quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
591s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (11) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral10/memory/1820-1-0x0000000000FF0000-0x000000000105C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 28 IoCs

Processes:

pid	process
3604	Client.exe
4316	Client.exe
4876	Client.exe
4060	Client.exe
1244	Client.exe
3960	Client.exe
4960	Client.exe
1304	Client.exe
4748	Client.exe
2472	Client.exe
1384	Client.exe
2204	Client.exe
1968	Client.exe
5000	Client.exe
3828	Client.exe
4640	Client.exe
1676	Client.exe
2584	Client.exe
3500	Client.exe
4292	Client.exe
3568	Client.exe
4628	Client.exe
2240	Client.exe
4064	Client.exe
3112	Client.exe
2648	Client.exe
4460	Client.exe
3604	Client.exe

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
40	ip-api.com
61	ip-api.com
55	ip-api.com
13	ip-api.com
17	ip-api.com
27	ip-api.com
29	ip-api.com
15	ip-api.com
38	ip-api.com
50	ip-api.com
35	ip-api.com
45	ip-api.com
48	ip-api.com
63	ip-api.com
33	ip-api.com
2	ip-api.com
8	api.ipify.org
21	ip-api.com
57	ip-api.com
59	ip-api.com
19	ip-api.com
23	ip-api.com
25	ip-api.com
53	ip-api.com
31	ip-api.com
43	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 28 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1120	3604	WerFault.exe	Client.exe
1592	4316	WerFault.exe	Client.exe
4604	4876	WerFault.exe	Client.exe
4600	4060	WerFault.exe	Client.exe
2188	1244	WerFault.exe	Client.exe
912	3960	WerFault.exe	Client.exe
524	4960	WerFault.exe	Client.exe
3316	1304	WerFault.exe	Client.exe
3944	4748	WerFault.exe	Client.exe
872	2472	WerFault.exe	Client.exe
4528	1384	WerFault.exe	Client.exe
2760	2204	WerFault.exe	Client.exe
3124	1968	WerFault.exe	Client.exe
4592	5000	WerFault.exe	Client.exe
3832	3828	WerFault.exe	Client.exe
2276	4640	WerFault.exe	Client.exe
1664	1676	WerFault.exe	Client.exe
2344	2584	WerFault.exe	Client.exe
5044	3500	WerFault.exe	Client.exe
1160	4292	WerFault.exe	Client.exe
2356	3568	WerFault.exe	Client.exe
184	4628	WerFault.exe	Client.exe
3576	2240	WerFault.exe	Client.exe
4480	4064	WerFault.exe	Client.exe
2408	3112	WerFault.exe	Client.exe
3676	2648	WerFault.exe	Client.exe
4916	4460	WerFault.exe	Client.exe
864	3604	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4864	schtasks.exe
1136	schtasks.exe
748	schtasks.exe
1692	schtasks.exe
3996	schtasks.exe
2812	schtasks.exe
4584	schtasks.exe
1936	schtasks.exe
2676	schtasks.exe
1716	schtasks.exe
1572	schtasks.exe
1128	schtasks.exe
1988	schtasks.exe
4092	schtasks.exe
2224	schtasks.exe
4136	schtasks.exe
1112	schtasks.exe
4576	schtasks.exe
1212	SCHTASKS.exe
4436	schtasks.exe
4036	schtasks.exe
2708	schtasks.exe
4780	schtasks.exe
4400	schtasks.exe
960	schtasks.exe
4600	schtasks.exe
3280	schtasks.exe
4104	schtasks.exe
4588	schtasks.exe
5016	schtasks.exe

Runs ping.exe 1 TTPs 28 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4472	PING.EXE
3984	PING.EXE
1632	PING.EXE
5000	PING.EXE
4044	PING.EXE
2036	PING.EXE
2036	PING.EXE
3040	PING.EXE
3036	PING.EXE
2324	PING.EXE
2708	PING.EXE
2584	PING.EXE
3616	PING.EXE
1700	PING.EXE
3036	PING.EXE
4148	PING.EXE
4156	PING.EXE
2504	PING.EXE
2408	PING.EXE
3600	PING.EXE
2268	PING.EXE
4944	PING.EXE
4396	PING.EXE
1120	PING.EXE
1948	PING.EXE
1164	PING.EXE
4836	PING.EXE
3324	PING.EXE

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Uni - Copy (11) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1820	Uni - Copy (11) - Copy - Copy.exe
Token: SeDebugPrivilege	3604	Client.exe
Token: SeDebugPrivilege	4316	Client.exe
Token: SeDebugPrivilege	4876	Client.exe
Token: SeDebugPrivilege	4060	Client.exe
Token: SeDebugPrivilege	1244	Client.exe
Token: SeDebugPrivilege	3960	Client.exe
Token: SeDebugPrivilege	4960	Client.exe
Token: SeDebugPrivilege	1304	Client.exe
Token: SeDebugPrivilege	4748	Client.exe
Token: SeDebugPrivilege	2472	Client.exe
Token: SeDebugPrivilege	1384	Client.exe
Token: SeDebugPrivilege	2204	Client.exe
Token: SeDebugPrivilege	1968	Client.exe
Token: SeDebugPrivilege	5000	Client.exe
Token: SeDebugPrivilege	3828	Client.exe
Token: SeDebugPrivilege	4640	Client.exe
Token: SeDebugPrivilege	1676	Client.exe
Token: SeDebugPrivilege	2584	Client.exe
Token: SeDebugPrivilege	3500	Client.exe
Token: SeDebugPrivilege	4292	Client.exe
Token: SeDebugPrivilege	3568	Client.exe
Token: SeDebugPrivilege	4628	Client.exe
Token: SeDebugPrivilege	2240	Client.exe
Token: SeDebugPrivilege	4064	Client.exe
Token: SeDebugPrivilege	3112	Client.exe
Token: SeDebugPrivilege	2648	Client.exe
Token: SeDebugPrivilege	4460	Client.exe
Token: SeDebugPrivilege	3604	Client.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

pid	process
3604	Client.exe
4316	Client.exe
4876	Client.exe
4060	Client.exe
1244	Client.exe
3960	Client.exe
4960	Client.exe
1304	Client.exe
4748	Client.exe
2472	Client.exe
1384	Client.exe
2204	Client.exe
1968	Client.exe
5000	Client.exe
3828	Client.exe
4640	Client.exe
1676	Client.exe
2584	Client.exe
3500	Client.exe
4292	Client.exe
3568	Client.exe
4628	Client.exe
2240	Client.exe
4064	Client.exe
3112	Client.exe
2648	Client.exe
4460	Client.exe
3604	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (11) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1820 wrote to memory of 4584	1820	Uni - Copy (11) - Copy - Copy.exe	schtasks.exe
PID 1820 wrote to memory of 4584	1820	Uni - Copy (11) - Copy - Copy.exe	schtasks.exe
PID 1820 wrote to memory of 4584	1820	Uni - Copy (11) - Copy - Copy.exe	schtasks.exe
PID 1820 wrote to memory of 3604	1820	Uni - Copy (11) - Copy - Copy.exe	Client.exe
PID 1820 wrote to memory of 3604	1820	Uni - Copy (11) - Copy - Copy.exe	Client.exe
PID 1820 wrote to memory of 3604	1820	Uni - Copy (11) - Copy - Copy.exe	Client.exe
PID 1820 wrote to memory of 1212	1820	Uni - Copy (11) - Copy - Copy.exe	SCHTASKS.exe
PID 1820 wrote to memory of 1212	1820	Uni - Copy (11) - Copy - Copy.exe	SCHTASKS.exe
PID 1820 wrote to memory of 1212	1820	Uni - Copy (11) - Copy - Copy.exe	SCHTASKS.exe
PID 3604 wrote to memory of 4780	3604	Client.exe	schtasks.exe
PID 3604 wrote to memory of 4780	3604	Client.exe	schtasks.exe
PID 3604 wrote to memory of 4780	3604	Client.exe	schtasks.exe
PID 3604 wrote to memory of 4540	3604	Client.exe	cmd.exe
PID 3604 wrote to memory of 4540	3604	Client.exe	cmd.exe
PID 3604 wrote to memory of 4540	3604	Client.exe	cmd.exe
PID 4540 wrote to memory of 4600	4540	cmd.exe	chcp.com
PID 4540 wrote to memory of 4600	4540	cmd.exe	chcp.com
PID 4540 wrote to memory of 4600	4540	cmd.exe	chcp.com
PID 4540 wrote to memory of 2708	4540	cmd.exe	PING.EXE
PID 4540 wrote to memory of 2708	4540	cmd.exe	PING.EXE
PID 4540 wrote to memory of 2708	4540	cmd.exe	PING.EXE
PID 4540 wrote to memory of 4316	4540	cmd.exe	Client.exe
PID 4540 wrote to memory of 4316	4540	cmd.exe	Client.exe
PID 4540 wrote to memory of 4316	4540	cmd.exe	Client.exe
PID 4316 wrote to memory of 4436	4316	Client.exe	schtasks.exe
PID 4316 wrote to memory of 4436	4316	Client.exe	schtasks.exe
PID 4316 wrote to memory of 4436	4316	Client.exe	schtasks.exe
PID 4316 wrote to memory of 1596	4316	Client.exe	cmd.exe
PID 4316 wrote to memory of 1596	4316	Client.exe	cmd.exe
PID 4316 wrote to memory of 1596	4316	Client.exe	cmd.exe
PID 1596 wrote to memory of 4552	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 4552	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 4552	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 4396	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 4396	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 4396	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 4876	1596	cmd.exe	Client.exe
PID 1596 wrote to memory of 4876	1596	cmd.exe	Client.exe
PID 1596 wrote to memory of 4876	1596	cmd.exe	Client.exe
PID 4876 wrote to memory of 4400	4876	Client.exe	schtasks.exe
PID 4876 wrote to memory of 4400	4876	Client.exe	schtasks.exe
PID 4876 wrote to memory of 4400	4876	Client.exe	schtasks.exe
PID 4876 wrote to memory of 4380	4876	Client.exe	cmd.exe
PID 4876 wrote to memory of 4380	4876	Client.exe	cmd.exe
PID 4876 wrote to memory of 4380	4876	Client.exe	cmd.exe
PID 4380 wrote to memory of 1988	4380	cmd.exe	chcp.com
PID 4380 wrote to memory of 1988	4380	cmd.exe	chcp.com
PID 4380 wrote to memory of 1988	4380	cmd.exe	chcp.com
PID 4380 wrote to memory of 4472	4380	cmd.exe	PING.EXE
PID 4380 wrote to memory of 4472	4380	cmd.exe	PING.EXE
PID 4380 wrote to memory of 4472	4380	cmd.exe	PING.EXE
PID 4380 wrote to memory of 4060	4380	cmd.exe	Client.exe
PID 4380 wrote to memory of 4060	4380	cmd.exe	Client.exe
PID 4380 wrote to memory of 4060	4380	cmd.exe	Client.exe
PID 4060 wrote to memory of 1936	4060	Client.exe	schtasks.exe
PID 4060 wrote to memory of 1936	4060	Client.exe	schtasks.exe
PID 4060 wrote to memory of 1936	4060	Client.exe	schtasks.exe
PID 4060 wrote to memory of 2432	4060	Client.exe	cmd.exe
PID 4060 wrote to memory of 2432	4060	Client.exe	cmd.exe
PID 4060 wrote to memory of 2432	4060	Client.exe	cmd.exe
PID 2432 wrote to memory of 1652	2432	cmd.exe	chcp.com
PID 2432 wrote to memory of 1652	2432	cmd.exe	chcp.com
PID 2432 wrote to memory of 1652	2432	cmd.exe	chcp.com
PID 2432 wrote to memory of 2036	2432	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4584

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t13DzzvAF4Ff.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4600

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2708

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcbmotgsFrhf.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4552

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4396

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3yDe48LqYA5R.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1988

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4472

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oYxT7IwF29rX.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:1652

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2036

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1244

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCFhHqSiCAk2.bat" "
11⤵
PID:3932

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:772

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3036

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:2224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4m36M2Z1mMZn.bat" "
13⤵
PID:4316

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:828

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2408

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M5ePEiByM3aq.bat" "
15⤵
PID:1404

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:2764

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3984

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1304

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat" "
17⤵
PID:4200

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:676

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2036

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zFEEO6QYVRFN.bat" "
19⤵
PID:2076

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2828

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3040

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vre62msT7ETw.bat" "
21⤵
PID:4552

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:2308

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:3600

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PozcmBAV8PBm.bat" "
23⤵
PID:4572

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4460

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2268

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OzIp5HZHr4xq.bat" "
25⤵
PID:3284

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:4916

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2584

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\emFCwOdzcvAu.bat" "
27⤵
PID:4840

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3668

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3036

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5000

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HiHP9q4DldIs.bat" "
29⤵
PID:4940

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:4988

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4944

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:5016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qdVsaXL6OXkx.bat" "
31⤵
PID:3048

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:892

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:4148

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V4htZBOODClq.bat" "
33⤵
PID:4328

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:1124

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:1120

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zTynRwtudKc6.bat" "
35⤵
PID:3316

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:4380

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:1948

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3AFZIy44Ylyy.bat" "
37⤵
PID:2812

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:2432

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:3616

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:2676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vlqiAuMgekVd.bat" "
39⤵
PID:4880

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:4252

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:5000

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FZbpomZhvPPb.bat" "
41⤵
PID:3156

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:1416

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:1700

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3568

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hlilub8nAstZ.bat" "
43⤵
PID:1468

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:5028

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:4156

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9MKulXQPFsPE.bat" "
45⤵
PID:2960

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:1676

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:1164

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FzfuX7P7GDoQ.bat" "
47⤵
PID:2436

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:4976

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:1632

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gN75c7kIAXym.bat" "
49⤵
PID:1584

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:3548

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:4836

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3112

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RO1A3uvkdrF3.bat" "
51⤵
PID:1880

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:3832

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:4044

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smTL8vGwXBOP.bat" "
53⤵
PID:524

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:4560

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:2504

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DexyfzpjFkyx.bat" "
55⤵
PID:916

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:2400

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:2324

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
57⤵
- Creates scheduled task(s)
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r59zeds24Pzq.bat" "
57⤵
PID:4912

C:\Windows\SysWOW64\chcp.com
chcp 65001
58⤵
PID:3988

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 2248
57⤵
- Program crash
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1712
55⤵
- Program crash
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 1704
53⤵
- Program crash
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 2224
51⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 2220
49⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1076
47⤵
- Program crash
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2248
45⤵
- Program crash
PID:184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1708
43⤵
- Program crash
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1708
41⤵
- Program crash
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 2224
39⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 2240
37⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 2240
35⤵
- Program crash
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1688
33⤵
- Program crash
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1736
31⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 1092
29⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1092
27⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1692
25⤵
- Program crash
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1096
23⤵
- Program crash
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 2228
21⤵
- Program crash
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1712
19⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 2228
17⤵
- Program crash
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 2252
15⤵
- Program crash
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 2236
13⤵
- Program crash
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1648
11⤵
- Program crash
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 2200
9⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1092
7⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1020
5⤵
- Program crash
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 2200
3⤵
- Program crash
PID:1120

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3604 -ip 3604
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4316 -ip 4316
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4876 -ip 4876
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4060 -ip 4060
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1244 -ip 1244
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3960 -ip 3960
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4960 -ip 4960
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1304 -ip 1304
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4748 -ip 4748
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2472 -ip 2472
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1384 -ip 1384
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2204 -ip 2204
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1968 -ip 1968
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5000 -ip 5000
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3828 -ip 3828
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4640 -ip 4640
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1676 -ip 1676
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2584 -ip 2584
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3500 -ip 3500
1⤵
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4292 -ip 4292
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3568 -ip 3568
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4628 -ip 4628
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2240 -ip 2240
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4064 -ip 4064
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3112 -ip 3112
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2648 -ip 2648
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4460 -ip 4460
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3604 -ip 3604
1⤵
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3AFZIy44Ylyy.bat
Filesize
207B

MD5
abb79388ad39f0f5a34df41e53d29583

SHA1
e76c195e2f9eafe2ca28183611537e008710ca48

SHA256
59063634bfaed2d93de52655a83077eb197f98783097ef15b3f9d2d6353f5595

SHA512
615b925855c3c2e912f38b97e484f96a266cae6f60d47737ea8f82694cda34b859e31170ac45188cec89cb0a0c3cdf37f0de17b1df5ed781dbb0e8855eaac555

Download Submit
C:\Users\Admin\AppData\Local\Temp\3yDe48LqYA5R.bat
Filesize
207B

MD5
e834e4a0a112bd4616c039317fc29813

SHA1
3e2d3cd4ece4eb132b2268c486cd219023e08178

SHA256
d9448c070fc333fa3dd8126574f1d721a6e44dbef262fc81443f7202b1a702d6

SHA512
15eb6e7679200ace1147216337d8d4443d00ef338834bd967fc460d58ffd0053e0be563d68fee9489f1ad9fa969788f208cceb73d7491676a4abbd2f518491fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\4m36M2Z1mMZn.bat
Filesize
207B

MD5
efeedd77525e6dc0f8e238fd66b07a24

SHA1
e0ec5533c6386e7a220703b16c196127892c2401

SHA256
d40eff7bd0b737a1abfaeb1923fdb2693cea990d0cc7f756076fb4e152c86c7d

SHA512
cdeb40cf74393ceea073a199bedc288d94deae0ac4ef7c7a580bdf056a1904678065862c3e7420451e38a949877253af2259eef55e988d27a4b07ee825c847ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\FZbpomZhvPPb.bat
Filesize
207B

MD5
ab375664a60ed4220c5a1ee08fa23853

SHA1
3936fe2c2d4b81099f2fed0c910f55685f11f0c0

SHA256
2ade7163e267d4e920081cc7568dfdb9dd95e27be069021adb23d73ff1269b9a

SHA512
f4fd3a42456687994772df29c7c6ec8f3e94545d99ade17862d2971bd4d6669c2104c4a8ebb29b5e90f7a9a0d229978eb844e8212c7988868f93e2263b7ca4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCFhHqSiCAk2.bat
Filesize
207B

MD5
6d09e018e667eefc7bd5a64b37a30580

SHA1
c21d1d3c883617c80301e2de71e83f0eaa8612a0

SHA256
e53cf16ae5aae848ff111df60ee4bd8a311825fc85a9b4f307257af5d247c4c7

SHA512
fc4fa3bc4b126bffbc336f9448f25ba7dee298023ef9bafd1d3253e92fd0f4bdcce274ce400073f171e381b5ff0d2be5182275c815f70738fde1a806da68da71

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiHP9q4DldIs.bat
Filesize
207B

MD5
b9143203b7a94e70059c4650d7b961ff

SHA1
2b1828515498e4c1aa0712cc9c338f694d5ed287

SHA256
cc14604273eccba273ada750ffa27efe4e446173f11a5bb30eb1cadb54b0f9c0

SHA512
67f4d6197e9d85b604c9886e52c6e9689ee5b4918617ba349bdc055156a6555862c33c76a293cb347919de3dc6f92f2dd41b75505111be7e63e82d2ea4d6aa86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hlilub8nAstZ.bat
Filesize
207B

MD5
49a929be6d01a71c95420526e383a239

SHA1
57b15788fb714ca950d675e22de0691419c99346

SHA256
44883eb735cb305f055a9a55aed3a3dc45d6b649f4283eefff23d7837c8ca9ea

SHA512
1b6e75a75865bc8502204c35b0860a585d1c7fa8305942cf65fe841571035f2e1fe03ab5b6520fb2ce607c254e4e97483b4e8276612db7456517579e23b7782e

Download Submit
C:\Users\Admin\AppData\Local\Temp\M5ePEiByM3aq.bat
Filesize
207B

MD5
4e4c6309618f709e031d456241fd89d2

SHA1
eee1bf97af82ad8d85d8aa1af4db7eb87bf8e510

SHA256
91402e6e4354ebd916c155001c6513cc6cba41378686114c8be36abe7026a982

SHA512
75870d14ebf603f17de287bda2a8addfae2ec963b18ad7ca7205eb65dc0b0a6c317d10c3399e1bfde66fe5a7e28264294d2be246070f837f7e88635626eea444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat
Filesize
207B

MD5
fca918401b9f049ba5b5d4539bbb417f

SHA1
2cdeb9d54acc29a51a98f4bc859673c5ec786879

SHA256
684e02e766fa1f723388f802c7f5a15df9258467c5abcab7a483457f681220ad

SHA512
29acf29a6cccda64ce38f2d6dab7697d765cc14306c46e54e2f79f1a12f7def33d7fc192c12a684e1619872334adab6e93840c5b05e6a66279e65138a1b829e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OzIp5HZHr4xq.bat
Filesize
207B

MD5
5af9c3c41e8ff492d6967f90a3429727

SHA1
7ebf7cb9d8e57f1475fad7793eee917cbc90a7e3

SHA256
817c34dee11e6406da886c6658cf33c5eac072027584f28407cdbcabc5b27455

SHA512
8575c3ac705e409c6a3fc0a2156b3cdae9d55c04f09354991ff1829b9f52b85c85806ebf47de20cfe4dfe74bee261c652fef0a8915bf93f7b400c90e0169e06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PozcmBAV8PBm.bat
Filesize
207B

MD5
e64dc0d308f49c9746a53536f216d484

SHA1
a979f38bae858aac53fced9d2668f9ca49b2f226

SHA256
877209995443d0994fd92680a97ada36901446db9da8ce7635ea4733be9fa5a5

SHA512
c53f6d0cd860a59cec32b5128973b7ac6b78c231c8897101574b9409e460097a5fefbe412d91f3ef4693805fa13b5f516aab5caf8154c2acb4db29b56f5f8907

Download Submit
C:\Users\Admin\AppData\Local\Temp\V4htZBOODClq.bat
Filesize
207B

MD5
6306f88530c2bcc5355f19de5bfc8a0e

SHA1
e9ceb1b3159ec84b4d47128ed6409d1e6e16f9b9

SHA256
e4182c7d1cc063320e2e610a3bc03abbb5c901fe50ee45a846eb764972e71512

SHA512
ec2ab80a3902e32b2e50b3c8013439f1b9bd10a9e7ad38eb5aa9d324d974fd2bf57c1d6ba0df43043de1d5e952c030421d3f3a2d42a2671d947cd64db37a1b20

Download Submit
C:\Users\Admin\AppData\Local\Temp\emFCwOdzcvAu.bat
Filesize
207B

MD5
dc657d0e12fa97a9bd389305984727ff

SHA1
d9c29791a8a95e870480565f3f84b1dc5e166ea2

SHA256
629b973c02c0137e70e63c98216ceab6a40a4fdb8337e3aa14dee8e67f7f06dc

SHA512
14d25ea8b5c5b0cef6125eb8647035d133f59c9dde73520103623f305219256e7bd3a176ebbafdf6f3ccd3d71ad3b9aa30e9e5828531ff47e6d7bca1a42a6ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcbmotgsFrhf.bat
Filesize
207B

MD5
0ef6e6deff68a032928ba6748adb85e9

SHA1
be822e4060644b3d9cf39d01603798b4d937dc6b

SHA256
d37efaf5e3c9165b94b5e50de5e18c2f7fb3e277a08a951037c7e180412a4b71

SHA512
2b4f6270c4643b9db1321dd72bbc4a66466b66f982f6850e0d4e2648b6af4200113370d0efcbff0388da93c399ba069af723c0d31978c6e9d538733d4730ce0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYxT7IwF29rX.bat
Filesize
207B

MD5
c5fc4891488e0462a6233c335b537efb

SHA1
b54f22b65639211187c25df76e6ac999fc57e8aa

SHA256
3f69f79ebb97bb35b80648357675d44a6982ef7ca8056193134cfefe2058e71c

SHA512
aa85efba16c0615209cd0215c02ffcbd1172019f506a602aedd6962521565a1f5b995f452acb9854620dd1d9544bb55eee6788513747c9cc7f9e726d0bc4af4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdVsaXL6OXkx.bat
Filesize
207B

MD5
0d1ab47590f02eda93302a5d49102fe1

SHA1
f022bea6f3e8ca06a62b9cef16ef3eef1e6807f8

SHA256
ae94f8017f6a2616f668baf1c46b0cc6f1f8ea13c648e78d9bfab66b480d1144

SHA512
e417afb7f802122e175f8d841f6f786bcf5f4250ece6d89a6246558ccd1b3eae1898d3cca17b1fe9f9b37f75f2b64afefe9924d2ebc10e07ad9052f636c85a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\t13DzzvAF4Ff.bat
Filesize
207B

MD5
29c5603a7d30cf7dd4322e5fdd5c21af

SHA1
2bb92c03243452d614118a05f9292fb7e5f02865

SHA256
bb2c135044430d9aa28d02f977b7e4ccfdbdee990c739bc793d6fe16b6dcd979

SHA512
cbfc1157d013f120d6eb6459a593b87c0bef6963f60ce209d929083bcb4cac49e340a7b9b6bb6c4a3d086e5f84aa102abe49b1ab44e029703718919ec2e110fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlqiAuMgekVd.bat
Filesize
207B

MD5
35bd1f23e9d160e6e6bc7d46065b2738

SHA1
048aa85a77ed0b11b2b827d9b72b6dbe0ed605ea

SHA256
3b6952074332f0ce29d11d031172493542bc14e4fa29829447456e33af235e01

SHA512
8fe3613990257f5ed2158042240704abdc8756635a03b3ccb02c7cea657193604c39ea4b32a7a8ff3d26f70fe938923beaab3de5d1e0362f244ac8b1fc710123

Download Submit
C:\Users\Admin\AppData\Local\Temp\vre62msT7ETw.bat
Filesize
207B

MD5
2c4e01469abcda3d2f8be3c975b2c1b1

SHA1
dbac3b3509e562b4482cce37a88e58696827fc1f

SHA256
e45116ddad3bb62cd63281107448497f08ddbe244758d17786023a73a1eea6bb

SHA512
f729237e0192c32d03e57810540e9735db2dc1cd77ec34581f7f82b57950db5e9ec26af228a49bb902e05caf7746811c28e1edd3a9976b6ecf5f0df4814fe872

Download Submit
C:\Users\Admin\AppData\Local\Temp\zFEEO6QYVRFN.bat
Filesize
207B

MD5
8a1864eb27efc2adc9cb8385c1a5aa59

SHA1
086d5c385874d69d61efd52f12e982014b4e554f

SHA256
b85d2a8714c8e0692720a3fb888e2b9b7bae647167977489808d821c403fcc08

SHA512
ee545f5cfd56ea8efd79973631e48f933eab7d26281d25dbef6164d78c98486ef089ab355353d6a211b35f81b0c74ef9bce200f0d7ff8114b0b09811ea26cf2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zTynRwtudKc6.bat
Filesize
207B

MD5
4a63a7b087ed3ea15718b44f8f8475e2

SHA1
2ebda307786dce19fb19bbf9c6214a0e2ef5c753

SHA256
9f0eca872ae9980301fd4c1d3269859085fac871fc392b3887559d3e4226f784

SHA512
0f75e46bdc7845c9ee85a056cb9729421e7ae1099f472dc33c12ff56940a0660213f8ff7bcedf6f38c7918b2607388b34e64d28eb105b2138e0c3b1ebcba7538

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
3a7047bd951b00ab9ba6b39a254caebf

SHA1
eeadbb7f4396e5fa78b9225099598e218343a50c

SHA256
d4cb9bb0b85f4356a2d90183c442417b32c00d7c7353ed535aec3afbfd2be9ff

SHA512
7f1ee761724c41398777b878bd8334433079a35c69b00278ff48fb934e45ae009ab6b951b4d1631b1c8a9c9ce7ab739434720e59d44d1178d8c9ac86be0c5ea4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
c4566ab89d31392e169628fb8a987849

SHA1
b007fec9df9021233be72d64444c9b25afe34496

SHA256
b65407b4595fb697e5a38c7e79c542fa420bc720845333634f1aa08ba419e409

SHA512
54ef09441e472cdfb7a520d52d57dfbee113786783e432eb349286181becf04fe4d30808b343a7286d7735e9910cbde98320fc03d27720d6296a5f227492a034

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
321870357b60a07522d740f19e27eccd

SHA1
76d98f5287370996167811da5fcc7c66b65718f4

SHA256
77ea09e17fd694e7a9ca34bdf6846345279061e1f542818097a9b9bcf504de6a

SHA512
f46b869b7211c99cd9680bf9051766ac4142a1c45bf3f884b48a57ae770ff8cd1fce11c8b4411a1f93209dc23a0e0baf7d6cea24a6ccb110022857c2c5562a22

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
c596a1eab6332042a1d9da06b1b06628

SHA1
f98b118ec4fef947f1c7b9f84a8890191a11afe1

SHA256
461a716b8327911d9c9059c4befe4dcd544e933092e5139e7955afb140b91ebc

SHA512
137d3631bbc5ec1cdf164d4d5827f36182a8ecd026928723b344ff473cd1f49c228109cdb6581fbb884bd2e7ed2f7a240ef5e2cde20ee5d4cec841e62a78ef8c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
5d9e080fb1138db67ed322023e1269c8

SHA1
a7bcc37301c71b2de902f17cb52d8f6e8df4d4a7

SHA256
a2741e53b851ed3744981cbf74cff1a01e499b96f2057e2f83e84cbf21bbac38

SHA512
681fe5829bcf07771a2f415d6dd07b02043395c5a19cff112eba812e5d790797bd114f94bbdf933d397cd16067b7b9461ef4a6a5194da5b357d808b037d9b454

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1820-4-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1820-0-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/1820-7-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/1820-6-0x0000000006790000-0x00000000067A2000-memory.dmp

Filesize
72KB

Download
memory/1820-5-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/1820-1-0x0000000000FF0000-0x000000000105C000-memory.dmp

Filesize
432KB

Download
memory/1820-2-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/1820-8-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/1820-3-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/1820-16-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/3604-14-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/3604-17-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/3604-24-0x0000000074770000-0x0000000074F20000-memory.dmp

Filesize
7.7MB

Download
memory/3604-19-0x0000000006550000-0x000000000655A000-memory.dmp

Filesize
40KB

Download