quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
295s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (101) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral18/memory/2064-1-0x0000000000A00000-0x0000000000A6C000-memory.dmp family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe family_quasar

resource	yara_rule
behavioral18/memory/2064-1-0x0000000000A00000-0x0000000000A6C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1900	Client.exe
724	Client.exe
3668	Client.exe
4384	Client.exe
1128	Client.exe
5092	Client.exe
2468	Client.exe
3760	Client.exe
4116	Client.exe
2060	Client.exe
864	Client.exe
4164	Client.exe
392	Client.exe
1012	Client.exe

Looks up external IP address via web service 14 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 ip-api.com
28 ip-api.com
14 ip-api.com
30 ip-api.com
3 ip-api.com
16 ip-api.com
18 ip-api.com
22 ip-api.com
34 ip-api.com
12 api.ipify.org
24 ip-api.com
32 ip-api.com
36 ip-api.com
20 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
26	ip-api.com
28	ip-api.com
14	ip-api.com
30	ip-api.com
3	ip-api.com
16	ip-api.com
18	ip-api.com
22	ip-api.com
34	ip-api.com
12	api.ipify.org
24	ip-api.com
32	ip-api.com
36	ip-api.com
20	ip-api.com

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1764	1900	WerFault.exe	Client.exe
764	724	WerFault.exe	Client.exe
4668	3668	WerFault.exe	Client.exe
2364	4384	WerFault.exe	Client.exe
4224	1128	WerFault.exe	Client.exe
876	5092	WerFault.exe	Client.exe
4636	2468	WerFault.exe	Client.exe
2264	3760	WerFault.exe	Client.exe
4364	4116	WerFault.exe	Client.exe
876	2060	WerFault.exe	Client.exe
4260	864	WerFault.exe	Client.exe
3344	4164	WerFault.exe	Client.exe
3672	392	WerFault.exe	Client.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4636 PING.EXE
432 PING.EXE
3272 PING.EXE
4532 PING.EXE
2436 PING.EXE
4500 PING.EXE
1796 PING.EXE
2996 PING.EXE
2584 PING.EXE
4256 PING.EXE
448 PING.EXE
680 PING.EXE
1520 PING.EXE

pid	process
4636	PING.EXE
432	PING.EXE
3272	PING.EXE
4532	PING.EXE
2436	PING.EXE
4500	PING.EXE
1796	PING.EXE
2996	PING.EXE
2584	PING.EXE
4256	PING.EXE
448	PING.EXE
680	PING.EXE
1520	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3552	schtasks.exe
4584	schtasks.exe
2692	schtasks.exe
1116	schtasks.exe
4504	schtasks.exe
4072	schtasks.exe
4104	schtasks.exe
5052	SCHTASKS.exe
3952	schtasks.exe
4864	schtasks.exe
3576	schtasks.exe
2596	schtasks.exe
3576	schtasks.exe
1336	schtasks.exe
1580	schtasks.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Uni - Copy (101) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2064	Uni - Copy (101) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	1900	Client.exe
Token: SeDebugPrivilege	724	Client.exe
Token: SeDebugPrivilege	3668	Client.exe
Token: SeDebugPrivilege	4384	Client.exe
Token: SeDebugPrivilege	1128	Client.exe
Token: SeDebugPrivilege	5092	Client.exe
Token: SeDebugPrivilege	2468	Client.exe
Token: SeDebugPrivilege	3760	Client.exe
Token: SeDebugPrivilege	4116	Client.exe
Token: SeDebugPrivilege	2060	Client.exe
Token: SeDebugPrivilege	864	Client.exe
Token: SeDebugPrivilege	4164	Client.exe
Token: SeDebugPrivilege	392	Client.exe
Token: SeDebugPrivilege	1012	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid process

1900 Client.exe
724 Client.exe
3668 Client.exe
4384 Client.exe
1128 Client.exe
5092 Client.exe
2468 Client.exe
3760 Client.exe
4116 Client.exe
2060 Client.exe
864 Client.exe
4164 Client.exe
392 Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (101) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 3552	2064	Uni - Copy (101) - Copy - Copy - Copy.exe	schtasks.exe
PID 2064 wrote to memory of 3552	2064	Uni - Copy (101) - Copy - Copy - Copy.exe	schtasks.exe
PID 2064 wrote to memory of 3552	2064	Uni - Copy (101) - Copy - Copy - Copy.exe	schtasks.exe
PID 2064 wrote to memory of 1900	2064	Uni - Copy (101) - Copy - Copy - Copy.exe	Client.exe
PID 2064 wrote to memory of 1900	2064	Uni - Copy (101) - Copy - Copy - Copy.exe	Client.exe
PID 2064 wrote to memory of 1900	2064	Uni - Copy (101) - Copy - Copy - Copy.exe	Client.exe
PID 2064 wrote to memory of 5052	2064	Uni - Copy (101) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2064 wrote to memory of 5052	2064	Uni - Copy (101) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2064 wrote to memory of 5052	2064	Uni - Copy (101) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1900 wrote to memory of 3952	1900	Client.exe	schtasks.exe
PID 1900 wrote to memory of 3952	1900	Client.exe	schtasks.exe
PID 1900 wrote to memory of 3952	1900	Client.exe	schtasks.exe
PID 1900 wrote to memory of 3132	1900	Client.exe	cmd.exe
PID 1900 wrote to memory of 3132	1900	Client.exe	cmd.exe
PID 1900 wrote to memory of 3132	1900	Client.exe	cmd.exe
PID 3132 wrote to memory of 460	3132	cmd.exe	chcp.com
PID 3132 wrote to memory of 460	3132	cmd.exe	chcp.com
PID 3132 wrote to memory of 460	3132	cmd.exe	chcp.com
PID 3132 wrote to memory of 1520	3132	cmd.exe	PING.EXE
PID 3132 wrote to memory of 1520	3132	cmd.exe	PING.EXE
PID 3132 wrote to memory of 1520	3132	cmd.exe	PING.EXE
PID 3132 wrote to memory of 724	3132	cmd.exe	Client.exe
PID 3132 wrote to memory of 724	3132	cmd.exe	Client.exe
PID 3132 wrote to memory of 724	3132	cmd.exe	Client.exe
PID 724 wrote to memory of 4864	724	Client.exe	schtasks.exe
PID 724 wrote to memory of 4864	724	Client.exe	schtasks.exe
PID 724 wrote to memory of 4864	724	Client.exe	schtasks.exe
PID 724 wrote to memory of 4588	724	Client.exe	cmd.exe
PID 724 wrote to memory of 4588	724	Client.exe	cmd.exe
PID 724 wrote to memory of 4588	724	Client.exe	cmd.exe
PID 4588 wrote to memory of 1080	4588	cmd.exe	chcp.com
PID 4588 wrote to memory of 1080	4588	cmd.exe	chcp.com
PID 4588 wrote to memory of 1080	4588	cmd.exe	chcp.com
PID 4588 wrote to memory of 2436	4588	cmd.exe	PING.EXE
PID 4588 wrote to memory of 2436	4588	cmd.exe	PING.EXE
PID 4588 wrote to memory of 2436	4588	cmd.exe	PING.EXE
PID 4588 wrote to memory of 3668	4588	cmd.exe	Client.exe
PID 4588 wrote to memory of 3668	4588	cmd.exe	Client.exe
PID 4588 wrote to memory of 3668	4588	cmd.exe	Client.exe
PID 3668 wrote to memory of 4504	3668	Client.exe	schtasks.exe
PID 3668 wrote to memory of 4504	3668	Client.exe	schtasks.exe
PID 3668 wrote to memory of 4504	3668	Client.exe	schtasks.exe
PID 3668 wrote to memory of 4488	3668	Client.exe	cmd.exe
PID 3668 wrote to memory of 4488	3668	Client.exe	cmd.exe
PID 3668 wrote to memory of 4488	3668	Client.exe	cmd.exe
PID 4488 wrote to memory of 3312	4488	cmd.exe	chcp.com
PID 4488 wrote to memory of 3312	4488	cmd.exe	chcp.com
PID 4488 wrote to memory of 3312	4488	cmd.exe	chcp.com
PID 4488 wrote to memory of 4636	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 4636	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 4636	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 4384	4488	cmd.exe	Client.exe
PID 4488 wrote to memory of 4384	4488	cmd.exe	Client.exe
PID 4488 wrote to memory of 4384	4488	cmd.exe	Client.exe
PID 4384 wrote to memory of 3576	4384	Client.exe	schtasks.exe
PID 4384 wrote to memory of 3576	4384	Client.exe	schtasks.exe
PID 4384 wrote to memory of 3576	4384	Client.exe	schtasks.exe
PID 4384 wrote to memory of 1492	4384	Client.exe	cmd.exe
PID 4384 wrote to memory of 1492	4384	Client.exe	cmd.exe
PID 4384 wrote to memory of 1492	4384	Client.exe	cmd.exe
PID 1492 wrote to memory of 1320	1492	cmd.exe	chcp.com
PID 1492 wrote to memory of 1320	1492	cmd.exe	chcp.com
PID 1492 wrote to memory of 1320	1492	cmd.exe	chcp.com
PID 1492 wrote to memory of 4256	1492	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MHBXuOZvQ2eJ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:460

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1520

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g6goIyQN8IBW.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1080

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2436

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\efAurChrp0RP.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:3312

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4636

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMRgiEr1kRoH.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:1320

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4256

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y9O3aMvjVI0L.bat" "
11⤵
PID:2072

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1764

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4500

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PzldniTOoZJ7.bat" "
13⤵
PID:4920

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:3196

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1796

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tg1PfjeYkzgz.bat" "
15⤵
PID:1108

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4264

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2996

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6A9CkqsIUkfY.bat" "
17⤵
PID:372

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4416

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:448

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tzi3BSGdHDGQ.bat" "
19⤵
PID:2596

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:1952

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:432

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BznOoUGmDkqn.bat" "
21⤵
PID:1948

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4992

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:3272

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUjvgLfpTJXG.bat" "
23⤵
PID:1704

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:3144

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:680

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lt0qY6ALtROW.bat" "
25⤵
PID:828

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2700

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2584

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:392

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3t5BC9ATqxxt.bat" "
27⤵
PID:3956

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:1776

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4532

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 2236
27⤵
- Program crash
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 1092
25⤵
- Program crash
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 1688
23⤵
- Program crash
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1708
21⤵
- Program crash
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1708
19⤵
- Program crash
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 1092
17⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 1712
15⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1660
13⤵
- Program crash
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 2252
11⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1724
9⤵
- Program crash
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1708
7⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 2180
5⤵
- Program crash
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 2184
3⤵
- Program crash
PID:1764

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1900 -ip 1900
1⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 724 -ip 724
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3668 -ip 3668
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4384 -ip 4384
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1128 -ip 1128
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5092 -ip 5092
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2468 -ip 2468
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3760 -ip 3760
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4116 -ip 4116
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2060 -ip 2060
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 864 -ip 864
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4164 -ip 4164
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 392 -ip 392
1⤵
PID:5008

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3t5BC9ATqxxt.bat
Filesize
207B

MD5
c838820183a3639133b7f5baa5582aca

SHA1
4bd082a6054aef0b11ebe48111e925c2f65dbedf

SHA256
19ad603a509156f2b79403736fc853eae0f488bd63f00013c362aa20777d8063

SHA512
32e1c61b04cd2cc34659422bce587b760d901395d567483747d43144d2e97aa41b9e0227e3fd83981c22c67e8803383eb0836618f7fbb5dd658ef0a88ce9ef27

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A9CkqsIUkfY.bat
Filesize
207B

MD5
b4b534378e59ed8dbf583fff31d18522

SHA1
654590af8afa94d27d9bba79b5ea1dc931eae4a5

SHA256
55a58400264f8ac5806e01deac1357dd4dddf65497952f8651555ddb28ce25b0

SHA512
d607837ed31d57d925d926a1f5617123e22c2735ef437848a4447f6dfd0a388e70cf0bde0878b49d0722e460311ab1ccb39c55c5ccdb9d7131f4afe02cff1f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\BznOoUGmDkqn.bat
Filesize
207B

MD5
770b93ef16b1195e5db2ac4e31ec2f62

SHA1
ecd5546381f683bd4e4ae1e0875509202dc7a03b

SHA256
362b9252890300b933a4baf7b8425b81d3c774c72290dcf034d8df9337823fc4

SHA512
8a0622d5180cd3b5ffba95b5d5dd7acef025c7d6c3afc831ab97a9d12399b3612b61dead146dd5c843a950dd4208c358d0daf0cd6f85da12b3906af3199de798

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lt0qY6ALtROW.bat
Filesize
207B

MD5
ecd150cc61087abfef658b7878786c32

SHA1
78fd5f5ecda88cc9a0bd7aacc9502861e0000393

SHA256
db27238bc43f1312af5cf3327ab45b2ca99fed82638617b248e7820ba60cfd70

SHA512
115eede44cf47f7fb533133eb2091ec4e6c94b4f6cefc55f9e623810d7dc72ca911d2683d152e2698e7749de6ce12d9dad004cd0bde1df195b0f338c0ea95349

Download Submit
C:\Users\Admin\AppData\Local\Temp\MHBXuOZvQ2eJ.bat
Filesize
207B

MD5
2868a1f99561a4cbded5d8850eaa40cb

SHA1
88616dfb2baf9d926b7e6c34f09401ce8899500d

SHA256
f310b2e536f52aa0af2dc05bf81d76ce93ecd3342066e8207b59c24918804d09

SHA512
aef4f815096ac7eb8d6e2ad89cd135150500c822d175dede64837f24170e28eaa0e5caba410c6e11eec046fa528aa4e727201625cb4bc59a8e1d6d56198cf42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PzldniTOoZJ7.bat
Filesize
207B

MD5
49f3a1ab1dd71bc48f7dee18e9d1a110

SHA1
6ae571f42e3530cfa07b4e71cf2e1fdd4ebfffd1

SHA256
e92cb44efec0e54e292f44c4df23bc957db933ca516d375ab4f21556c82cf2fc

SHA512
38716d7e82e60fe345e1ae7c00d3262e6607ee2848cf0f6a0d3f2f0a6c2d6ebe1d0e271c5fce1d4dd538dfd38c9ee1b4d8b4afeda70f874718676f4cd786f6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tg1PfjeYkzgz.bat
Filesize
207B

MD5
4c50901a331204576bbcdc61bd4906a2

SHA1
0adb0d32330958aedf5620e311cb33e344beda0a

SHA256
1023b0ae26e10b8e2447e32e3bb7ab2e9c5760d4331bd770e156861b27c2d988

SHA512
de46aac79003ac2a0fd69357768dd4cc58f407a143b8d48a020c31d2d49cdb1a44f3a73f0adcdca92d7f6a3408c2f6a1bf9949c7f5ff30d1604dc5a81ee28f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tzi3BSGdHDGQ.bat
Filesize
207B

MD5
2a8f8039143e2e9f61efb5535c6d090d

SHA1
87435c6238d348a9a88b2611def991f7db5c51c9

SHA256
3e23a5955d1164cb915f376fa8d4daa9271229b6acd070716f226e4997bba226

SHA512
d5cac5a7341bc5d35b042fefb1177df84b9380fed8526f948f6fd0e991ac50818c22056150fbb67a32596d5a8cb9c70a9bbcb404580e78a1d8f73f90c3d45e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\efAurChrp0RP.bat
Filesize
207B

MD5
990bc5fc9ce11a76cb9859d9216687fc

SHA1
a4277123f48731455dc02412191b43854560efb8

SHA256
8682a47e3641284dce80eeff2814824c595ee9cbe9b68088e423f610f0f32b0c

SHA512
1e29af123863b61d4fe1a8d1181960fc0dc4a1a5bdae57cfa0039027f01ee1c6b96d4ee25ee8804bf98e03c8499e3105fed1fcf01e4968273efdd0c2795fb0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\g6goIyQN8IBW.bat
Filesize
207B

MD5
ba5d87bb139bcf8e8dec635482179d52

SHA1
416d4e1c3a5bda3d5a958457523de083818b1a4e

SHA256
21c2cd081e91246106b98a0ac0efe16db02f1851642e7890b739b629341281eb

SHA512
235d8b9e2dd988d9929b07ffdc569f54d9dc10881659a0d5bf662ff1eb33fe0210438852e5bb0953b287c45ec2d86cf00a6dd81990943bb7d6b4950d32bdd87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMRgiEr1kRoH.bat
Filesize
207B

MD5
aa0df73f0b9fb70bbadff204352470a5

SHA1
a0d0c29479fc97f1b17eba43f609d4d6fa4b2992

SHA256
65fbb10e9a947f7860eef57eec1411f72840ed78f4b6e2d3128b706bf2f03162

SHA512
9863278dbc7c9a143198d8339cc33c0843a22e649cbf1166ed0879ac631fad9560f570dcdc5b45ff7875bc5ac16cb97b8d96f4ad9bbb7e7bf8d059883d78dd9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUjvgLfpTJXG.bat
Filesize
207B

MD5
f2df2a4f6b5cce23c820f5243a7f7f4a

SHA1
4f9697ee4230f13f88d78ff6fa2ba9412bdcead5

SHA256
40f01deff79b74b7d157e3c1caf1a067963bfdc2d1b8211a88cd98c398a0ca26

SHA512
00f597942528cbf8b152ff19505992db9ba21a254729c5242e7fea5e09b9c6b182d0457dcd9b3b241ba9cddebec3574785954b96d1eecbb71fb0d75fb425ec1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9O3aMvjVI0L.bat
Filesize
207B

MD5
3948262d9046de1ea9d126a8533ee249

SHA1
3824abb47a794e5066d93eca2e9a1cdff7dbaa26

SHA256
3d235862de6c6e14011d0b70600eead31fdefcb1cdbf6be3e6caec4c02f2853a

SHA512
1b78c0edeac3c72e0fc704a7dfb18f51634613b092172acc848d81c5ebf0f9b4c86f57bdff29111e9dd63b5d1656f36ffc6a12ca68607e2197a2e1ef659e8036

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-01-2024
Filesize
224B

MD5
3afae255b4babadc4b96a348bc0d3496

SHA1
5086b3db4912a1a1fdf6e2373b2754dacd6e3cd3

SHA256
b1780321beb01041656599de071262d8a75ec51a56e3ee3ebd4729d045516917

SHA512
7f8f886d318a79955fa2466809b860533d1492a705ef45e12cc61dc622388e81f188837720a851dd70cab576a667a4d6d240f35d7670f8075803487c2942bd01

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-01-2024
Filesize
224B

MD5
cc0b974189f84999efb448db58d7ee27

SHA1
798325c93536a5bee36d91a29facec623d8e7292

SHA256
058683efa6eeb5b1279c128b2e66a372aa266296bfd88f19861e521ff535c4c0

SHA512
06ed6a7cb3163e8c8fb58fb24d1b48a0dcb9c46bf6d0c844dcb54ac3c3e9d80c145efb2a1467ea151e6c6ddda48cff9b327eb6932a963efc8c9203edf6d47d7d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-01-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\07-01-2024
Filesize
224B

MD5
b1f786fb38623e800495b8d5891ee630

SHA1
fc044f1248d63a11e5071c0a4ee3ed8087f2d50e

SHA256
0c061c02750c181ce344ad56dd2d170ccc640547c39a8eb1726bb5af0832888e

SHA512
cfd8cbadff06a909e67fba71e272647d58531f1b426f946dcfe945ca0156887d07c448692bc036eb0f9a74c77c67b61f0938c7e8f9bdc713e0bf10e9f743cea1

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1900-19-0x0000000006940000-0x000000000694A000-memory.dmp

Filesize
40KB

Download
memory/1900-17-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/1900-15-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/1900-24-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/2064-8-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/2064-16-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/2064-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2064-7-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/2064-6-0x0000000006290000-0x00000000062A2000-memory.dmp

Filesize
72KB

Download
memory/2064-5-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/2064-4-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/2064-3-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/2064-2-0x0000000005A80000-0x0000000006024000-memory.dmp

Filesize
5.6MB

Download
memory/2064-1-0x0000000000A00000-0x0000000000A6C000-memory.dmp

Filesize
432KB

Download