quasar | 34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40

Analysis

max time kernel
1799s
max time network
1800s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celex.exe
Size

3.1MB
MD5

483d0a45f61e108b7a89c6707e138d62
SHA1

da16e84ef741a6a82038468da5990b25e3bf751c
SHA256

34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40
SHA512

5c6da715cdafda98a37b6eaa455d5c12148b1048f5e038f9482d0f51f5e247cf75ff1c8439d3a75b6f674daa843a8ecd21aab23663b6bdd6bc7bac0fce606492
SSDEEP

49152:Wvxt62XlaSFNWPjljiFa2RoUYIiyTCD8foGdIoTHHB72eh2NT:Wv762XlaSFNWPjljiFXRoUYIiyTCc

Score

10^/10

quasar beamed celex spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Beamed Celex

192.168.2.102:5145

Nixon:5145

Mutex

a9d8efa6-449f-415c-bad7-c7fbd83156d2

Attributes

encryption_key
288C4AC276CDC9ADD45AEABDE642A8A88681F7BB
install_name
Celex.exe
log_directory
Logs
reconnect_delay
1
startup_key
Celex
subdirectory
Celex

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5016-1-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Celex\Celex.exe	family_quasar

Checks computer location settings 2 TTPs 52 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Celex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exeCelex.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Celex.exe

Executes dropped EXE 53 IoCs

Processes:

pid	process
3092	Celex.exe
1888	Celex.exe
2372	Celex.exe
3600	Celex.exe
4844	Celex.exe
2240	Celex.exe
4380	Celex.exe
1832	Celex.exe
4488	Celex.exe
2808	Celex.exe
592	Celex.exe
2724	Celex.exe
1476	Celex.exe
736	Celex.exe
4880	Celex.exe
1336	Celex.exe
3480	Celex.exe
1472	Celex.exe
1604	Celex.exe
4904	Celex.exe
1704	Celex.exe
624	Celex.exe
2792	Celex.exe
4388	Celex.exe
1528	Celex.exe
728	Celex.exe
2756	Celex.exe
1172	Celex.exe
5080	Celex.exe
3340	Celex.exe
824	Celex.exe
1232	Celex.exe
2148	Celex.exe
4744	Celex.exe
668	Celex.exe
3984	Celex.exe
1732	Celex.exe
1920	Celex.exe
4908	Celex.exe
3036	Celex.exe
3524	Celex.exe
2896	Celex.exe
4376	Celex.exe
2116	Celex.exe
2804	Celex.exe
740	Celex.exe
4348	Celex.exe
3580	Celex.exe
4900	Celex.exe
3660	Celex.exe
532	Celex.exe
3748	Celex.exe
1540	Celex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4388	schtasks.exe
3700	schtasks.exe
1088	schtasks.exe
3588	schtasks.exe
3088	schtasks.exe
3360	schtasks.exe
1908	schtasks.exe
5028	schtasks.exe
5016	schtasks.exe
2788	schtasks.exe
3096	schtasks.exe
1576	schtasks.exe
1092	schtasks.exe
4908	schtasks.exe
4364	schtasks.exe
2588	schtasks.exe
4624	schtasks.exe
1004	schtasks.exe
3048	schtasks.exe
3024	schtasks.exe
2864	schtasks.exe
1500	schtasks.exe
4268	schtasks.exe
1232	schtasks.exe
116	schtasks.exe
4636	schtasks.exe
2996	schtasks.exe
4980	schtasks.exe
4636	schtasks.exe
4796	schtasks.exe
4452	schtasks.exe
452	schtasks.exe
1464	schtasks.exe
3132	schtasks.exe
1536	schtasks.exe
3360	schtasks.exe
1492	schtasks.exe
4344	schtasks.exe
2136	schtasks.exe
4352	schtasks.exe
5064	schtasks.exe
1812	schtasks.exe
64	schtasks.exe
5104	schtasks.exe
3084	schtasks.exe
2652	schtasks.exe
2932	schtasks.exe
1580	schtasks.exe
216	schtasks.exe
2644	schtasks.exe
4228	schtasks.exe
2888	schtasks.exe
3956	schtasks.exe
3416	schtasks.exe

Runs ping.exe 1 TTPs 52 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3388	PING.EXE
4268	PING.EXE
4236	PING.EXE
2628	PING.EXE
3384	PING.EXE
3264	PING.EXE
4128	PING.EXE
3280	PING.EXE
880	PING.EXE
1644	PING.EXE
2604	PING.EXE
2868	PING.EXE
3484	PING.EXE
1444	PING.EXE
3784	PING.EXE
1408	PING.EXE
3524	PING.EXE
4640	PING.EXE
3664	PING.EXE
2176	PING.EXE
2600	PING.EXE
3336	PING.EXE
2176	PING.EXE
1364	PING.EXE
3392	PING.EXE
1280	PING.EXE
2572	PING.EXE
2208	PING.EXE
708	PING.EXE
2676	PING.EXE
1684	PING.EXE
4928	PING.EXE
908	PING.EXE
3080	PING.EXE
2312	PING.EXE
4572	PING.EXE
2800	PING.EXE
4992	PING.EXE
1356	PING.EXE
1920	PING.EXE
4896	PING.EXE
1692	PING.EXE
1464	PING.EXE
4392	PING.EXE
4500	PING.EXE
3712	PING.EXE
216	PING.EXE
1828	PING.EXE
4892	PING.EXE
468	PING.EXE
4720	PING.EXE
2228	PING.EXE

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	5016	Celex.exe
Token: SeDebugPrivilege	3092	Celex.exe
Token: SeDebugPrivilege	1888	Celex.exe
Token: SeDebugPrivilege	2372	Celex.exe
Token: SeDebugPrivilege	3600	Celex.exe
Token: SeDebugPrivilege	4844	Celex.exe
Token: SeDebugPrivilege	2240	Celex.exe
Token: SeDebugPrivilege	4380	Celex.exe
Token: SeDebugPrivilege	1832	Celex.exe
Token: SeDebugPrivilege	4488	Celex.exe
Token: SeDebugPrivilege	2808	Celex.exe
Token: SeDebugPrivilege	592	Celex.exe
Token: SeDebugPrivilege	2724	Celex.exe
Token: SeDebugPrivilege	1476	Celex.exe
Token: SeDebugPrivilege	736	Celex.exe
Token: SeDebugPrivilege	4880	Celex.exe
Token: SeDebugPrivilege	1336	Celex.exe
Token: SeDebugPrivilege	3480	Celex.exe
Token: SeDebugPrivilege	1472	Celex.exe
Token: SeDebugPrivilege	1604	Celex.exe
Token: SeDebugPrivilege	4904	Celex.exe
Token: SeDebugPrivilege	1704	Celex.exe
Token: SeDebugPrivilege	624	Celex.exe
Token: SeDebugPrivilege	2792	Celex.exe
Token: SeDebugPrivilege	4388	Celex.exe
Token: SeDebugPrivilege	1528	Celex.exe
Token: SeDebugPrivilege	728	Celex.exe
Token: SeDebugPrivilege	2756	Celex.exe
Token: SeDebugPrivilege	1172	Celex.exe
Token: SeDebugPrivilege	5080	Celex.exe
Token: SeDebugPrivilege	3340	Celex.exe
Token: SeDebugPrivilege	824	Celex.exe
Token: SeDebugPrivilege	1232	Celex.exe
Token: SeDebugPrivilege	2148	Celex.exe
Token: SeDebugPrivilege	4744	Celex.exe
Token: SeDebugPrivilege	668	Celex.exe
Token: SeDebugPrivilege	3984	Celex.exe
Token: SeDebugPrivilege	1732	Celex.exe
Token: SeDebugPrivilege	1920	Celex.exe
Token: SeDebugPrivilege	4908	Celex.exe
Token: SeDebugPrivilege	3036	Celex.exe
Token: SeDebugPrivilege	3524	Celex.exe
Token: SeDebugPrivilege	2896	Celex.exe
Token: SeDebugPrivilege	4376	Celex.exe
Token: SeDebugPrivilege	2116	Celex.exe
Token: SeDebugPrivilege	2804	Celex.exe
Token: SeDebugPrivilege	740	Celex.exe
Token: SeDebugPrivilege	4348	Celex.exe
Token: SeDebugPrivilege	3580	Celex.exe
Token: SeDebugPrivilege	4900	Celex.exe
Token: SeDebugPrivilege	3660	Celex.exe
Token: SeDebugPrivilege	532	Celex.exe
Token: SeDebugPrivilege	3748	Celex.exe
Token: SeDebugPrivilege	1540	Celex.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

pid	process
3092	Celex.exe
1888	Celex.exe
2372	Celex.exe
3600	Celex.exe
4844	Celex.exe
2240	Celex.exe
4380	Celex.exe
1832	Celex.exe
4488	Celex.exe
2808	Celex.exe
592	Celex.exe
2724	Celex.exe
1476	Celex.exe
736	Celex.exe
4880	Celex.exe
1336	Celex.exe
3480	Celex.exe
1472	Celex.exe
1604	Celex.exe
4904	Celex.exe
1704	Celex.exe
624	Celex.exe
2792	Celex.exe
4388	Celex.exe
1528	Celex.exe
728	Celex.exe
2756	Celex.exe
1172	Celex.exe
5080	Celex.exe
3340	Celex.exe
824	Celex.exe
1232	Celex.exe
2148	Celex.exe
4744	Celex.exe
668	Celex.exe
3984	Celex.exe
1732	Celex.exe
1920	Celex.exe
4908	Celex.exe
3036	Celex.exe
3524	Celex.exe
2896	Celex.exe
4376	Celex.exe
2116	Celex.exe
2804	Celex.exe
740	Celex.exe
4348	Celex.exe
3580	Celex.exe
4900	Celex.exe
3660	Celex.exe
532	Celex.exe
3748	Celex.exe
1540	Celex.exe

Suspicious use of SendNotifyMessage 53 IoCs

Processes:

pid	process
3092	Celex.exe
1888	Celex.exe
2372	Celex.exe
3600	Celex.exe
4844	Celex.exe
2240	Celex.exe
4380	Celex.exe
1832	Celex.exe
4488	Celex.exe
2808	Celex.exe
592	Celex.exe
2724	Celex.exe
1476	Celex.exe
736	Celex.exe
4880	Celex.exe
1336	Celex.exe
3480	Celex.exe
1472	Celex.exe
1604	Celex.exe
4904	Celex.exe
1704	Celex.exe
624	Celex.exe
2792	Celex.exe
4388	Celex.exe
1528	Celex.exe
728	Celex.exe
2756	Celex.exe
1172	Celex.exe
5080	Celex.exe
3340	Celex.exe
824	Celex.exe
1232	Celex.exe
2148	Celex.exe
4744	Celex.exe
668	Celex.exe
3984	Celex.exe
1732	Celex.exe
1920	Celex.exe
4908	Celex.exe
3036	Celex.exe
3524	Celex.exe
2896	Celex.exe
4376	Celex.exe
2116	Celex.exe
2804	Celex.exe
740	Celex.exe
4348	Celex.exe
3580	Celex.exe
4900	Celex.exe
3660	Celex.exe
532	Celex.exe
3748	Celex.exe
1540	Celex.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Celex.exeCelex.execmd.exeCelex.execmd.exeCelex.execmd.exeCelex.execmd.exeCelex.execmd.exeCelex.execmd.exe

description	pid	process	target process
PID 5016 wrote to memory of 216	5016	Celex.exe	schtasks.exe
PID 5016 wrote to memory of 216	5016	Celex.exe	schtasks.exe
PID 5016 wrote to memory of 3092	5016	Celex.exe	Celex.exe
PID 5016 wrote to memory of 3092	5016	Celex.exe	Celex.exe
PID 3092 wrote to memory of 64	3092	Celex.exe	schtasks.exe
PID 3092 wrote to memory of 64	3092	Celex.exe	schtasks.exe
PID 3092 wrote to memory of 3080	3092	Celex.exe	cmd.exe
PID 3092 wrote to memory of 3080	3092	Celex.exe	cmd.exe
PID 3080 wrote to memory of 3940	3080	cmd.exe	chcp.com
PID 3080 wrote to memory of 3940	3080	cmd.exe	chcp.com
PID 3080 wrote to memory of 1920	3080	cmd.exe	PING.EXE
PID 3080 wrote to memory of 1920	3080	cmd.exe	PING.EXE
PID 3080 wrote to memory of 1888	3080	cmd.exe	Celex.exe
PID 3080 wrote to memory of 1888	3080	cmd.exe	Celex.exe
PID 1888 wrote to memory of 3132	1888	Celex.exe	schtasks.exe
PID 1888 wrote to memory of 3132	1888	Celex.exe	schtasks.exe
PID 1888 wrote to memory of 3000	1888	Celex.exe	cmd.exe
PID 1888 wrote to memory of 3000	1888	Celex.exe	cmd.exe
PID 3000 wrote to memory of 3052	3000	cmd.exe	chcp.com
PID 3000 wrote to memory of 3052	3000	cmd.exe	chcp.com
PID 3000 wrote to memory of 2604	3000	cmd.exe	PING.EXE
PID 3000 wrote to memory of 2604	3000	cmd.exe	PING.EXE
PID 3000 wrote to memory of 2372	3000	cmd.exe	Celex.exe
PID 3000 wrote to memory of 2372	3000	cmd.exe	Celex.exe
PID 2372 wrote to memory of 3088	2372	Celex.exe	schtasks.exe
PID 2372 wrote to memory of 3088	2372	Celex.exe	schtasks.exe
PID 2372 wrote to memory of 2724	2372	Celex.exe	cmd.exe
PID 2372 wrote to memory of 2724	2372	Celex.exe	cmd.exe
PID 2724 wrote to memory of 2312	2724	cmd.exe	chcp.com
PID 2724 wrote to memory of 2312	2724	cmd.exe	chcp.com
PID 2724 wrote to memory of 1364	2724	cmd.exe	PING.EXE
PID 2724 wrote to memory of 1364	2724	cmd.exe	PING.EXE
PID 2724 wrote to memory of 3600	2724	cmd.exe	Celex.exe
PID 2724 wrote to memory of 3600	2724	cmd.exe	Celex.exe
PID 3600 wrote to memory of 2644	3600	Celex.exe	schtasks.exe
PID 3600 wrote to memory of 2644	3600	Celex.exe	schtasks.exe
PID 3600 wrote to memory of 3776	3600	Celex.exe	cmd.exe
PID 3600 wrote to memory of 3776	3600	Celex.exe	cmd.exe
PID 3776 wrote to memory of 3916	3776	cmd.exe	chcp.com
PID 3776 wrote to memory of 3916	3776	cmd.exe	chcp.com
PID 3776 wrote to memory of 4128	3776	cmd.exe	PING.EXE
PID 3776 wrote to memory of 4128	3776	cmd.exe	PING.EXE
PID 3776 wrote to memory of 4844	3776	cmd.exe	Celex.exe
PID 3776 wrote to memory of 4844	3776	cmd.exe	Celex.exe
PID 4844 wrote to memory of 3956	4844	Celex.exe	schtasks.exe
PID 4844 wrote to memory of 3956	4844	Celex.exe	schtasks.exe
PID 4844 wrote to memory of 4276	4844	Celex.exe	cmd.exe
PID 4844 wrote to memory of 4276	4844	Celex.exe	cmd.exe
PID 4276 wrote to memory of 4624	4276	cmd.exe	chcp.com
PID 4276 wrote to memory of 4624	4276	cmd.exe	chcp.com
PID 4276 wrote to memory of 3392	4276	cmd.exe	PING.EXE
PID 4276 wrote to memory of 3392	4276	cmd.exe	PING.EXE
PID 4276 wrote to memory of 2240	4276	cmd.exe	Celex.exe
PID 4276 wrote to memory of 2240	4276	cmd.exe	Celex.exe
PID 2240 wrote to memory of 5104	2240	Celex.exe	schtasks.exe
PID 2240 wrote to memory of 5104	2240	Celex.exe	schtasks.exe
PID 2240 wrote to memory of 3376	2240	Celex.exe	cmd.exe
PID 2240 wrote to memory of 3376	2240	Celex.exe	cmd.exe
PID 3376 wrote to memory of 3856	3376	cmd.exe	chcp.com
PID 3376 wrote to memory of 3856	3376	cmd.exe	chcp.com
PID 3376 wrote to memory of 468	3376	cmd.exe	PING.EXE
PID 3376 wrote to memory of 468	3376	cmd.exe	PING.EXE
PID 3376 wrote to memory of 4380	3376	cmd.exe	Celex.exe
PID 3376 wrote to memory of 4380	3376	cmd.exe	Celex.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Celex.exe
"C:\Users\Admin\AppData\Local\Temp\Celex.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:216

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2pD8PgU4uFoE.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3940

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1920

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uT8tkBMgXJVV.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3052

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2604

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f9xyajHjF21d.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2312

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1364

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\30oqtRYFz11V.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:3916

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4128

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qj9zovuSevqD.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:4624

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3392

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mZS0eif0PzkR.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:3856

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:468

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4380

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hb048pTU8viV.bat" "
15⤵
PID:1496

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:3000

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:216

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1832

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Krngi2Qy14AF.bat" "
17⤵
PID:1692

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:3088

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2868

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4488

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3jfL4yKgvbXq.bat" "
19⤵
PID:4264

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:3192

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1280

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2808

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCE1GM8IDqqM.bat" "
21⤵
PID:4728

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:1508

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2628

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:592

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ebkNEelodBJM.bat" "
23⤵
PID:532

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:4536

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4896

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2724

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcFVql4Kvldq.bat" "
25⤵
PID:1244

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:2604

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2600

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1476

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sd6SNzaPsBfm.bat" "
27⤵
PID:1816

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:1988

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3336

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:736

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6FHFgSlr0aNb.bat" "
29⤵
PID:3992

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:4680

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3384

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4880

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jto4Tov1FOoB.bat" "
31⤵
PID:3392

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:4144

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:3080

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1336

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9q0bx6DmycN1.bat" "
33⤵
PID:3280

C:\Windows\system32\chcp.com
chcp 65001
34⤵
PID:4484

C:\Windows\system32\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:708

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3480

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lV0GXA5nDPB7.bat" "
35⤵
PID:876

C:\Windows\system32\chcp.com
chcp 65001
36⤵
PID:2196

C:\Windows\system32\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:2312

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1472

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcPiycBcdUKK.bat" "
37⤵
PID:4800

C:\Windows\system32\chcp.com
chcp 65001
38⤵
PID:3032

C:\Windows\system32\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:2676

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1604

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\olowI1h7bTDf.bat" "
39⤵
PID:3096

C:\Windows\system32\chcp.com
chcp 65001
40⤵
PID:3660

C:\Windows\system32\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:3484

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4904

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UrLjQw7PbOtj.bat" "
41⤵
PID:5048

C:\Windows\system32\chcp.com
chcp 65001
42⤵
PID:3436

C:\Windows\system32\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:3784

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1704

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FRqNrAv7ugOo.bat" "
43⤵
PID:5064

C:\Windows\system32\chcp.com
chcp 65001
44⤵
PID:4360

C:\Windows\system32\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:3264

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:624

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sq2LhdisfybH.bat" "
45⤵
PID:1672

C:\Windows\system32\chcp.com
chcp 65001
46⤵
PID:4404

C:\Windows\system32\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:3280

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2792

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2A8GiKSbxVv3.bat" "
47⤵
PID:2156

C:\Windows\system32\chcp.com
chcp 65001
48⤵
PID:3360

C:\Windows\system32\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:1828

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4388

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kCPUzbUs40F9.bat" "
49⤵
PID:1696

C:\Windows\system32\chcp.com
chcp 65001
50⤵
PID:972

C:\Windows\system32\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:4892

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1528

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2xVz43aiR2wC.bat" "
51⤵
PID:1400

C:\Windows\system32\chcp.com
chcp 65001
52⤵
PID:2364

C:\Windows\system32\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:1644

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:728

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EiHdqpdudY8J.bat" "
53⤵
PID:3992

C:\Windows\system32\chcp.com
chcp 65001
54⤵
PID:3624

C:\Windows\system32\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:1692

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2756

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1nb8Cl6VNspv.bat" "
55⤵
PID:1040

C:\Windows\system32\chcp.com
chcp 65001
56⤵
PID:3080

C:\Windows\system32\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:1464

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1172

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
57⤵
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IJAs2HZRWp2O.bat" "
57⤵
PID:3556

C:\Windows\system32\chcp.com
chcp 65001
58⤵
PID:4404

C:\Windows\system32\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:1444

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
58⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5080

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
59⤵
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K4Qbl0rDtpM9.bat" "
59⤵
PID:2448

C:\Windows\system32\chcp.com
chcp 65001
60⤵
PID:4272

C:\Windows\system32\PING.EXE
ping -n 10 localhost
60⤵
- Runs ping.exe
PID:3524

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
60⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3340

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
61⤵
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQBS7C3n1I4d.bat" "
61⤵
PID:908

C:\Windows\system32\chcp.com
chcp 65001
62⤵
PID:2996

C:\Windows\system32\PING.EXE
ping -n 10 localhost
62⤵
- Runs ping.exe
PID:1684

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
62⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:824

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
63⤵
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lmnr070Iz6WG.bat" "
63⤵
PID:2028

C:\Windows\system32\chcp.com
chcp 65001
64⤵
PID:4724

C:\Windows\system32\PING.EXE
ping -n 10 localhost
64⤵
- Runs ping.exe
PID:2572

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
64⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1232

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
65⤵
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c15E9YgaGkHU.bat" "
65⤵
PID:2984

C:\Windows\system32\chcp.com
chcp 65001
66⤵
PID:2380

C:\Windows\system32\PING.EXE
ping -n 10 localhost
66⤵
- Runs ping.exe
PID:4992

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
66⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2148

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
67⤵
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bxK55pFnNdsu.bat" "
67⤵
PID:2420

C:\Windows\system32\chcp.com
chcp 65001
68⤵
PID:1188

C:\Windows\system32\PING.EXE
ping -n 10 localhost
68⤵
- Runs ping.exe
PID:4392

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
68⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4744

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
69⤵
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\odLN7JkjEHoI.bat" "
69⤵
PID:4508

C:\Windows\system32\chcp.com
chcp 65001
70⤵
PID:2524

C:\Windows\system32\PING.EXE
ping -n 10 localhost
70⤵
- Runs ping.exe
PID:4500

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
70⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:668

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
71⤵
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XAmIH8eU8A0K.bat" "
71⤵
PID:4948

C:\Windows\system32\chcp.com
chcp 65001
72⤵
PID:4540

C:\Windows\system32\PING.EXE
ping -n 10 localhost
72⤵
- Runs ping.exe
PID:3388

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
72⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3984

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
73⤵
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rbdh50Bx7kTG.bat" "
73⤵
PID:2568

C:\Windows\system32\chcp.com
chcp 65001
74⤵
PID:3304

C:\Windows\system32\PING.EXE
ping -n 10 localhost
74⤵
- Runs ping.exe
PID:2208

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
74⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1732

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
75⤵
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2dRzzbX3ncCg.bat" "
75⤵
PID:4704

C:\Windows\system32\chcp.com
chcp 65001
76⤵
PID:1640

C:\Windows\system32\PING.EXE
ping -n 10 localhost
76⤵
- Runs ping.exe
PID:4268

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
76⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1920

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
77⤵
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pL6ByhVYEx3Z.bat" "
77⤵
PID:3528

C:\Windows\system32\chcp.com
chcp 65001
78⤵
PID:1400

C:\Windows\system32\PING.EXE
ping -n 10 localhost
78⤵
- Runs ping.exe
PID:1408

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
78⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4908

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
79⤵
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMk9xe0HNYgj.bat" "
79⤵
PID:3784

C:\Windows\system32\chcp.com
chcp 65001
80⤵
PID:556

C:\Windows\system32\PING.EXE
ping -n 10 localhost
80⤵
- Runs ping.exe
PID:4640

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
80⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3036

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
81⤵
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7xtnx4GgEfiN.bat" "
81⤵
PID:4540

C:\Windows\system32\chcp.com
chcp 65001
82⤵
PID:4244

C:\Windows\system32\PING.EXE
ping -n 10 localhost
82⤵
- Runs ping.exe
PID:2176

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
82⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3524

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
83⤵
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9qaiGQLcVPU5.bat" "
83⤵
PID:2156

C:\Windows\system32\chcp.com
chcp 65001
84⤵
PID:440

C:\Windows\system32\PING.EXE
ping -n 10 localhost
84⤵
- Runs ping.exe
PID:908

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
84⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
85⤵
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oojv0npu66S3.bat" "
85⤵
PID:4960

C:\Windows\system32\chcp.com
chcp 65001
86⤵
PID:3132

C:\Windows\system32\PING.EXE
ping -n 10 localhost
86⤵
- Runs ping.exe
PID:4236

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
86⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4376

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
87⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6IumkfB5fIgL.bat" "
87⤵
PID:4368

C:\Windows\system32\chcp.com
chcp 65001
88⤵
PID:3096

C:\Windows\system32\PING.EXE
ping -n 10 localhost
88⤵
- Runs ping.exe
PID:4572

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
88⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2116

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
89⤵
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PjUHOyhAs1sS.bat" "
89⤵
PID:1212

C:\Windows\system32\chcp.com
chcp 65001
90⤵
PID:4144

C:\Windows\system32\PING.EXE
ping -n 10 localhost
90⤵
- Runs ping.exe
PID:4720

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
90⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2804

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
91⤵
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pbtn9GyjJivN.bat" "
91⤵
PID:3288

C:\Windows\system32\chcp.com
chcp 65001
92⤵
PID:3708

C:\Windows\system32\PING.EXE
ping -n 10 localhost
92⤵
- Runs ping.exe
PID:2176

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
92⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:740

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
93⤵
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qXq60KO8iUjM.bat" "
93⤵
PID:2956

C:\Windows\system32\chcp.com
chcp 65001
94⤵
PID:1168

C:\Windows\system32\PING.EXE
ping -n 10 localhost
94⤵
- Runs ping.exe
PID:880

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
94⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4348

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
95⤵
- Creates scheduled task(s)
PID:452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pFUNfyfq9Wuq.bat" "
95⤵
PID:3968

C:\Windows\system32\chcp.com
chcp 65001
96⤵
PID:4120

C:\Windows\system32\PING.EXE
ping -n 10 localhost
96⤵
- Runs ping.exe
PID:4928

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
96⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3580

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
97⤵
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOOEAhfQK4fl.bat" "
97⤵
PID:4236

C:\Windows\system32\chcp.com
chcp 65001
98⤵
PID:4604

C:\Windows\system32\PING.EXE
ping -n 10 localhost
98⤵
- Runs ping.exe
PID:3712

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
98⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4900

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
99⤵
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W19ZcDJXs9LU.bat" "
99⤵
PID:4572

C:\Windows\system32\chcp.com
chcp 65001
100⤵
PID:1912

C:\Windows\system32\PING.EXE
ping -n 10 localhost
100⤵
- Runs ping.exe
PID:3664

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
100⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3660

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
101⤵
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NuoN5DPuD3Ai.bat" "
101⤵
PID:4312

C:\Windows\system32\chcp.com
chcp 65001
102⤵
PID:4012

C:\Windows\system32\PING.EXE
ping -n 10 localhost
102⤵
- Runs ping.exe
PID:2228

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
102⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:532

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
103⤵
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pTwdwunBLlKR.bat" "
103⤵
PID:3000

C:\Windows\system32\chcp.com
chcp 65001
104⤵
PID:2176

C:\Windows\system32\PING.EXE
ping -n 10 localhost
104⤵
- Runs ping.exe
PID:1356

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
104⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3748

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
105⤵
- Creates scheduled task(s)
PID:116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\edozSKPyNb8Y.bat" "
105⤵
PID:3296

C:\Windows\system32\chcp.com
chcp 65001
106⤵
PID:2072

C:\Windows\system32\PING.EXE
ping -n 10 localhost
106⤵
- Runs ping.exe
PID:2800

C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
"C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
106⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1540

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
107⤵
- Creates scheduled task(s)
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Celex.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\1nb8Cl6VNspv.bat
Filesize
205B

MD5
9ca3582f410c90fad1d369d56cf556c5

SHA1
1399be7f86852597104a25f92b514971d081b16a

SHA256
058533da1ee4dfdf5bb342361cf8ec2d79d6512aa59e1c1390f1a47dcee5cd34

SHA512
a2bf62697a24d9dd813bbe2c12cfa29bece1e657c862fa440770ea78d21b78f2bbdd3a4a72ff1f6a9fcb6eb3ac1acc77b6fa75a67dea04567bea0d257e292fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A8GiKSbxVv3.bat
Filesize
205B

MD5
450293081f9e85544e785a93318d2290

SHA1
5768371570fb29606bdf3c2f941d2a9f940cf41e

SHA256
52ed7148362e31d04a98ec0248bafe57274f81fee7d1849efbd383bea6b7c177

SHA512
92fb338836288e50449ea427442315cb70dd952124526f4b4a5032b304229b461af2d4e2316b16cf9db975187f4d8d2a009f8059c6964c68a3d2b18f65afe65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2pD8PgU4uFoE.bat
Filesize
205B

MD5
29519a20b5e665bbf610648916f43a93

SHA1
9a9af42dc1dd00f6b33ff4aeb97d3a31b1a114e8

SHA256
a68ea1917ffdaa31f45c13df99ceb39a99af63a91c43f5067071dae7a9f6fbdb

SHA512
920ced7742c2100a2bba44b2785a14a8d6ad54e68f4e9a8bd695baf05d90b6a0c2bfb5b8c1df20a55e5e7aa9c0af409df35f364f540e669970b4e735a8819b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\2xVz43aiR2wC.bat
Filesize
205B

MD5
e7d1b2cf7d6042374eddd195107c6b91

SHA1
b08bf6d7b2905efc024c0dc6b8a7b07dcc6f525a

SHA256
90a524ef43603a120275371fc29b497027f732351ddda9f146d730f3859453e0

SHA512
dd101f3b00316ab417d94b22e3223db2858a71cba580a259f681a11ecf05dbde05d59112e77055af8a0a402736aed43b918b306f38d1e04af6c63437c798d3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\30oqtRYFz11V.bat
Filesize
205B

MD5
e99fd5a43e9aa938e166de8c946008b7

SHA1
a6b0f10f9a3d04d0d61096574fcd58aed7f298e5

SHA256
3f46949e792e42d38e8a1672a8b29cce830914b563aa25b54662284b15d85651

SHA512
6a7b682d71d03eb3bd500a96bdfef69b2d0ee87f44fd370b994b868ac345afe1e849e3dde52a16167fa9fa834d1367e90f37dbcc43b206029084ab2367a0542b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jfL4yKgvbXq.bat
Filesize
205B

MD5
f9f90f6ad9696b10c388c64c6fd69add

SHA1
0da831f51570465c1b3e01f474f623887f48b3e6

SHA256
e6ae641f68f0cfedd2a01502a53f2063a3a0e0ddba9e2bde9307eef77e1dab4e

SHA512
02aa24b0e9724f6ed4a99c8a350cd85ce9d400b7a95d78aa1828c8306461e1e9fb4732254a32fd44856fc6777fb8ed11988ead799a42c45f17e75b3896e145c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FHFgSlr0aNb.bat
Filesize
205B

MD5
4f65d6331b8e07934a1cd00639ac56df

SHA1
d33093b85ddaad0cecc6f8f4003631ea9cd0a218

SHA256
1b6d91c6b384df1538e11865cfd87be4f76169172702a9c91bcc502c9e0669d6

SHA512
b04cb7a238b099c01cfa2f610f33ec01a06bfa9f4ce707c87511e8c2c3f336e5a51ba07b2aca96381efac4d18a450e0fba2b7d13b7bd377c38c2cbf1264a06b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9q0bx6DmycN1.bat
Filesize
205B

MD5
9d3e1ba080d6b7e0e59e8a053c5498c6

SHA1
0d686d19e3d3cc71824d9a512bbf8200292438e1

SHA256
839745d812ae6cce110076c628e3c6ce685601bf83d13560a7f0858b0c1bc93e

SHA512
ca346dd20f44ad27bb36cdae9c67ed8c60a9c967c3a3bbad3c2c73ce0798398ffd6fe6ee50fc463e523b969fcd62fb8be273f7643c2c1f9e284c11c67f897b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\EiHdqpdudY8J.bat
Filesize
205B

MD5
18a28ae12a013791a35134d12b13498e

SHA1
de738a6303daf6da43ad27455c9603b899cedbfd

SHA256
f9302d4a3eac314056fa72097daef969190f767dec60c5e3f5dfff1439c4985d

SHA512
38126fd0cbd371d67debfeb9d13886a2d9a9fe7816f0aa4fd930a8895e971b13e987430742e4bef3e616ec9211e46078cb67a82e02f3d4b4c8fd5dee745595b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FRqNrAv7ugOo.bat
Filesize
205B

MD5
15e83e351b011c9a786a9c89135d4a48

SHA1
3c3efae0c105ed4025fc41404ac5e8a279843230

SHA256
f5fdff099e26e9754fe07e1ee92a20e99ea769fc49fbb931db3beb779e7e8f01

SHA512
f09e0a97a0f3e43dada30a7835a4192c04342a95fb11881d0cd127779ea4d7ea2e4287f259cd5bb5eb8e581905a4ca6737143cbb00548cbf1044c72d125422c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJAs2HZRWp2O.bat
Filesize
205B

MD5
541162fd8200dd98a07a0e1b98cbb187

SHA1
24ce495c42b214ba15461141be9ee51fe7cf4e77

SHA256
317fefc3fc300b4537104ccb613e77d0ca79f199842d5a0b357baff8917a931a

SHA512
d4f2b5d263c3a8240f00da45ffe9500849f321c58c37e7040f5e8feaa25ca57780d433a4448d38ab621ab8545912b6f2505e13e2010bca49a1a16fc8fabf62be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jto4Tov1FOoB.bat
Filesize
205B

MD5
42bd1a423877d1092e416c2cded700b4

SHA1
f39a81acd95464a3a3744082483f4c32dfd221d5

SHA256
289294b3e009b0d6d7695c830017b2e694fe93466c56c96b6986c79a33025bfe

SHA512
b7a3a14575b8e9e801e42e3e8d95dcdcb91e1d068858a5247a75b7e7059d2c799f2da13bac3f7f5560612dc73ec19610fa85596709cd228ece15431cf1d9ab8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\K4Qbl0rDtpM9.bat
Filesize
205B

MD5
6d430b017c9796d7873eeccb864debc1

SHA1
8f3722e7da1296965c70c386fade7bf288029576

SHA256
c8a5f9f110b0a00f1ca49d80ad6d9b720bdb3949f6562f3117da0cc4a8feac59

SHA512
d479048491e0abd09012aece1a0be5a1ccf8782eba9a3273c3ecab6423a012efaac488284c07adfc9fd8550857ed788d21b6a31891e1c09c64658b01363d8f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Krngi2Qy14AF.bat
Filesize
205B

MD5
136ecd6c859aa305136b2d4ff95bd87c

SHA1
04fbc1d63d2e163f9b17116bc18e8d92f7264f21

SHA256
cb1a2971710ee86e38dec8b1b0c4bab82587560bd06367bdd60d24c51fb4933a

SHA512
f4db92ec3c7f386407a739998bd8f4e517b07229f6f8bf1b4f819dd7a749bdd039a13b83afc5a985bac2c787a29ee2b54689151083c118e3438417bc4a90f845

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lmnr070Iz6WG.bat
Filesize
205B

MD5
b1d41891d360bdc7513b78295a6f652e

SHA1
5c32da4e22a2c5a45fe445ef0348ccdb71bd25d8

SHA256
9e2dd2a00bc05a82c71bf740bb4b4f744f84969e93d5e82b2d1fea45d4a89241

SHA512
3b30329fc85056e5102fd3cab076f071305e1eb9e8c3881e8b598a48cb01cc13b0295140ae14ac208f0fe0383de05e7489cee719cb4da36acd5f99603bd0011c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qj9zovuSevqD.bat
Filesize
205B

MD5
35da6597fcc7bdbbb234f57706215dae

SHA1
e90723cff6343852f50e2186edee4b1659912d4d

SHA256
8f17cbc495f47c2ed40f8b2647b88aeef73c41ebbf61032d2351a1a15306a579

SHA512
b5e05f87e05a0b1e90ae872d583c43c79a2d9bd6601fa344f4e7cea75c91d2fe29cbe43e90fd480f1353b7a43615eb20d311c6f85126d0d108fdb604af0eb9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sd6SNzaPsBfm.bat
Filesize
205B

MD5
94b098ef1d6940dfdd5116ff95b86faa

SHA1
cc63e7ab3a8202191d09fb0bfb1dd1eae8d681c6

SHA256
fb58a9710239aedc54ce3a4a570fb0a75e44b0551fb961585915544eff6555a6

SHA512
e44db6653beccca2c3b4f5c3e939949eddd3dcc944593b4740e18552b6237d1b0f0806e2a42cdc40673565c4a973852a619633fed280fca971baf4c8cb9974fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UrLjQw7PbOtj.bat
Filesize
205B

MD5
513ec1cb418d2ad1f73404b629d0fccf

SHA1
453ef6429bfc8a724bf8b3603f7a44af9340bce3

SHA256
053b35aa4443bd48d546e3f2d38111e4a461a8039e79520bf122caf36fe52ae8

SHA512
39a7208340c044e59dc374771d159f1fa16ccb3c6abb1ea9236dc0d5628e3c9fcb57ab9b806f747e55742f88330df028f079255b577cb846d730dd1bb1a403ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\dQBS7C3n1I4d.bat
Filesize
205B

MD5
32e7913eaf235a890d61af3026a04b03

SHA1
a43110e5c2cdacae1fd0585d75de9c08ab590345

SHA256
d7c6f11ceef3c57ab4a657b0ed30d2deb8633f7668044d206b500fb9d1f99d85

SHA512
080438cdffd79133e3722b83593fac59011e30df583f4179437288aef7e9031b228edb0da982b696ca3e53dfd7f662ffa20f5dfc1eb34eef11c995eb1f4b6bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebkNEelodBJM.bat
Filesize
205B

MD5
56bfdd0ded781aa4cefab31da2515c97

SHA1
e690a77946f9dc14f739df2b4f002f24ab2afe5e

SHA256
9f447cf9cacecf924d62472fe01b8371c2de51596f08aab458dc018edd908c1c

SHA512
758d6d37d3186bd96cc54f5d83867739bfa535687f08c9562447c55352b0ed612c78f5dbb6394de06d0ca5ddd7754bbbb3aa6b7c4bdad309857c3d007afa8708

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9xyajHjF21d.bat
Filesize
205B

MD5
f517984ffe37f322585b559bd60cd753

SHA1
6c8a31f9beff13a8c0e2307bd0794ea875acc105

SHA256
8e1ba826755efb61e766962b050d0643bbbbb296a8829ead31edd5b7078a347d

SHA512
7c6f82f2d4994a6a57d91123bc7ccf16831b584a62a9e842bafab3abef4a38c876edbd5c50ad7e0d14a0af29f089333ee455ce06c0d6fda6eb881bddb8cfaded

Download Submit
C:\Users\Admin\AppData\Local\Temp\hb048pTU8viV.bat
Filesize
205B

MD5
22508aefdd505142c7ce70fff9f33cdf

SHA1
9a6838322c912bc98e313047b6211668182d6738

SHA256
f61bf2f4be11fc5b50b83dfd3912356023717cd611da2b0f9b35da7e09463e8b

SHA512
d0d932fa0f84eb6feb7d17284955dc2c4dbc26fca4d29cf58b4516d725c67c48e7c414e4ad8c662805547ee9ab80e507901aeb31fd7fa1399734578cd1b8a43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hcPiycBcdUKK.bat
Filesize
205B

MD5
cf532b60e44898b9d73c7d4043a4e4ea

SHA1
31cfeabd4864d3e59e2131f4ed962bf82cf01cc1

SHA256
f68e9c95914e72d28469c162ff1132741e7e9315478890775515169420e86383

SHA512
f7b2096698c484e8b143cf8413c92b22d06d6797faf8f183b420a7a040f3b45dcbf16d745a125e945038cfaff07c99734d44cf5655ab3abe28ea0806023afd89

Download Submit
C:\Users\Admin\AppData\Local\Temp\kCPUzbUs40F9.bat
Filesize
205B

MD5
8dc454d94d601206272971fccd645cb9

SHA1
ff1ab91b2fa7f7bff9050150a69c34e1190132d6

SHA256
d9795c4a17b2c70b004d90028bd71910e23bef786037d2823b4b331f61870111

SHA512
168c5ca5ace6982136186e40eddc4f0cd617659992c6687d6cd821a26cb872b45a03cfa9c4cffdd9718db6664d6925311a9e904791bd64134a61170cc7527888

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcFVql4Kvldq.bat
Filesize
205B

MD5
a5477a55bbaf2040270d20f3d4333e08

SHA1
1d771fb7d00e0fd99b4b0361e4a8163d24ceefdb

SHA256
314a03874918c7b0fd226c3597af62ff50fd43e3f1e056d966e27ee6eb48bd43

SHA512
bb0fb4827cbb123b5e29ce29b66397a2c21102275e59cf8653cdb59fb1634f957dcd66bd98e917f5519300611fd8803d556463b0bd50f9418d14ca6d70051ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCE1GM8IDqqM.bat
Filesize
205B

MD5
4ff3073afdddbe75d86db549a16a1409

SHA1
1dd0655cf820a688e93f8967fa429eede5d602a4

SHA256
4433e3c85c062b38e68b05fa5caa78dd6f4e50966a45e1f0666f1a345dfdc889

SHA512
e8ded99a2ccfa386c1861d9c4a001b70cc54fbcaebc84f1e068fd93f30574f7b39935458a2d8252ead5358fbfbd42ee5a71175ed419c05969ca6edfe76812529

Download Submit
C:\Users\Admin\AppData\Local\Temp\lV0GXA5nDPB7.bat
Filesize
205B

MD5
72fb8ef06e9718f31fdd6a38967e796e

SHA1
a45cd6b36f99fa8d70af11ef3b69cb47e4751d89

SHA256
6f7e0083da909ec6a9dd55511dc48c277f99e3ed7eb4c5ff41c85a6b5ee1a9fe

SHA512
d85e3695e205f00daae0853f7883da9808185cb41caf726df1a9597f7fa9018e991c6c5544e79b3ef6d3dc64cb490d49cd9b29d9d5775b5b258d10cb184524d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mZS0eif0PzkR.bat
Filesize
205B

MD5
da463282abb4e654e62c60a90ce9a928

SHA1
de4411eff4c43ab91e317cf40017284d3b008981

SHA256
a61e1c9b6af38a8eadcc651166969d1c1d16101809e9225c9fb9db21be626e9d

SHA512
27e64866b8cc47bfa030b796222047c95b26f270f05c29d99c125502a6dbf34857b949c2270687106ca409490de1f6d2f1076ed1453e742e43d8123754459d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\olowI1h7bTDf.bat
Filesize
205B

MD5
cb07e1fe0c26a6382efdfc8d8cd89508

SHA1
35e3eee2b2278d469895fd8145f7f1267958352c

SHA256
6441c918ec0b606735253e41175914f2c76b06be657721571d37f12b4274fd38

SHA512
dd529726b74bf34bb42825243150bdc5383d7a671ca617910cc65cd4cd1074bc8e51185dd2f2d29aa5049e1cad92f835c5b903f067bec9fde1b0c544a96c229e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sq2LhdisfybH.bat
Filesize
205B

MD5
608cff459723bea09a0eedb85e0eceaa

SHA1
b0bd33c13bf17da5e04d090ee99a9af0ef3aa016

SHA256
0300416fbb78efea4b28da404c8e32f9d08f3da3e02246215aa0ded3f5691dc6

SHA512
d23c6337a626238ebf3be1d83f69c8aa88a5cfb4313b27922494fe26997f44b871e0cba34ff96c6e0caeef90d42346e6c7af5f7a5fbfb98243f9a9b99c2269fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uT8tkBMgXJVV.bat
Filesize
205B

MD5
cf58bbfb68ac2f114cfacab4f80b5b11

SHA1
5ebb51e0280890bcba2e9042b36efc78e765df00

SHA256
fffb109b7a5fb63690dfcc45fde6d3e9a9540e4fa5a9c871d6da5b854bc07982

SHA512
1cfd252e82801be78dbd3144a0aad87ac4a7329ba36486a75fc36624a38cff4238db10bb3ac79744f77f069b4600970b0e78af51400492704c037880cdea8a65

Download Submit
C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
Filesize
3.1MB

MD5
483d0a45f61e108b7a89c6707e138d62

SHA1
da16e84ef741a6a82038468da5990b25e3bf751c

SHA256
34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40

SHA512
5c6da715cdafda98a37b6eaa455d5c12148b1048f5e038f9482d0f51f5e247cf75ff1c8439d3a75b6f674daa843a8ecd21aab23663b6bdd6bc7bac0fce606492

Download Submit
memory/3092-12-0x000000001BF50000-0x000000001BFA0000-memory.dmp

Filesize
320KB

Download
memory/3092-14-0x00007FFCB5940000-0x00007FFCB6401000-memory.dmp

Filesize
10.8MB

Download
memory/3092-13-0x000000001C060000-0x000000001C112000-memory.dmp

Filesize
712KB

Download
memory/3092-11-0x00007FFCB5940000-0x00007FFCB6401000-memory.dmp

Filesize
10.8MB

Download
memory/3092-10-0x00007FFCB5940000-0x00007FFCB6401000-memory.dmp

Filesize
10.8MB

Download
memory/3092-18-0x00007FFCB5940000-0x00007FFCB6401000-memory.dmp

Filesize
10.8MB

Download
memory/5016-0-0x00007FFCB5943000-0x00007FFCB5945000-memory.dmp

Filesize
8KB

Download
memory/5016-9-0x00007FFCB5940000-0x00007FFCB6401000-memory.dmp

Filesize
10.8MB

Download
memory/5016-2-0x00007FFCB5940000-0x00007FFCB6401000-memory.dmp

Filesize
10.8MB

Download
memory/5016-1-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download