f6151e9305e7f7761ede463bf18b72a5db4827f5b47faac54fc3cdf8907

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	6d89c17f40578db57c5df2c0a11e1f79
SHA1	c1e60ab0ce9c1875fca119897811a99880b97943
SHA256	e10ccb32381e6c99870b5d14a9d5542f50880a1126202130cc93bbffc62cd6a2
SHA512	aeff78c0333446596b9eeecc7927196bfaa6fd31d94fb1656944223392b3cb6b9c11e4d760868d4667571466a5d6142086a42ca8257938422628fd2d3604e712

C:\Users\Admin\AppData\Local\Temp\OI6qVMGhkA01.bat

MD5	737cce646781fef14dcce90bf2787a6d
SHA1	0bdbabc9ed5deebccecdfa45fd028faca4f741f4
SHA256	c51e33d65b88e749a69a9d9135af8e582f58f9e88f28adbb6bd82f8259607964
SHA512	60de1cdca3cd67477d8a132710af6bee6d7a52a8b6fc44105029b252845bfcf5c48520a183999425fe5531c4935aa580f5fc3f2471292142e491be18609596dc

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	1780605460b0251930d2885609ad3587
SHA1	a47a1fd870e41e1b3670643288aba71e91c39e55
SHA256	b90da8948b306be890663f0dac8b5fecb3da9dc87c7c530275f90e604a624ea7
SHA512	745d75a7c5d815cde522e7a07ca8dcf7328559f19d1d8da7b1fcc88d274599e809e87d961bb99e216b7bf49f3e8fdf1e2eab3974191e230374a77d3d6e290b2a

C:\Users\Admin\AppData\Local\Temp\Oe5uAgEhWQn3.bat

MD5	d8513e0eb0ca11d1513b665e33e72eec
SHA1	753bbc77f10483a16dd9f9bb3818497e817e5bc3
SHA256	4a3c6337bedf827560d9e960098e00e499f7397219b486566ea61b60e5a5ab12
SHA512	a89626a32852c0d54a3e03a97054e5e749bb9c789f9401e78124d2d011773428568a4e5301af68555fd930de4cccffe2b9b3f154b536a7979298fdc4c27dbbaf

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	714bd245f9347dac4920ee2335dbfd7e
SHA1	45312b95fb260ce4cc0c9fbba1a16e08d06576bd
SHA256	c5b06265c58d8696dcea688aa5e33da50302b92d2cdcdadac86c0cea16435bb0
SHA512	02a065f51eb1d638111a162fdcc33bb4c117d3c0071d35a44ab6125535466d66f54f70aeded9dd4e42e37e2161f2ac1efbe6fd4bca6e141b5796859eb896accf

C:\Users\Admin\AppData\Local\Temp\viBVArvVg6YB.bat

MD5	c42d62084139ddbc7c0921c6dd8d51f5
SHA1	1902a0439bcc2666126533864afd6a1a4901aa7e
SHA256	7706242c8d477abf3a17188b517ad1441947a0716ebafa8ce49bf7ca31c76aca
SHA512	f6fb1d50b652a12bb186150fae44bd909f79c35f283cc5db20477c8e0fdddff822a94f15e297c266c54b8779e738276a13dbe13e879f2212a076185d4761bc75

C:\Users\Admin\AppData\Local\Temp\pGqrwL1fr16B.bat

MD5	c5e462901097160e5d2333e3d97d146c
SHA1	60b1a9dff62e261af1bad22775b9840f5445443e
SHA256	820806730a2ac8fa7fbe47363ea67cd7d5d4ae84946f072766c7d7dd23ab7f87
SHA512	945906bf09b4b96f0473aaeab20a1d0aa1a16093832f39f883ba7a29a59b5fd68a86638e69fd4376d4f7f460730d4927fc53ea0cdc2e376f1b8da25bf74f8552

C:\Users\Admin\AppData\Local\Temp\94bzaDFh8g09.bat

MD5	9cfa71c181dd38aef769466fb857293a
SHA1	f0453da8342ce01152484a7d53bd2e203ea8e6d2
SHA256	55f81a1ba7c4549e3e35cc03d0c813d3c3d523b4905e4e456d50fe7e8e2cd025
SHA512	0ea05b93192d6d09ba1548d7b3d711f4c08d8209320f256f1ccee13b08e5f46baa0e9ef5ef20448f2275d6ab7fad708948805f6696bacf9b2a772d9a66421670

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	c8484891fe77be6d6e15c2ef6ca16db4
SHA1	19b8526887fa79c0e305b6e55d53d1a4f8aebf73
SHA256	b55c87141f047f26454b995c549f73e0ee35aebf70b19a9597ffb9035ad7e070
SHA512	4b3d709976cf3a427b7deffe710e956fb93b8ee1fdd95d9158f091db983a36fb55d8f884770dbbfc9335aee5612c2f46649c45d7ac7ecd8ae1100bc93ce073ca

C:\Users\Admin\AppData\Local\Temp\mYjmfJURsR0i.bat

MD5	a62215a4af22461af14a702a016b438a
SHA1	f2b9e5548dd5e34ef279c1427f69496b4fecd727
SHA256	1081dfd9f51baa69bd0962a02670c1e23f34e97fe21d3f162c20cb0def2d1caa
SHA512	6106088c97a979b23cf993af4aee6d108d31ff0f4cf24da1425f2ed31b26f70ddd14a67d12ecd5c17411b1f238fa37d929411f73c0b92ed88419b17f6618f8b9

C:\Users\Admin\AppData\Local\Temp\xphbxUmlQWcy.bat

MD5	b93da8f7a877a0ada0265e76353be1be
SHA1	25a10635684cbf9b52012717a918727ca6200ccf
SHA256	7ffb6ed1a80135e5d5c43880f35216073249fb2bb03d7416123262d9735c6dfe
SHA512	1a22c0dd555ecd885812d76caa8299c40716ac2235d5b0e64f02ff2fc0d470e6e6f7cf89efeb70578f1215b188c311d28ae97ce4bd91401ca4b8261d4dab38b4

C:\Users\Admin\AppData\Local\Temp\juLCGTHzJkZo.bat

MD5	c70e3db85b009666735a332af94f1861
SHA1	1017081ccce80ba733e3ac43865327327a3588d7
SHA256	47a2e0844fa2348fb20790bcdcedee0bd7afd12e942012eb31e517a79017a043
SHA512	63f222708b66476f8ff8526f24bb2e7aabfe194de7c6fef80bfd939f13fb9a035d20b156fa8f626810ba4b5ae0b7380bc718764da046c7a36b6a3fdd13d97f1e

C:\Users\Admin\AppData\Local\Temp\JpZfhBYswe0t.bat

MD5	e8c5e2186b8a152fd5a5e6baac0ce3c8
SHA1	b1c7a2a0eea2f59689f96e1f5c474e5fd84a699e
SHA256	e1976068677d950f7f377ad47f11273ca2f9e0864cc7996e1d28decc6d2afd9e
SHA512	2a7295beda4865ca5b1652a7d30106d61553c4113c76809ad0b56534eb387566ae9d9ceccb52d05511910eb2c1788706c857a851a1b16448a02d988c629c0735

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	16cc5f4611804972aaa7d95b2d8d1599
SHA1	72d0f4da0dba2bd658d24d331cb6cd49627fa8f8
SHA256	fbbbd86a41dfa34858eb3fbe1fcd3e6f1ffd834112145da774cd6e59fa3eea9c
SHA512	0e0080ae6b8b694ee7c0921074672c211b4db727461c9ee58d1b66f200aef002c9a1101fbe5740bce2908b9f70b8a9f130a77b165eef5ec4c3bd9417ad81bfbb

C:\Users\Admin\AppData\Local\Temp\BQBoZ7qU2dXY.bat

MD5	d9ca50781f5b853a5da9f27933eccc73
SHA1	8d2656469aa5526cb02eb1313ab339b69886a08f
SHA256	bb8dfd1ad0ff8b65af05302eac32740208180434be728581c664d52ac736860f
SHA512	cf13d6631895cb45d780f3c1020171717e7d8468873258ce642d967139fcde8187446c55a8e6a781b9f959e5bd7e60a17c93d77768b80f8d65d2c474b6386ff5

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	aa2e1f83ac87597b9668aa7ed230e783
SHA1	c0060f11bd38418a2d04775add2674e10bc05485
SHA256	1f4e2bc9a42eae1889ac6a5413c5515b71813c2e1dae97b8c9eb89915b57fd93
SHA512	5478a1a574ceb9a1bb183c89bd6c2a0d3edea87ae7fcf5f01a7bc18015fc335e1bed36a5b2a00c71b0688ad33613c446ff2b8edfae028f6f8658e429b0976d74

C:\Users\Admin\AppData\Local\Temp\kLPHzo7OeXyd.bat

MD5	d8001ae1e106b84281207db447bae264
SHA1	4d9f2a6591a9ee3d7de1c976b1867c9c47197569
SHA256	77f9a607b4b16bc67b4600e4ba307828f5ad432ad7279215d41c0b2f43988fd8
SHA512	2bd2282b93b573942c4b7d9fdb28b73b48340d1658c6d388ed635fbff8d85682543599d794fd6ca607f954dcb80ce43da0fe0b1c699cd6f5975547974337e917

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	2fb4c0b47a0cda04fec4f2a57941d6d8
SHA1	8786f954afb9b6ea2b563bb16e184adebb0dc01e
SHA256	d74c709955a7424e44fcb3cb4cafdeeda6e938b1a6f418d4dde6bd079c4192a9
SHA512	25eb9d12f58d35232c8663b506495e030656b184e1c5e46979617dd93f35fe336f8d08ed62939a63771d8b4498ef9512468b4904f14f921e5824205b758f4621

C:\Users\Admin\AppData\Local\Temp\uYdaPn4wnjvJ.bat

MD5	00c6ad73c6cad65aab65bb3da964ab91
SHA1	36610448485ea8b848424178ab2aceb44dc91569
SHA256	95b089a4eaee57402217f25fc567e7d1d4b68f848fe2fc13536d9747aeded0a9
SHA512	31bfc8a2afd4d9f09d64474c4ced03a4b12a9251d9e63d832e38c11b098923a8afd14ca0a99608c8b35cbfc9ec1560f45b0caca6249df283673bce66138e3bca

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	e2eeacd27d5e3099bbf3b8ef2eef6c8f
SHA1	e24229e12ced1d7b47df7ecfeacd76e6129ddc0f
SHA256	a00326c25eb9b11d52909b5cb1efccd94323db70dbb6aa7f893dd8a61ddd0f65
SHA512	0445a5bbac88c4f45790b9f522f650868decbb693a6293a311b8aa781e2ca975bf74a264d95b61a1da7d1186e8da61d9f8a76f204a00b0a1a7d62855164792bb

C:\Users\Admin\AppData\Local\Temp\Kw6lUnP8h34f.bat

MD5	9b0fe10ccbe6001f5f45c4c34c093704
SHA1	5cfea04af2d58a3442b806a8597af0d4f074a6bf
SHA256	d4e79f5a18c5ce5addedffd63b60d567288451663915c25ea586216c2f5bd0aa
SHA512	f0a98dbc6136c00389fb29792fa90620c421721873f9027d077f193a6a1a86af0dbeb4b48d10c4278dc5990a3ed7eeec70e69e9deef48f97acaa8b376a9ab4b2

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	23dd4e4c97f0eb00f229d299ea8b3802
SHA1	9ec94b9b42a4716582dbd8e70d050848181deb8f
SHA256	1ce49d815c9ae391e78d2e7221229d8afa4f13b8c811ca3d42690537f1d1fd3d
SHA512	6c12a8f114ace61b5e7e9bc9a318cbdc340741d6c6cc4cc366dafb3a84776600948b862393cfa71157c3157d2eb8d53459c92380b0e39005dcae2db8e50cb3ae

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:58

Platform

win7-20240221-en

Max time kernel

578s

Max time network

598s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1848 wrote to memory of 2612	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 2612	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 2612	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 2612	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 2524	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1848 wrote to memory of 2524	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1848 wrote to memory of 2524	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1848 wrote to memory of 2524	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1848 wrote to memory of 2524	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1848 wrote to memory of 2524	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1848 wrote to memory of 2524	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2524 wrote to memory of 2532	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2524 wrote to memory of 2532	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2524 wrote to memory of 2532	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2524 wrote to memory of 2532	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1848 wrote to memory of 2392	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1848 wrote to memory of 2392	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1848 wrote to memory of 2392	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1848 wrote to memory of 2392	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (104) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/1848-0-0x000000007423E000-0x000000007423F000-memory.dmp

memory/1848-1-0x0000000000910000-0x000000000097C000-memory.dmp

memory/1848-2-0x0000000074230000-0x000000007491E000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2524-10-0x0000000000BE0000-0x0000000000C4C000-memory.dmp

memory/2524-12-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2524-11-0x0000000074230000-0x000000007491E000-memory.dmp

memory/1848-14-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2524-15-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2524-16-0x0000000074230000-0x000000007491E000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:43

Platform

win7-20240508-en

Max time kernel

597s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1632 wrote to memory of 2900	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 2900	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 2900	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 2900	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1632 wrote to memory of 992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1632 wrote to memory of 992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1632 wrote to memory of 992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1632 wrote to memory of 992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1632 wrote to memory of 992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1632 wrote to memory of 992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1632 wrote to memory of 992	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1632 wrote to memory of 1648	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1632 wrote to memory of 1648	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1632 wrote to memory of 1648	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1632 wrote to memory of 1648	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 992 wrote to memory of 1412	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 992 wrote to memory of 1412	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 992 wrote to memory of 1412	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 992 wrote to memory of 1412	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 992 wrote to memory of 2208	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 2208	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 2208	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 2208	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2172	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2208 wrote to memory of 2172	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2208 wrote to memory of 2172	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2208 wrote to memory of 2172	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2208 wrote to memory of 1196	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2208 wrote to memory of 1196	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2208 wrote to memory of 1196	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2208 wrote to memory of 1196	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2208 wrote to memory of 1084	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2208 wrote to memory of 1084	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2208 wrote to memory of 1084	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2208 wrote to memory of 1084	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2208 wrote to memory of 1084	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2208 wrote to memory of 1084	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2208 wrote to memory of 1084	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1084 wrote to memory of 1228	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1084 wrote to memory of 1228	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1084 wrote to memory of 1228	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1084 wrote to memory of 1228	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1084 wrote to memory of 896	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 896	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 896	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 896	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 896 wrote to memory of 680	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 896 wrote to memory of 680	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 896 wrote to memory of 680	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 896 wrote to memory of 680	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 896 wrote to memory of 2844	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 896 wrote to memory of 2844	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 896 wrote to memory of 2844	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 896 wrote to memory of 2844	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 896 wrote to memory of 1560	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 896 wrote to memory of 1560	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 896 wrote to memory of 1560	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 896 wrote to memory of 1560	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 896 wrote to memory of 1560	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 896 wrote to memory of 1560	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 896 wrote to memory of 1560	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1560 wrote to memory of 3004	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1560 wrote to memory of 3004	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1560 wrote to memory of 3004	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\L0giNaFjdD0w.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\QCY4y5QT1OrE.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\auOy6WNacLJL.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWZFFsQANruF.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\4rq3i5CYXoTH.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EZfxrW9g8luO.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zs1eErNHsAJn.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Bn0W9DGpfn7C.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp

Files

memory/1632-0-0x000000007495E000-0x000000007495F000-memory.dmp

memory/1632-1-0x0000000001020000-0x000000000108C000-memory.dmp

memory/1632-2-0x0000000074950000-0x000000007503E000-memory.dmp

memory/1632-3-0x000000007495E000-0x000000007495F000-memory.dmp

memory/1632-4-0x0000000074950000-0x000000007503E000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/992-12-0x0000000000A80000-0x0000000000AEC000-memory.dmp

memory/992-14-0x0000000074950000-0x000000007503E000-memory.dmp

memory/992-13-0x0000000074950000-0x000000007503E000-memory.dmp

memory/1632-15-0x0000000074950000-0x000000007503E000-memory.dmp

memory/992-16-0x0000000074950000-0x000000007503E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\L0giNaFjdD0w.bat

MD5	f6c8eba5aa3511bd068e734848f992a8
SHA1	67702cea15b08497ef3d4fe3503acb0d2a70a47f
SHA256	9956cbed16a764446cda09792d5f07a213b2d7b5a6a6ec2b92d32977944390c2
SHA512	5f3231d03a5cea097b3f7bdf82cada30ead30feaf7c1bcc8f50e470e168cd56af29c99d8cb496e1975e163ddf271f37b94b09640f99f1987fa3601e5ea2951ee

memory/992-26-0x0000000074950000-0x000000007503E000-memory.dmp

memory/1084-29-0x0000000000D60000-0x0000000000DCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QCY4y5QT1OrE.bat

MD5	5b02680bedc2623a9b411746e9abf50b
SHA1	92a05bf4aab14bf012b93dcca9422d75ec0213ce
SHA256	892aac02988e67a926b22dea531c6f3a5cc245102443a7e26a5256f297a1cfe7
SHA512	0a757e10388f26a5dd4cc06a45629d51d2d0b2004f2dde997ab54b4d687bc4400a27760ba7ea0df53a5edaa10e3baeee348c55c529df8da8d9f5d78c18ce32d0

memory/1560-41-0x00000000003E0000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\auOy6WNacLJL.bat

MD5	3b2ead8139067cdb8425e05da7d87439
SHA1	880ef0cc1a9fe4117f31cf3795b60d3420f05a99
SHA256	d3701aa356b1e57bed04fd969d27a98b408fcfa3e42a4755672426b6314ed84f
SHA512	ac7d1f4b90d1e9e8aec662347d7098a3c1248e2509a2d11f96d062d53b476d597f2e0602d48c1d70ffd5a68c2a7bf0fc09af3578a0ff91bda4752571869c2aff

memory/1852-53-0x0000000000E20000-0x0000000000E8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZWZFFsQANruF.bat

MD5	d055a5ba15c2217d2da0e320e083c88d
SHA1	e98a4860b210b416d85746b78cc744c72e37b242
SHA256	48f839b4054ff36757988a515cec622f31c192b50b48b04a61c59853ca495c70
SHA512	63aa7030343a91a7427a580428979dbcd2ae7f6c4134729355c64d83cb5425e33eca8224fa8c23e1e7b53c5c147aa4d71e5941415ce04427ad39a6b79423a5c3

memory/2172-65-0x0000000001190000-0x00000000011FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4rq3i5CYXoTH.bat

MD5	fe908a4d6701d9086d8390ea243c27d9
SHA1	4793c983edcae2bcabfcfe4ae836b26b9ce097cc
SHA256	0386291cd927eec70e4e724410c7b3e891f6f0a013e39526acc59254c1b534a1
SHA512	df593a62ccc10a0ba9e9cbfb71beed32b4538327c8b796df9a347bd99bdf5042a1ac05da19d8a505125215e33c1f3c7f1bfc14fc5cc9c1444f043685ce30cadb

memory/1660-77-0x0000000001190000-0x00000000011FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EZfxrW9g8luO.bat

MD5	bb75eb894e023e31c467dadfe329bc41
SHA1	731b3e6acba2cf6b42931b04b008dd70d901bdb7
SHA256	70c09df9e66094171f28a17ab4426fa03869ec66be95e4122b6e99b720907db3
SHA512	b932cd6cd15df655d5fc505eff3c4e6c7207c56db1f9e75ff56a2aa6812471243723a0abffbbcae1524662f320fc45ed6a0009b6102d3caa07c071bd4e68c79c

C:\Users\Admin\AppData\Local\Temp\Zs1eErNHsAJn.bat

MD5	4ff2730bc570c1d9c6331ff570b32914
SHA1	78d90ff9d48c2b072094d1cd4a74db69db4c3369
SHA256	6f62b0d3f5a909022b3cadcdcfe575e719f169d06f1a0a168d5b3343b5b4430d
SHA512	c0ad77c80f036a0ae0168d6304e62985da59025e0a579a93b1ed4be848b0f36d0c4d94413a77f5668eb5965966db6b453249de9a871215d4d35a82424d1469e8

C:\Users\Admin\AppData\Local\Temp\Bn0W9DGpfn7C.bat

MD5	03e4999fd49aa6750356434452f51fda
SHA1	a7aefcd7a3acddf419a3b7631f66bc24a0bc38a3
SHA256	61eff2aec8ee89d99b5aaf69ee3256a02731f3966fe8c675394e8e37bdd89c97
SHA512	f465eec8cdbae3c1b4574454637cb8559b59223beb8efec6bd120c91d80c5fb5892a6857a4a75453a1a86b27671f1f5cf82fae7a6a758750cc10c915c351ce64

memory/904-111-0x00000000001A0000-0x000000000020C000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:51

Platform

win7-20231129-en

Max time kernel

581s

Max time network

597s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1188 wrote to memory of 320	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1188 wrote to memory of 320	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1188 wrote to memory of 320	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1188 wrote to memory of 320	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1188 wrote to memory of 2796	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1188 wrote to memory of 2796	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1188 wrote to memory of 2796	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1188 wrote to memory of 2796	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1188 wrote to memory of 2796	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1188 wrote to memory of 2796	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1188 wrote to memory of 2796	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2796 wrote to memory of 2564	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2796 wrote to memory of 2564	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2796 wrote to memory of 2564	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2796 wrote to memory of 2564	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1188 wrote to memory of 2464	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1188 wrote to memory of 2464	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1188 wrote to memory of 2464	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1188 wrote to memory of 2464	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/1188-0-0x000000007498E000-0x000000007498F000-memory.dmp

memory/1188-1-0x0000000000F00000-0x0000000000F6C000-memory.dmp

memory/1188-2-0x0000000074980000-0x000000007506E000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2796-11-0x0000000074980000-0x000000007506E000-memory.dmp

memory/2796-12-0x0000000074980000-0x000000007506E000-memory.dmp

memory/2796-10-0x0000000001150000-0x00000000011BC000-memory.dmp

memory/1188-14-0x0000000074980000-0x000000007506E000-memory.dmp

memory/2796-15-0x0000000074980000-0x000000007506E000-memory.dmp

memory/2796-16-0x0000000074980000-0x000000007506E000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:53

Platform

win7-20240220-en

Max time kernel

578s

Max time network

595s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2172 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 2552	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 2664	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2172 wrote to memory of 2664	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2172 wrote to memory of 2664	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2172 wrote to memory of 2664	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2172 wrote to memory of 2664	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2172 wrote to memory of 2664	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2172 wrote to memory of 2664	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2664 wrote to memory of 2160	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2664 wrote to memory of 2160	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2664 wrote to memory of 2160	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2664 wrote to memory of 2160	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2172 wrote to memory of 2452	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2172 wrote to memory of 2452	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2172 wrote to memory of 2452	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2172 wrote to memory of 2452	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (102) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/2172-0-0x000000007406E000-0x000000007406F000-memory.dmp

memory/2172-1-0x0000000000A70000-0x0000000000ADC000-memory.dmp

memory/2172-2-0x0000000074060000-0x000000007474E000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2664-11-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2664-10-0x0000000000110000-0x000000000017C000-memory.dmp

memory/2664-12-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2172-14-0x0000000074060000-0x000000007474E000-memory.dmp

memory/2664-15-0x0000000074060000-0x000000007474E000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:57

Platform

win10v2004-20240508-en

Max time kernel

591s

Max time network

608s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Adds Run key to start application

persistence

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1948 wrote to memory of 4324	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1948 wrote to memory of 4324	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1948 wrote to memory of 4324	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1948 wrote to memory of 4252	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1948 wrote to memory of 4252	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1948 wrote to memory of 4252	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1948 wrote to memory of 4784	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1948 wrote to memory of 4784	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1948 wrote to memory of 4784	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 4252 wrote to memory of 3404	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4252 wrote to memory of 3404	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4252 wrote to memory of 3404	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4252 wrote to memory of 2356	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4252 wrote to memory of 2356	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4252 wrote to memory of 2356	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 3588	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2356 wrote to memory of 3588	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2356 wrote to memory of 3588	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2356 wrote to memory of 944	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2356 wrote to memory of 944	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2356 wrote to memory of 944	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2356 wrote to memory of 4332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2356 wrote to memory of 4332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2356 wrote to memory of 4332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4332 wrote to memory of 2916	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4332 wrote to memory of 2916	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4332 wrote to memory of 2916	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4332 wrote to memory of 4224	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 4224	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 4224	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 4324	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4224 wrote to memory of 4324	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4224 wrote to memory of 4324	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 4224 wrote to memory of 3164	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4224 wrote to memory of 3164	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4224 wrote to memory of 3164	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 4224 wrote to memory of 4128	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4224 wrote to memory of 4128	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4224 wrote to memory of 4128	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4128 wrote to memory of 2672	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4128 wrote to memory of 2672	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4128 wrote to memory of 2672	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4128 wrote to memory of 2368	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 2368	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 2368	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 4440	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2368 wrote to memory of 4440	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2368 wrote to memory of 4440	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2368 wrote to memory of 1640	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2368 wrote to memory of 1640	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2368 wrote to memory of 1640	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2368 wrote to memory of 2408	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2368 wrote to memory of 2408	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2368 wrote to memory of 2408	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2408 wrote to memory of 944	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2408 wrote to memory of 944	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2408 wrote to memory of 944	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2408 wrote to memory of 2192	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2192	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2192	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 1880	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2192 wrote to memory of 1880	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2192 wrote to memory of 1880	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2192 wrote to memory of 2852	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4276,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (103) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cRWhMUPHm7O6.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4252 -ip 4252

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1652

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zpvIPTEZbFTn.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4332 -ip 4332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1084

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pfZkZDW9Q72g.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4128 -ip 4128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1624

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J4pfRx1eqFtx.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 2244

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4132 -ip 4132

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\idb3p3lbTEpM.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1948 -ip 1948

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqpNF2iAbQm2.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 832 -ip 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c4ZvNnzsbqPj.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 808 -ip 808

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 2220

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2S16ToK4VAZ5.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4012 -ip 4012

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pXfhmnqHOOVv.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3124 -ip 3124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OStACV7B0Iw0.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1852 -ip 1852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1688

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGeHqMLDHxqy.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 740 -ip 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1672

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hRxU9Sky0cc2.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4416 -ip 4416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yyo78BgpfiU7.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 116 -ip 116

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 2236

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7t3aZtxjIbvC.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1008 -ip 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1708

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eJ7EEOcXEYTM.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4864 -ip 4864

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1096

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TtveIakqojI7.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4128 -ip 4128

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1712

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9OrBAQ8t4Iza.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 396 -ip 396

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 2212

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6UQsaJCtM364.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 692 -ip 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 1732

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3996,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwQdMhPVhXpr.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2024 -ip 2024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1656

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PvObgb1AlKvV.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2280 -ip 2280

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAFOf4IMv8Hz.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4416 -ip 4416

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dHo65wLMDtOT.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1896 -ip 1896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1660

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IHrrgypb4DtA.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 456 -ip 456

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1640

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymnOYoEfKmad.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4740 -ip 4740

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1732

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuAplRRy8LO1.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3228 -ip 3228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rVmydNjaELvg.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2784 -ip 2784

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	ip-api.com	udp

Files

memory/1948-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

memory/1948-1-0x0000000000AE0000-0x0000000000B4C000-memory.dmp

memory/1948-2-0x0000000005B40000-0x00000000060E4000-memory.dmp

memory/1948-3-0x00000000056A0000-0x0000000005732000-memory.dmp

memory/1948-4-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/1948-5-0x0000000005590000-0x00000000055F6000-memory.dmp

memory/1948-6-0x0000000006360000-0x0000000006372000-memory.dmp

memory/1948-7-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

memory/1948-8-0x0000000074AF0000-0x00000000752A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/1948-16-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/4252-15-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/4252-17-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/4252-19-0x0000000006400000-0x000000000640A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cRWhMUPHm7O6.bat

MD5	d95118b857bd1e1a69c0dbe09ea42302
SHA1	40c864f693a0fe10b26dd2fe2197cfcdba0fcaad
SHA256	f97c3865887f989548253898f25e2010fb7df600625b951965d7c94eda0a2d1a
SHA512	20f1b3615038caea8ece8e3400c2fa314c4667ff4677d69945e8a007688e9b9d27ba076155b304e8d0143efd6dcce8f98421508cb13c3042eebd7e7197a2665f

memory/4252-24-0x0000000074AF0000-0x00000000752A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	819f1026afe56ecb196b4a806f4339e7
SHA1	95f5f570a4881e7e4a356b24d521e2a03b28dc8d
SHA256	b2dd3910515099b3a84cc1ee0354accdfea89399a7e05eda2cc8ad5f17f5ade3
SHA512	0846d30fac0ebc3f5c587ca94da80223367fa595562319dfc36bd28aae6db5e13689b7c13089801fc250ad16ad5ab7c5c96e39d06d5aa14a4348384059f3187e

C:\Users\Admin\AppData\Local\Temp\zpvIPTEZbFTn.bat

MD5	6b5408acaf3e731b9ad49e9d243414da
SHA1	45422f048f4bd34f5ce6ff29cfe24d0bb9d5cfcb
SHA256	58973ae9e9c5c2af818e3aaa6b04ccaa0cb1297871e2f4d8b15c1da1ebc00043
SHA512	a67b36247088ea34119048f79c33abf843956c082142112794f7c3b77d3c58f36d8f3f1736322368cbc7af9ab9a45bc5665aac0b679c1c4f972dd6d91bbd2562

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	2493a7bfde6526a68b9366e476a10149
SHA1	5cd0bd5981099ab6a6778ce468bf25b9e4687164
SHA256	4594426989bd35efafbf237d4203f8fdd187a035e329d5619a71986a488ac52d
SHA512	f083eba036b3c4eb83bd9ba7cfa712e3264880653400ef5c2d3ba82af456c4dc51557ec51b8d91e91d0a731ced9e2c15a20f895449d6374c62a542cdca0345ee

C:\Users\Admin\AppData\Local\Temp\pfZkZDW9Q72g.bat

MD5	d0e4eeefee9aa53a9ab6c37a1dd21154
SHA1	5379a90f14442c1f73bb8f3362259c5d608b6ad2
SHA256	b4a03d45b4f4712534cc9265a788297a88ec9d94bf2c50f45f5698a533256284
SHA512	5c7d7e29eade02dada7645b1ad852d3acf31187e957068e50038b82d1bded8a7d7e2a00768015c18257c8b4c4faac1b6e2f0c02361fbd39bf7888fb2202840c0

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512	cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\J4pfRx1eqFtx.bat

MD5	b3fa5dd56e287274e8204d6307842139
SHA1	be4642473cfa58234f8053d271b72261440c1b09
SHA256	4547e59ec93e272dfe199b8bfea4b9f40daff85af195fd203883f65892b6ecad
SHA512	5685dc227233902229836946a3d1b4528cae5ed2f8ded788a0639767cb97640e8a2f9844366ffe740b3140c9c79468cbc0e27c65d6d6c7c5419535ca86eb00b4

C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat

MD5	fca918401b9f049ba5b5d4539bbb417f
SHA1	2cdeb9d54acc29a51a98f4bc859673c5ec786879
SHA256	684e02e766fa1f723388f802c7f5a15df9258467c5abcab7a483457f681220ad
SHA512	29acf29a6cccda64ce38f2d6dab7697d765cc14306c46e54e2f79f1a12f7def33d7fc192c12a684e1619872334adab6e93840c5b05e6a66279e65138a1b829e7

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	8984a14320fb5ce25909461c71420f9a
SHA1	d0913d6d8d48c109c6977796e99f50f96aebb830
SHA256	bdcc74a2ee8d0dd9b01f9d27a4fbb0467a07d75684ddfb8dec077ba2a7d29a51
SHA512	a6f6506f3e417d5fd1161280d249a7b98eb88184db0dc5be26be3f618880b05af3e2d2a832fd5f8f4e19c0501d0e293d0f9d9506550adb1ef716dfc3ea1fd08c

C:\Users\Admin\AppData\Local\Temp\idb3p3lbTEpM.bat

MD5	c01cea741fba5ec596b5ff417d97190a
SHA1	2a10b9e8e6467127f6cd7d3e553ca6243b9d9676
SHA256	155179710b067b1d7dfda6ff6f2e91a573df0d2a2821530b2f95df8f90a0da72
SHA512	d1b4d4638ed7dad8373efee8194d97ecd562ff8afa7ca4f789b6cb613335fe7abdaa88f70a03d56b5d6aef2f31ed3ea8361e930fcf3c23877acf20bdabb54820

C:\Users\Admin\AppData\Local\Temp\sqpNF2iAbQm2.bat

MD5	b869a3d0b6981f1d1514658a5ad4cd9b
SHA1	93bcc26f4fe819b4f6f479f5a903065eeb5d60f8
SHA256	12c53092c7fb58eb51335f4eef32c9521ce75213c56573096eae19944168cb85
SHA512	b06bef2804f94542094564327decc5afcaed1c3b1f354eb5e5f7ba107f25dcdbee8d7af0e3e5d296494cd495b8bcec9acb6484acd63314ebd4e6f4222edd4c3a

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	c88d6ba5563d5a68651978f332af39f1
SHA1	e484e2567b4029028f18623e0ea9143db70ad4e9
SHA256	18d17d375ab8ec8b0e7edc709b94f8fe99630e8561edd5dc6ef6d33bf670ba05
SHA512	5c34c0391c41e2a7712578358273f84fc10b4456bbe3c7e16efe05d6b184fec6a541aa6ba49c4eaace633a05a68a1b326473c911fd9c3cd0c079eb35505d3994

C:\Users\Admin\AppData\Local\Temp\c4ZvNnzsbqPj.bat

MD5	48d12fd1ae07d7269a73393b682ea758
SHA1	ed939e758f5e0d0e9ad70bfc386c0dcbcfa5f5d6
SHA256	639c94070837f04c49349465920265234f44d652d5eb45cfed076c3845c0e28d
SHA512	cf24fba9f49a2aee9d37ba3b5cb55e621d20ed689b3b448c7f2bc759ba3a65fe57491def969911ccb23622135a153b7e46c8442aebe73e89165f169109d775c0

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	7e26abc758469dc21cbc5bbb29636a5f
SHA1	67a0840e698404f21d9b18d7abfbb6825789adfa
SHA256	449b59bb7258954d89ae85b856c26ae6911f3aae6edd389078dd44035b09f532
SHA512	df5ed2fbceb618b0bbfca1400214c44d6cac0f788af91c130d8706d2cbd45ebbdb9baee9800971b9971b2b7940d83c072b9ce7d2aa6c7224bc05233fe7eb7fd5

C:\Users\Admin\AppData\Local\Temp\2S16ToK4VAZ5.bat

MD5	1d8d6f35569fdd49d1621fa2cd6725d6
SHA1	88de4bf3ae37d597859053d35b7a771e5c04efe2
SHA256	23a857956d412040e098c192909b6d990d8923928a173edb2fca9450ea4ffcaa
SHA512	ef443a643e511146f8e3070c5ffb1c1269244f358be7dc9e019f602c8c827958784662abd4c11fc67263566f17bc72d4b123237d3ee6ed6d15bcc03111ddc3a4

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	9322cdec542295ed36d7f619aab30d69
SHA1	58108cdc24af65d5f1827fda88d12057fe490b15
SHA256	17f4b929d13688934d96f80d0e59e62c177c17d574aabb6f2a541dfdac443c14
SHA512	2f2e7510b21b23894b636ec7828c5f7b5af48ff67f507ced68d0b3660e9964a36db088adb557eeb2658b8a9b6bb2efd667da57cb434b234684b38c6ca12903ee

C:\Users\Admin\AppData\Local\Temp\pXfhmnqHOOVv.bat

MD5	a4e5c723180ea3f28a13f4d17723181f
SHA1	52c4c8e624ea8099bcad3c3ba174206e3cbe9ded
SHA256	66faca97f1bfc10298985acc1163acd50f789152a2d3dbed0ee4af4d3c53873a
SHA512	8ec33f237ea592ef81234e1e10bfca56aac414d6a8b72ccf893ce8aa78036ccecf6cb08ba3a96a5480c2669345f31933ae466a4eadc8aaf0b6ecccbe9cf1e813

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	add94d62a61c16efcb697a34557befcd
SHA1	d80bbe2c548504dd5c42b4f875c361aff5af7e28
SHA256	c4707e1c06f2a759bf5faaac78aca9949acaef0c21908c6a02210e48994a7cb4
SHA512	72326cfd1a0c9c2234c74d992ece35ae0e4e54d56cc312cd811b0b301caf984fa6dee4faed1671cfcf1ecbc26f8c8a4fa77ef4cca1a0d1221fc49d9db857b00f

C:\Users\Admin\AppData\Local\Temp\OStACV7B0Iw0.bat

MD5	a968198b10748a203e7969c38e05ea6c
SHA1	87a90b371f6a9be3924fcef3b257c2f155a9e476
SHA256	494f4bf03380da93d22ea861431da410338866e44af30a502b7879b272b48e1a
SHA512	c79e392128476f990b11a9f524391e14f6123800689d2383c971af10ccc48e806aca092d8632f411b3e92affc0fe03ef7706440b323ac4912ca781ecc90ca5be

C:\Users\Admin\AppData\Local\Temp\iGeHqMLDHxqy.bat

MD5	99d5af4285175f83b77b722d544d9b5d
SHA1	8769c4de09e3f453fcf5f30da51e0ca75079fa1b
SHA256	827f930de140e62111559acac68d85664094def94f7e8c4477c985c183e8f8f9
SHA512	66654605890be86ce351e31c219e185bc79aaf34df6c9bc0b9f6b61f0a39c16e65a0e1f36a2a523236ac3efd0c4a972de88d811299f4e3879b3f1cd1e6361523

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	0ab82601d182bd111d39a4fbfb051fd2
SHA1	c07ab6c602cf4d81633626be0fcb83c6ad6859c0
SHA256	d9965c381124c307679b34a8e17595576ebb2709401b40174546b9f49795bfc2
SHA512	23eae67cece3fc20843a02d8abceb190b5e4acbb35812d3d2b87d6c71d236fb68f2691e282f79346548a1d33d535866849b3f7599135c4c0cec01308b3fe76b9

C:\Users\Admin\AppData\Local\Temp\hRxU9Sky0cc2.bat

MD5	6bbd6e156cb6cc3a00d028f47cbf5c34
SHA1	6302ff77e88c28136a3cf14c6c113b6e19b02f90
SHA256	32ba7d463beac44baa7a5291a07c64089ba5c5df08d1bad02c89834b3e66ab78
SHA512	76f624c8c7a08b2864364ec7ac713d7c3b2123c6c802e1c826fbfa5a32102bf66bfd203ccf83e5644d5b39e66a5e4bd26b8bb37c81ecbcf35b01e87e97a41528

C:\Users\Admin\AppData\Local\Temp\Yyo78BgpfiU7.bat

MD5	8b4e08f9f9fc82bb2373353a0b0d59aa
SHA1	3922b573c613ad3f3b0021f779527bc6f840406d
SHA256	2dc9efbc8850bd908af368f218f2a2694fce76bee92a0a0bf391bb3b62211a14
SHA512	d39a753e2d1aeb42d0b1bc6d0805f6894ac9549743754cf97c666ea4cd0ece32f7733d8347d869276268edb01bc28ed911e5ca580f311a98b1efd3fca2696f61

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	d6fd0e3146f4a0de2af7f9005be2f2e5
SHA1	b491edd0efdffbdfdab56fa4c980b431f4563b04
SHA256	96fec9a8fe919dc0b472b1e38d4922e84edabf9ec8b41bb4c3828f128fdc177c
SHA512	69968bdb37d42e274a1e06e2a487e927c8da057880861103d37592f64248dad2888b62e4d9f0c5f8ebc16477a58cef6b04bcae0ff91de68d51a57fe79d9f0694

C:\Users\Admin\AppData\Local\Temp\7t3aZtxjIbvC.bat

MD5	962dc1a962f9f02fd54a6c7f26ff11ce
SHA1	3e082806f592ee7c2b9815726b30d74491493d6b
SHA256	8f73dd8158c2b771821305ca651524c73c3d8bb161ef606a54ab1b1e45d2b4e2
SHA512	8a7b780e007e661de81da0235b3b742e0479ac56d9faa9ed4d485a4ea60f798ca5f6da1bf70ab8452a82b4f813f52dfff85dbe8cb2b3a92990095bbabe4c2829

C:\Users\Admin\AppData\Local\Temp\eJ7EEOcXEYTM.bat

MD5	24cdc1ea54c3a068b90f906c0696e10f
SHA1	320a7fe0dab4bf1cacad74cd7a7a5f6df02d6282
SHA256	47c6b64b3ca84388ad932962569b1b3224e46e9bb944b617be7f7eba632f5264
SHA512	b111bc218695f7e7d7f2768ae74e713c3fc52343f01e643b61c0920daf295e74c59de38a6ad0bbbc68c2259f3f3a1bb6e114aa1cec7e64fe95bb171ecdddd9ea

C:\Users\Admin\AppData\Local\Temp\9OrBAQ8t4Iza.bat

MD5	eb9e83a6fa063c1f8d12107b7d29c003
SHA1	e7d26de54c746de3e1f7e011cb2dbdbb2ed9fa9b
SHA256	f9a2589871b858464df160b55e17ac0e7712df3c7a8cf91c213e09fc29b309a9
SHA512	4d0ce24bcf20e0361548d5c5f0e4b38ddc1a3769ece76c032f74382aa4227ce35c0a6a98464aa6c249dc26b7c1f2ca39fd36501a8bbd4bb92462b1e718c4393b

C:\Users\Admin\AppData\Local\Temp\6UQsaJCtM364.bat

MD5	3f4f6b07fab9a12744e50d5225183195
SHA1	ed3be2f788c37fd49d52a49a99772b7d2f568af9
SHA256	ffd9ed359ba749193ebc0fda7ac8eda839da7f3ba9e00ad67d357e58099c00cc
SHA512	2774864e29484cedb6ce588b270026691741af016a4350f6fa6f591f72f3a2ff22a2a089ec03c4c0f7b2dca5a2fe09c3061c8f4a6889b8955dfed177b982feff

C:\Users\Admin\AppData\Local\Temp\pwQdMhPVhXpr.bat

MD5	a379c1c1602cd339a5f09e4d935b5406
SHA1	273c9d5abbfab5c883a2ea9faeaa64e5b5e26b90
SHA256	c400260513b7a239b43d698af99eafb8034e2b122188570b89706bc2c68d2ae2
SHA512	5004db845f4a453f60305f7b3e33f3304df94986e42b079f1f55c02c28e118167bdfaf5f2873b11922bf2a50244298429323bdbb0ab8bcf707792c9040198b47

C:\Users\Admin\AppData\Local\Temp\PvObgb1AlKvV.bat

MD5	06c35436c03e176de76407836b571ad3
SHA1	9c1a9cb18a7dfb5c833eb8a283112cec1b7e717d
SHA256	7f91b9ce8acba3a9f20204cb0806d915b3b9aadcd2ff7855f55ce8dee4fb5c4a
SHA512	82e557c852e8b1a635f37fc33bde541068734eee498ab4c61cf5368b0318dcb0d6f8d4a62fcc5d2caa8fa05b9628357ca1d49e58ed69f6c8f65ce9d94270253a

C:\Users\Admin\AppData\Roaming\Logs\06-15-2024

MD5	430f6a6e9f4bae46a75b8f7f28ee8e29
SHA1	5f75b1a95eba84d26351ebba563ac96b54eea967
SHA256	91428ece2e914cda2c52d1f77f529921e9371b975f85edca044317060b80d6f6
SHA512	451622e010176590f1e716427d0f837d4e6aa7e135f1fff036a4d90f257c338c923e2e11705e53206275399ed6c3350ca8213e6894565394e27551ea1426d517

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:49

Platform

win7-20240508-en

Max time kernel

596s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1924 wrote to memory of 2520	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1924 wrote to memory of 2520	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1924 wrote to memory of 2520	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1924 wrote to memory of 2520	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1924 wrote to memory of 1636	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 1636	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 1636	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 1636	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 1636	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 1636	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 1636	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 2156	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1924 wrote to memory of 2156	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1924 wrote to memory of 2156	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1924 wrote to memory of 2156	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 1636 wrote to memory of 2364	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 2364	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 2364	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 2364	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1636 wrote to memory of 2688	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2688	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2688	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2688	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2328	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2688 wrote to memory of 2328	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2688 wrote to memory of 2328	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2688 wrote to memory of 2328	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2688 wrote to memory of 1208	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2688 wrote to memory of 1208	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2688 wrote to memory of 1208	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2688 wrote to memory of 1208	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2688 wrote to memory of 332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2688 wrote to memory of 332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2688 wrote to memory of 332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2688 wrote to memory of 332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2688 wrote to memory of 332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2688 wrote to memory of 332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2688 wrote to memory of 332	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 332 wrote to memory of 1524	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 332 wrote to memory of 1524	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 332 wrote to memory of 1524	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 332 wrote to memory of 1524	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 332 wrote to memory of 1084	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 332 wrote to memory of 1084	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 332 wrote to memory of 1084	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 332 wrote to memory of 1084	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1084 wrote to memory of 2888	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1084 wrote to memory of 2888	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1084 wrote to memory of 2888	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1084 wrote to memory of 2888	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1084 wrote to memory of 1460	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1084 wrote to memory of 1460	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1084 wrote to memory of 1460	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1084 wrote to memory of 1460	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1084 wrote to memory of 1820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1084 wrote to memory of 1820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1084 wrote to memory of 1820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1084 wrote to memory of 1820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1084 wrote to memory of 1820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1084 wrote to memory of 1820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1084 wrote to memory of 1820	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1820 wrote to memory of 1952	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 1952	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 1952	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sADVVufWFxWI.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zrFfrbRKK5GV.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VGGzE1YTuwU6.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\s4lVMYO9LJlP.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qgvmVuSj6pNK.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\hiO0C6O9Egjq.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\52YRMBm4Uuo9.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2ayCcKUspWkT.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp

Files

memory/1924-0-0x000000007446E000-0x000000007446F000-memory.dmp

memory/1924-1-0x0000000000C20000-0x0000000000C8C000-memory.dmp

memory/1924-2-0x0000000074460000-0x0000000074B4E000-memory.dmp

memory/1924-3-0x000000007446E000-0x000000007446F000-memory.dmp

memory/1924-4-0x0000000074460000-0x0000000074B4E000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/1636-12-0x0000000000D40000-0x0000000000DAC000-memory.dmp

memory/1636-13-0x0000000074460000-0x0000000074B4E000-memory.dmp

memory/1636-14-0x0000000074460000-0x0000000074B4E000-memory.dmp

memory/1924-15-0x0000000074460000-0x0000000074B4E000-memory.dmp

memory/1636-16-0x0000000074460000-0x0000000074B4E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sADVVufWFxWI.bat

MD5	30a94107738ee27a6ba761241dfe33ff
SHA1	1c4a1e807fa0a3d70b275df8b4dc08862cbb31e3
SHA256	b34da337979645b74588aad65e4c7c3d9d2b325dc79c67fda8653d01319611b1
SHA512	0909a4f776cb9cba28a894d4705fe943f5f94da22d962ca776177b271125e4cb0d0260f34cbfc4bd51de899e637df977d78551f177772d36a66b261eaf4db90c

memory/1636-25-0x0000000074460000-0x0000000074B4E000-memory.dmp

memory/332-29-0x00000000013B0000-0x000000000141C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zrFfrbRKK5GV.bat

MD5	8f1a33081cf8970e3fc5c3aed978ee85
SHA1	fcc6396c3aa7bb49f3542057220409a1c3a92aaf
SHA256	875857ee899e2d1e65a0c4e01935ae814ae835bce92242fae79f90db6d47ac51
SHA512	4a11bb24fb8d09aa35827a911d1ddf88c1249fd1e8779fa71d064f2e59c9792312160aed25f4119a039d1458208cecf62a250e05dfe9143ecbf74b006a966746

memory/1820-41-0x00000000013B0000-0x000000000141C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VGGzE1YTuwU6.bat

MD5	1cbfe735f208063f2edd8554c18268ed
SHA1	2e7d0b6c926f1f7262b0d92b4259b1d01bff642d
SHA256	ea51aa882ffd3fd202182ba9217dd41c63ac5763a61b3bd0a0c39590f7dc5b28
SHA512	e1cf2d854635a3b36da6b1ff48eebb08698d5f2fd43df69abe975ea1139b14caa3204e03221f94cab567b11f9bf4015ae914f73def15dc46a581f2a53730040f

C:\Users\Admin\AppData\Local\Temp\s4lVMYO9LJlP.bat

MD5	3234f24b331cf0561b4647a0b3831075
SHA1	c3170bbe5a78913d9fd2437cb7ec195cebd52340
SHA256	3e90508b0e251988bdb143b25865eb236e3d60d29d7c42e37f59caba7e046bb7
SHA512	89221d7b777cb8f780908defbd1d729f7051e5770cf89589acdf0517a80b5cc0fb6cb992591b0683021e00cea2810d185f3cca94c54cfc7d59741edb29487e4b

C:\Users\Admin\AppData\Local\Temp\qgvmVuSj6pNK.bat

MD5	eccb913cc2fa8de35527af2fdd457f27
SHA1	91beb3025632f1697b2fccd92acce36fd20b01d6
SHA256	8a4cc434861e7dd861616e07571925ba51267647de1ee20e867b234a8f932430
SHA512	a3dc5d947e905c1157afd44c27cc75ef6be58ec9080ca65358dd89597a0b645199b7ecd7b465412b0b56e8f6d37b96ba5f0d61939d297bd67bf50b48f7538d9b

C:\Users\Admin\AppData\Local\Temp\hiO0C6O9Egjq.bat

MD5	51464b5bf97c5dd5aaf742bc7f3e101e
SHA1	e8924997a0819e72a2fd0ddefebe1a552ad307ce
SHA256	7adf0988371faba58ffbbb554a7271c07ae3f24cadaa1dbc5731ecc130735c10
SHA512	5f543541c0c1a5c5e466a9d023c4323b97828d948187870a2e2a80e84ea19c13a8f6d8161bcf1ad21f5b80df932a06fdb17b2feb2029ba6f61f356eb8525d8df

C:\Users\Admin\AppData\Local\Temp\52YRMBm4Uuo9.bat

MD5	cdb812d1ea5827e8bc70da24058655c5
SHA1	11acef92bb12278b8610bf2583cb894df375c522
SHA256	2f836e0a084086134def59363a6e627e00def7044fd5c3be2248c004da5b76fa
SHA512	9169f61373288c74f2686b71625d928ac216fb357ae0464d327b7fc80ee32a4f4622ddf6b05880f27ad507536bf5eb1bad89ae43267f69a1db6c2c059b7734eb

memory/1232-97-0x0000000000120000-0x000000000018C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ayCcKUspWkT.bat

MD5	0b4500202563fcffbcd991fd614a9ab5
SHA1	c4b14b3df095c69687b18bda7f86637fa312be97
SHA256	70f7dfb9e35d0d9dae1da9ed31bf9d843801ab07a18bfb22870f6dc57f1e6e94
SHA512	d20e0e235d84ff748f0f356ec749bda82a29d049eec6eb9a589f0f96a19316a6ab696aa8e92bf6d0679a281a40d5f29f0361311e59ff0952debd41d41e68f77a

memory/2380-109-0x0000000000D60000-0x0000000000DCC000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:54

Platform

win7-20240611-en

Max time kernel

579s

Max time network

594s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	ip-api.com	N/A	N/A

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2560 wrote to memory of 2588	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2588	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2588	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2588	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2560 wrote to memory of 2676	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2560 wrote to memory of 2676	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2560 wrote to memory of 2676	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2560 wrote to memory of 2676	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2560 wrote to memory of 2676	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2560 wrote to memory of 2676	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2560 wrote to memory of 2676	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2560 wrote to memory of 2624	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2560 wrote to memory of 2624	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2560 wrote to memory of 2624	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2560 wrote to memory of 2624	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2676 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2676 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2676 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2676 wrote to memory of 2752	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (102) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	208.95.112.1:80	ip-api.com	tcp
US	8.8.8.8:53	github.com	udp
GB	20.26.156.215:443	github.com	tcp
US	208.95.112.1:80	ip-api.com	tcp
GB	20.26.156.215:443	github.com	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:57059	panel-slave.gl.at.ply.gg	tcp
US	147.185.221.19:27892	panel-slave.gl.at.ply.gg	tcp

Files

memory/2560-0-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

memory/2560-1-0x0000000000CD0000-0x0000000000D3C000-memory.dmp

memory/2560-2-0x0000000073F50000-0x000000007463E000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2676-10-0x0000000000BC0000-0x0000000000C2C000-memory.dmp

memory/2676-11-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2676-12-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2560-13-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2676-15-0x0000000073F50000-0x000000007463E000-memory.dmp

memory/2676-16-0x0000000073F50000-0x000000007463E000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-15 07:35

Reported

2024-06-15 08:58

Platform

win7-20240508-en

Max time kernel

596s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\cmd.exe	N/A

Looks up external IP address via web service

Description	Indicator	Process	Target
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	api.ipify.org	N/A	N/A
N/A	ip-api.com	N/A	N/A
N/A	ip-api.com	N/A	N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\SCHTASKS.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Runs ping.exe

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A
N/A	N/A	C:\Windows\SysWOW64\PING.EXE	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2196 wrote to memory of 1576	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 1576	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 1576	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 1576	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2276	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2196 wrote to memory of 2276	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2196 wrote to memory of 2276	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2196 wrote to memory of 2276	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2196 wrote to memory of 2276	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2196 wrote to memory of 2276	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2196 wrote to memory of 2276	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2196 wrote to memory of 2280	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2196 wrote to memory of 2280	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2196 wrote to memory of 2280	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2196 wrote to memory of 2280	N/A	C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe	C:\Windows\SysWOW64\SCHTASKS.exe
PID 2276 wrote to memory of 2356	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 2356	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 2356	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 2356	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2276 wrote to memory of 2100	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2100	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2100	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2100	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2100 wrote to memory of 1260	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2100 wrote to memory of 1260	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2100 wrote to memory of 1260	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2100 wrote to memory of 1260	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 2100 wrote to memory of 2264	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2100 wrote to memory of 2264	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2100 wrote to memory of 2264	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2100 wrote to memory of 2264	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 2100 wrote to memory of 2092	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2100 wrote to memory of 2092	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2100 wrote to memory of 2092	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2100 wrote to memory of 2092	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2100 wrote to memory of 2092	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2100 wrote to memory of 2092	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2100 wrote to memory of 2092	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2092 wrote to memory of 1368	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2092 wrote to memory of 1368	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2092 wrote to memory of 1368	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2092 wrote to memory of 1368	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2092 wrote to memory of 1924	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 1924	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 1924	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 1924	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 572	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1924 wrote to memory of 572	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1924 wrote to memory of 572	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1924 wrote to memory of 572	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\chcp.com
PID 1924 wrote to memory of 2324	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1924 wrote to memory of 2324	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1924 wrote to memory of 2324	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1924 wrote to memory of 2324	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\PING.EXE
PID 1924 wrote to memory of 2212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 2212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 2212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 2212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 2212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 2212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1924 wrote to memory of 2212	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2212 wrote to memory of 2768	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2212 wrote to memory of 2768	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2212 wrote to memory of 2768	N/A	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe

"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77Uni - Copy (104) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Nq5cDvyjLNju.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qEICnbvZPQGc.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\oqSTvxz8AvrW.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UmG5d320TMNq.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\l4n2De6Hhx4L.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q0aevl99zOaf.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\qputq299wZYs.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\SktllO2hjBNI.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp
US	8.8.8.8:53	panel-slave.gl.at.ply.gg	udp
US	8.8.8.8:53	github.com	udp
US	8.8.8.8:53	ip-api.com	udp
US	8.8.8.8:53	freegeoip.net	udp
US	8.8.8.8:53	api.ipify.org	udp

Files

memory/2196-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

memory/2196-1-0x0000000000BD0000-0x0000000000C3C000-memory.dmp

memory/2196-2-0x00000000746D0000-0x0000000074DBE000-memory.dmp

memory/2196-3-0x00000000746DE000-0x00000000746DF000-memory.dmp

memory/2196-4-0x00000000746D0000-0x0000000074DBE000-memory.dmp

\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5	b70fdac25a99501e3cae11f1b775249e
SHA1	3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256	51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512	43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

memory/2276-13-0x00000000746D0000-0x0000000074DBE000-memory.dmp

memory/2276-14-0x00000000746D0000-0x0000000074DBE000-memory.dmp

memory/2276-12-0x0000000000170000-0x00000000001DC000-memory.dmp

memory/2196-15-0x00000000746D0000-0x0000000074DBE000-memory.dmp

memory/2276-16-0x00000000746D0000-0x0000000074DBE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Nq5cDvyjLNju.bat

MD5	bc00fcd9f02032baa66251f7b144921c
SHA1	8f847cb8f8e1a3ebc52ded2c8bbf985e1d0be915
SHA256	93cf94bdd7a739d01e2c1142a87894a99ff175160711489821bf865e18fc73fc
SHA512	a471cc8fee0f7fe7238fee9483028b3a713b1475ae7749afd33b7c31d200b26097570220d654a17a6a578c59489dbe663b89c0552c7c3143cc13f1cc336a2e5d

memory/2276-25-0x00000000746D0000-0x0000000074DBE000-memory.dmp

memory/2092-29-0x00000000001C0000-0x000000000022C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qEICnbvZPQGc.bat

MD5	d9a304e6ba48389296fb1acc82ffe257
SHA1	b8499d94470c40069de470af2198c3421ffa14ae
SHA256	c9e5e977596fecbeee69b5bf5ebf4ce319461962ed9bb51a0b158c1ae368e2de
SHA512	c8d8865a8e3a07e829fb4e415275c6944764aafaee3ba380ca730f0c42e1b519e3c87b71f7b2836e3220843b0a124aff22db2937e9d6299bbe54193d741df595

memory/2212-41-0x0000000000380000-0x00000000003EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oqSTvxz8AvrW.bat

MD5	cf65173cfaf212ce09cb6ffc42ac1c01
SHA1	3af972d312ac8d2c9053709de1cfb59859b60062
SHA256	3e234657b132f9feefbff9d48abf3c8a1599397808d57f5cc758dce39d8d8caa
SHA512	df15d05e2120ff0d0706456fd16a5899f20b6fdf29e7352c591f425def5dfaaaf02e7cd500af5325b524bb0dbb0d90636abf7a74d547354e0d798e797a0c5670

memory/2848-53-0x0000000000AC0000-0x0000000000B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UmG5d320TMNq.bat

MD5	66e9b406875a4f0ba90e8a177bb16cc7
SHA1	0cf41ed7ac9d0bf9c191f3b27a334768e6de7386
SHA256	11060773b86e15afe0e70f09615cd238c613c550087f1e995fc2974d0fa12395
SHA512	746c9428e5c416c514d6239f3cfb0f62d363e36fb2bd9b4c58b2fb457dbebfadceafc90afaa3b0fa4d1c03fbc749e26428c1f026d691f51faba7b0d8fc10190b

memory/1988-65-0x0000000001250000-0x00000000012BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\l4n2De6Hhx4L.bat

MD5	3194c4238030920959e872238220565d
SHA1	740295542b3e69cfc1b3ce1b21a6b9b364b95712
SHA256	754a7fff9d598f64b68ecae00756841811f75249f8a20fe7f385f802a1734b90
SHA512	7aee318919ab1fad6705de5890396917b9eb962344328241edd6ca58e6045df516a7c58ac44aed7d51ce8877bb349c3d04a8a4a28ecb8cc5c52e133541a40311

memory/1048-77-0x0000000001250000-0x00000000012BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Q0aevl99zOaf.bat

MD5	603f0c1f23dfdd4176bfe9bc183a9cf1
SHA1	73b13baacca70accd43939586db9c38c9c463d2a
SHA256	2bcd8b7c750cee9560d8c3874303365fcc64f46a12962b2f394471e32c90da36
SHA512	3a72a31c1bc39c63c9ea211062e6e42d813da0df2c26fcea23a62565ac3e6a77d39b345ff756d06d7f11c1fc31a17c2b6341e2f1c13d8535d3c5a09a70eb243d

C:\Users\Admin\AppData\Local\Temp\qputq299wZYs.bat

MD5	fb987d72d46df57269fdb1a24744d8f1
SHA1	cf137e277d142fd551876b35c1fb856296dbf55f
SHA256	31bb3a3889dcebd70ee0d5579e1121cd6b99937b49a529f12615b9eccb862af0
SHA512	d89ebd70070f098dcb0dcc164387f15b3fddf4922bf223d7e3f675c34c8e86c940d3cf06e538cd271a4b153e723bf45f6d1f85d25fabf91957525544e847c18d

C:\Users\Admin\AppData\Local\Temp\SktllO2hjBNI.bat

MD5	07768a2ba46cc4d467ef875b00c770bf
SHA1	b00a20160021b41d6f95563b724028a1ac1302cd
SHA256	94a41f0c5906e3cda5cb0661032233726464f08e692899b4462c58ab7bca8d11
SHA512	cff6d610eaf95cd768ba10831ae53ea0edf07540d1608590986cae2696ea04222cdee438b9a6473c263bce1a3db7eda4241caa0a035a174660c8bf0f7e4a543d

Sample ID	240615-jeym4swdmj
Target	uni.zip
SHA256	1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58
Tags	quasar seroxen spyware trojan persistence

Malware Analysis Report

2024-08-06 11:25

Table of Contents