quasar | hxxps://cdn[.]discordapp[.]com/attachments/1235717850421788722/1235947394470772736/SeroXen[.]rar?ex=676cb275&is=676b60f5&hm=196ee23fb797b7972d7eef79d4ae0c76cdaa82b260a8ed2629b51d024c404a49&

Analysis

max time kernel
81s
max time network
75s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-12-2024 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1235717850421788722/1235947394470772736/SeroXen.rar?ex=676cb275&is=676b60f5&hm=196ee23fb797b7972d7eef79d4ae0c76cdaa82b260a8ed2629b51d024c404a49&

Score

10^/10

quasar serorox discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

serorox

even-lemon.gl.at.ply.gg:33587

Mutex

$Sxr-g7zaoW2o45E5kvv6fX

Attributes

encryption_key
1mgSFiqbEggxxXXwqgX3
install_name
DLLrunHost.exe
log_directory
Logs
reconnect_delay
1000
startup_key
Discord
subdirectory
Windows

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000002a852-162.dat	family_quasar
behavioral1/memory/2820-184-0x0000000000DC0000-0x0000000000E2C000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

pid	Process
1424	SeroXen.exe
2820	svchost.exe
4336	SeroXen.exe
3520	DLLrunHost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DLLrunHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795789408310121"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SeroXen.rar:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4324	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3440	schtasks.exe
3948	SCHTASKS.exe
4640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeRestorePrivilege	2892	7zG.exe
Token: 35	2892	7zG.exe
Token: SeSecurityPrivilege	2892	7zG.exe
Token: SeSecurityPrivilege	2892	7zG.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
2892	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 5016	1936	chrome.exe	77
PID 1936 wrote to memory of 5016	1936	chrome.exe	77
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 1408	1936	chrome.exe	78
PID 1936 wrote to memory of 2264	1936	chrome.exe	79
PID 1936 wrote to memory of 2264	1936	chrome.exe	79
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80
PID 1936 wrote to memory of 4400	1936	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1235717850421788722/1235947394470772736/SeroXen.rar?ex=676cb275&is=676b60f5&hm=196ee23fb797b7972d7eef79d4ae0c76cdaa82b260a8ed2629b51d024c404a49&
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd42dbcc40,0x7ffd42dbcc4c,0x7ffd42dbcc58
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,3716956540339917908,15335758768879024116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:1408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2088,i,3716956540339917908,15335758768879024116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,3716956540339917908,15335758768879024116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,3716956540339917908,15335758768879024116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,3716956540339917908,15335758768879024116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4688,i,3716956540339917908,15335758768879024116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4420,i,3716956540339917908,15335758768879024116,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4452

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:772

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SeroXen\" -spe -an -ai#7zMap26756:76:7zEvent395
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2892

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SeroXen\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4324

C:\Users\Admin\Downloads\SeroXen\SeroXen.exe
"C:\Users\Admin\Downloads\SeroXen\SeroXen.exe"
1⤵
- Executes dropped EXE
PID:1424
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2820
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3440
- - C:\Users\Admin\AppData\Roaming\Windows\DLLrunHost.exe
    "C:\Users\Admin\AppData\Roaming\Windows\DLLrunHost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3520
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\DLLrunHost.exe" /rl HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4640
- - C:\Windows\SysWOW64\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "$77svchost.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3948
- C:\Users\Admin\AppData\Local\Temp\SeroXen.exe
  "C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"
  2⤵
  - Executes dropped EXE
  PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d0e65983947c759a0d8452a8c27b6c89

SHA1
37db6ddf800b45f7b8d6466a78c16b767cee2599

SHA256
15f866004f342f4d5fb7d90b81f2c775dc578257ea756c9c017d7dba97b1597f

SHA512
ebada5080936b76e5dcb59b7929689c0667fb9887443408e1e66046076189a044f655c5335122bef4f0d8f79ed7b15727ed6cafbe5abd7a927abdec78630fd00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
cc5864be687974c32a1ea6a75a99ffb2

SHA1
2cd027d16e184c95ef13975dd819495e91850a31

SHA256
b699b3b5704d27d2ad3bb10c7868bc70ab53dd8603ca5a123c16ff82f389dc14

SHA512
0cc0f93cfb14d5302662959586017f49799817172a9bdf1a1b2862d2468d1c785b4cfb56cbeaeedde839a97db13d9e8aae76ae67525b8b9714a7567cff23b8ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
67d0de6a1e8e15f8ac932fcb26efd611

SHA1
331d25d821aef8a1bf886882ed25cc04308af882

SHA256
c257289a0f19f8997e4006aa70c4616ee446cc6563895ecfe29faffaae7fd2ba

SHA512
1a3cf485f6a7505155ac1ecd2486ad098b5d0537f8833cd02177811960093b4e0519d80197e9d7dadfc746e7f27b22e0620c62b416f497f1429f8087c10f1a82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d6a6f5fdb1403a279f4c724d8397b85f

SHA1
7895fd32928aa008ab1ba73df11a94b0de1de21c

SHA256
0cf1bac834b82e50de8fde8f6cdef1457eb5362a94f252aae5124fc0025c6dae

SHA512
2d080b9c7119e5807d54da5014ba75b8e5669d4f9ff40c1e256495de04b2229dd0c6580f1c4369752daacba374b741d1b3ffaf734ff552ccd6a689954c3fcf3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
53c819a9a82a2e193e59ac19fbab4ce5

SHA1
a60fc9bd64c88e202b8872d13f7b79efb07c0f6e

SHA256
09dae187e10ec06dbe1f24908b73a7120e0096d1918abbf4a769e71bc852077b

SHA512
8636aa074ff92557c82828699759c21df1a14930d5ec21ce85ff5b767e9e15baee99e17aa033e29a4d41dbf2c734c8824315acdf8e90cb0413ff22756ac1bbea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a584c2d0f82749c9cc543f82db7c9227

SHA1
a2a08cf7e8cbbf013e9b938d58f80a0dc09467e4

SHA256
a05d9a77682636bae72bf891024bfa530aae84a3552b7ceba626f950dd36d706

SHA512
e101d9adc0911f5caa13aa30d0c95cd8b82bc77d4025fa729ed0bb036024d55cd9cc14a2c24462717c51ac710d664ff74c609177dc3d2092452019236702d929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c62c75e11a82e315b21982de92593e2f

SHA1
b7f8edf7daac5c3343f6d06113bb34a4fa808066

SHA256
5293a962cbf3cedd2eabba0307c739a4330935aca450ccef98f2b8d930cb8ed3

SHA512
5f88926cfe396b42d3f4742483651e32c6ed01c603b5bf45221b66e7d7511993e2ddd304f5fc63c8abaa3f3046fc9deff8df2bcf7cda639e2745e53ed5c88068

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db3f8df623585e02d59230d1f6b0def9

SHA1
2100315f3aff4569555db9af354f8ce6b636339a

SHA256
5d7dac895eb8597fde6c84d7ff129982a95ffb2c2a8d7d60b63600f8c9a7ea52

SHA512
2546f4000336ef71f0763629fdee775b196b52ad218b2bfca3a85e7e37bdadd8c017bdc9aa18492591d9431683bdcaced5aee534074bd869088c0b3b2db12f17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
7fd32a12045d57b5da0d870266da81fe

SHA1
54d080ed69e5504a2c07c0b6d11bd54d35310253

SHA256
33890331ffc9ff3444aff0c711179877facc897f9e4013bcea15b961372f40ce

SHA512
6feea94f14ceb884fb4e15785228955c2ea366996bdae687b45aefbacd41e3bd3e590baa599165a4b688d0beeca5a82668bd58e3909153de45d3966a4b123a4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
cae7701e026d9f6a0a450e83962a8ddc

SHA1
04b979f97f875108d12dc4533cd2e3ba1ba4b170

SHA256
26e6d754f6885cc3f69a58f52ab3fed5f2b2e8be26e066bf791a6ebe015540de

SHA512
2cc4a6504e0afd3afe8359d7207438f3dfcfefdbe400834cd1ee35735a7bb99709089d38ccfd71686d291db4073a4031db98840ffb18e722436c2069e6895e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SeroXen.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SeroXen.exe

Filesize
334KB

MD5
e9a1163f07012ba9cf0eeaa4f4274cb0

SHA1
e67f4264c87ddee54d19f84b2b27d97c65960f90

SHA256
dfa59e4d9561680fcaa24cd8960f3bb2e0ffd26100c1209f51c1be0f2a500508

SHA512
f65b344b3ba17aa64d43a281e8e28cceb4a571d60dee3fadb1be045e319805da4ab301a809770c5e52223b371306be87c6ad75964eeed2948b23043fc14c3310

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
409KB

MD5
1677c3c75bbea5db030f0c63c4ec7251

SHA1
da6cd86d94bc60b725f33c5ffe8c1660969c4202

SHA256
7882c792d198057c3a7b85d28fb02b82e38ddef24628244dced9226d628cf19d

SHA512
96b20269030d5ae4ae85d5a55de5e5802f761856d649f99d98896c12618a8904c4cde837c6934127756c576506569c9bab79086068433e6e8a65c19ed0af3b0d

Download Submit
C:\Users\Admin\Downloads\SeroXen.rar.crdownload

Filesize
6.9MB

MD5
1212840f1d9145925f070f1b2a082e44

SHA1
c449b5199ddf2a495bad0579dc0227546d71b527

SHA256
76cb130f6e30fd4026b2811e5fc4693293f9d706916dfef747853b7ab1e33908

SHA512
32f9735724681f228362956815d6ed1b68eb5c981eb88131f14c455b088f7fd4122dae3a4ed965a7fb9669a74201d4abfb84e3e1c45c541ebf13945d212a000c

Download Submit
C:\Users\Admin\Downloads\SeroXen.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\SeroXen\README.txt

Filesize
2KB

MD5
c510f911b80804edc6af12f4aef602e7

SHA1
201ae250c870d13a61c31bd5b6be84244f2325ba

SHA256
b3ea2c088a91eaf36d87e5ee8baddfc241d4d008c6e0a5724193d7ebdd3c1cb0

SHA512
dccffe3b7e8ba9d1c4cfc325c3288daa4a49fca71ce2b33f90c9dac6f15b10b99429d7b327071842b1bcf0407edd60fa7d8b863d875e102824f2fc41dbafd434

Download Submit
C:\Users\Admin\Downloads\SeroXen\SeroXen.exe

Filesize
497KB

MD5
53bf4700e20cd16810bd8a1f14815314

SHA1
3b521b2a9888c92e76982e2c6e9906c091356aeb

SHA256
56cb8ca9d9bfd24de19a7240bfb30dd3560096ebccc141868e601a8ea314e9e1

SHA512
fff8e0a0d9c7dc01567312bde220952e05f3402939d2e9ac46c61aaf98951710256c14e08ef871dc4e79138f590c67f3044da631662670eb503cefa527e3e188

Download Submit
memory/1424-139-0x0000000000BD0000-0x0000000000C52000-memory.dmp

Filesize
520KB

Download
memory/2820-187-0x0000000005F00000-0x0000000005F92000-memory.dmp

Filesize
584KB

Download
memory/2820-186-0x00000000063B0000-0x0000000006956000-memory.dmp

Filesize
5.6MB

Download
memory/2820-188-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/2820-189-0x0000000006C00000-0x0000000006C12000-memory.dmp

Filesize
72KB

Download
memory/2820-190-0x0000000007030000-0x000000000706C000-memory.dmp

Filesize
240KB

Download
memory/2820-184-0x0000000000DC0000-0x0000000000E2C000-memory.dmp

Filesize
432KB

Download
memory/3520-207-0x0000000005FC0000-0x0000000005FCA000-memory.dmp

Filesize
40KB

Download
memory/4336-185-0x000002E46A5E0000-0x000002E46A61E000-memory.dmp

Filesize
248KB

Download
memory/4336-183-0x000002E469C70000-0x000002E469CAC000-memory.dmp

Filesize
240KB

Download
memory/4336-182-0x000002E467F70000-0x000002E467FC8000-memory.dmp

Filesize
352KB

Download