quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
598s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (11) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral12/memory/1296-1-0x0000000000040000-0x00000000000AC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 29 IoCs

Processes:

pid	process
5008	Client.exe
4916	Client.exe
1692	Client.exe
848	Client.exe
2876	Client.exe
3408	Client.exe
5092	Client.exe
1120	Client.exe
4964	Client.exe
392	Client.exe
4124	Client.exe
4088	Client.exe
1372	Client.exe
3620	Client.exe
3444	Client.exe
3752	Client.exe
4636	Client.exe
828	Client.exe
3484	Client.exe
1700	Client.exe
4432	Client.exe
4964	Client.exe
916	Client.exe
4700	Client.exe
1648	Client.exe
3020	Client.exe
3408	Client.exe
4784	Client.exe
4960	Client.exe

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
45	ip-api.com
55	ip-api.com
61	ip-api.com
79	ip-api.com
88	ip-api.com
11	api.ipify.org
36	ip-api.com
40	ip-api.com
90	ip-api.com
52	ip-api.com
64	ip-api.com
43	ip-api.com
82	ip-api.com
20	ip-api.com
34	ip-api.com
58	ip-api.com
76	ip-api.com
16	ip-api.com
38	ip-api.com
49	ip-api.com
27	ip-api.com
47	ip-api.com
84	ip-api.com
86	ip-api.com
3	ip-api.com
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 28 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1648	5008	WerFault.exe	Client.exe
1984	4916	WerFault.exe	Client.exe
2176	1692	WerFault.exe	Client.exe
4324	848	WerFault.exe	Client.exe
2868	2876	WerFault.exe	Client.exe
4140	3408	WerFault.exe	Client.exe
3956	5092	WerFault.exe	Client.exe
3972	1120	WerFault.exe	Client.exe
1316	4964	WerFault.exe	Client.exe
884	392	WerFault.exe	Client.exe
1324	4124	WerFault.exe	Client.exe
4724	4088	WerFault.exe	Client.exe
2684	1372	WerFault.exe	Client.exe
3964	3620	WerFault.exe	Client.exe
3808	3444	WerFault.exe	Client.exe
4516	3752	WerFault.exe	Client.exe
3940	4636	WerFault.exe	Client.exe
2864	828	WerFault.exe	Client.exe
3132	3484	WerFault.exe	Client.exe
2388	1700	WerFault.exe	Client.exe
3020	4432	WerFault.exe	Client.exe
3936	4964	WerFault.exe	Client.exe
4556	916	WerFault.exe	Client.exe
2996	4700	WerFault.exe	Client.exe
852	1648	WerFault.exe	Client.exe
436	3020	WerFault.exe	Client.exe
3616	3408	WerFault.exe	Client.exe
4944	4784	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4524	schtasks.exe
1068	schtasks.exe
4260	schtasks.exe
4696	schtasks.exe
404	schtasks.exe
3096	schtasks.exe
984	schtasks.exe
1148	schtasks.exe
2196	schtasks.exe
984	schtasks.exe
4860	schtasks.exe
4128	schtasks.exe
4208	schtasks.exe
4968	schtasks.exe
2124	schtasks.exe
3864	schtasks.exe
2172	schtasks.exe
3608	schtasks.exe
2076	schtasks.exe
5052	schtasks.exe
1832	schtasks.exe
1996	SCHTASKS.exe
3976	schtasks.exe
428	schtasks.exe
1596	schtasks.exe
3440	schtasks.exe
3672	schtasks.exe
1996	schtasks.exe
4960	schtasks.exe
4740	schtasks.exe

Runs ping.exe 1 TTPs 28 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3780	PING.EXE
3196	PING.EXE
1596	PING.EXE
4860	PING.EXE
988	PING.EXE
1388	PING.EXE
4264	PING.EXE
3872	PING.EXE
4208	PING.EXE
4600	PING.EXE
4348	PING.EXE
3244	PING.EXE
3148	PING.EXE
3376	PING.EXE
1860	PING.EXE
2548	PING.EXE
4088	PING.EXE
220	PING.EXE
4848	PING.EXE
3620	PING.EXE
404	PING.EXE
3244	PING.EXE
2076	PING.EXE
916	PING.EXE
4144	PING.EXE
4476	PING.EXE
3544	PING.EXE
3968	PING.EXE

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

Uni - Copy (11) - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1296	Uni - Copy (11) - Copy.exe
Token: SeDebugPrivilege	5008	Client.exe
Token: SeDebugPrivilege	4916	Client.exe
Token: SeDebugPrivilege	1692	Client.exe
Token: SeDebugPrivilege	848	Client.exe
Token: SeDebugPrivilege	2876	Client.exe
Token: SeDebugPrivilege	3408	Client.exe
Token: SeDebugPrivilege	5092	Client.exe
Token: SeDebugPrivilege	1120	Client.exe
Token: SeDebugPrivilege	4964	Client.exe
Token: SeDebugPrivilege	392	Client.exe
Token: SeDebugPrivilege	4124	Client.exe
Token: SeDebugPrivilege	4088	Client.exe
Token: SeDebugPrivilege	1372	Client.exe
Token: SeDebugPrivilege	3620	Client.exe
Token: SeDebugPrivilege	3444	Client.exe
Token: SeDebugPrivilege	3752	Client.exe
Token: SeDebugPrivilege	4636	Client.exe
Token: SeDebugPrivilege	828	Client.exe
Token: SeDebugPrivilege	3484	Client.exe
Token: SeDebugPrivilege	1700	Client.exe
Token: SeDebugPrivilege	4432	Client.exe
Token: SeDebugPrivilege	4964	Client.exe
Token: SeDebugPrivilege	916	Client.exe
Token: SeDebugPrivilege	4700	Client.exe
Token: SeDebugPrivilege	1648	Client.exe
Token: SeDebugPrivilege	3020	Client.exe
Token: SeDebugPrivilege	3408	Client.exe
Token: SeDebugPrivilege	4784	Client.exe
Token: SeDebugPrivilege	4960	Client.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

pid	process
5008	Client.exe
4916	Client.exe
1692	Client.exe
848	Client.exe
2876	Client.exe
3408	Client.exe
5092	Client.exe
1120	Client.exe
4964	Client.exe
392	Client.exe
4124	Client.exe
4088	Client.exe
1372	Client.exe
3620	Client.exe
3444	Client.exe
3752	Client.exe
4636	Client.exe
828	Client.exe
3484	Client.exe
1700	Client.exe
4432	Client.exe
4964	Client.exe
916	Client.exe
4700	Client.exe
1648	Client.exe
3020	Client.exe
3408	Client.exe
4784	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (11) - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1296 wrote to memory of 4128	1296	Uni - Copy (11) - Copy.exe	schtasks.exe
PID 1296 wrote to memory of 4128	1296	Uni - Copy (11) - Copy.exe	schtasks.exe
PID 1296 wrote to memory of 4128	1296	Uni - Copy (11) - Copy.exe	schtasks.exe
PID 1296 wrote to memory of 5008	1296	Uni - Copy (11) - Copy.exe	Client.exe
PID 1296 wrote to memory of 5008	1296	Uni - Copy (11) - Copy.exe	Client.exe
PID 1296 wrote to memory of 5008	1296	Uni - Copy (11) - Copy.exe	Client.exe
PID 1296 wrote to memory of 1996	1296	Uni - Copy (11) - Copy.exe	SCHTASKS.exe
PID 1296 wrote to memory of 1996	1296	Uni - Copy (11) - Copy.exe	SCHTASKS.exe
PID 1296 wrote to memory of 1996	1296	Uni - Copy (11) - Copy.exe	SCHTASKS.exe
PID 5008 wrote to memory of 984	5008	Client.exe	schtasks.exe
PID 5008 wrote to memory of 984	5008	Client.exe	schtasks.exe
PID 5008 wrote to memory of 984	5008	Client.exe	schtasks.exe
PID 5008 wrote to memory of 4972	5008	Client.exe	cmd.exe
PID 5008 wrote to memory of 4972	5008	Client.exe	cmd.exe
PID 5008 wrote to memory of 4972	5008	Client.exe	cmd.exe
PID 4972 wrote to memory of 4596	4972	cmd.exe	chcp.com
PID 4972 wrote to memory of 4596	4972	cmd.exe	chcp.com
PID 4972 wrote to memory of 4596	4972	cmd.exe	chcp.com
PID 4972 wrote to memory of 3544	4972	cmd.exe	PING.EXE
PID 4972 wrote to memory of 3544	4972	cmd.exe	PING.EXE
PID 4972 wrote to memory of 3544	4972	cmd.exe	PING.EXE
PID 4972 wrote to memory of 4916	4972	cmd.exe	Client.exe
PID 4972 wrote to memory of 4916	4972	cmd.exe	Client.exe
PID 4972 wrote to memory of 4916	4972	cmd.exe	Client.exe
PID 4916 wrote to memory of 3976	4916	Client.exe	schtasks.exe
PID 4916 wrote to memory of 3976	4916	Client.exe	schtasks.exe
PID 4916 wrote to memory of 3976	4916	Client.exe	schtasks.exe
PID 4916 wrote to memory of 4964	4916	Client.exe	cmd.exe
PID 4916 wrote to memory of 4964	4916	Client.exe	cmd.exe
PID 4916 wrote to memory of 4964	4916	Client.exe	cmd.exe
PID 4964 wrote to memory of 4336	4964	cmd.exe	chcp.com
PID 4964 wrote to memory of 4336	4964	cmd.exe	chcp.com
PID 4964 wrote to memory of 4336	4964	cmd.exe	chcp.com
PID 4964 wrote to memory of 4600	4964	cmd.exe	PING.EXE
PID 4964 wrote to memory of 4600	4964	cmd.exe	PING.EXE
PID 4964 wrote to memory of 4600	4964	cmd.exe	PING.EXE
PID 4964 wrote to memory of 1692	4964	cmd.exe	Client.exe
PID 4964 wrote to memory of 1692	4964	cmd.exe	Client.exe
PID 4964 wrote to memory of 1692	4964	cmd.exe	Client.exe
PID 1692 wrote to memory of 2076	1692	Client.exe	schtasks.exe
PID 1692 wrote to memory of 2076	1692	Client.exe	schtasks.exe
PID 1692 wrote to memory of 2076	1692	Client.exe	schtasks.exe
PID 1692 wrote to memory of 3504	1692	Client.exe	cmd.exe
PID 1692 wrote to memory of 3504	1692	Client.exe	cmd.exe
PID 1692 wrote to memory of 3504	1692	Client.exe	cmd.exe
PID 3504 wrote to memory of 2560	3504	cmd.exe	chcp.com
PID 3504 wrote to memory of 2560	3504	cmd.exe	chcp.com
PID 3504 wrote to memory of 2560	3504	cmd.exe	chcp.com
PID 3504 wrote to memory of 4848	3504	cmd.exe	PING.EXE
PID 3504 wrote to memory of 4848	3504	cmd.exe	PING.EXE
PID 3504 wrote to memory of 4848	3504	cmd.exe	PING.EXE
PID 3504 wrote to memory of 848	3504	cmd.exe	Client.exe
PID 3504 wrote to memory of 848	3504	cmd.exe	Client.exe
PID 3504 wrote to memory of 848	3504	cmd.exe	Client.exe
PID 848 wrote to memory of 3672	848	Client.exe	schtasks.exe
PID 848 wrote to memory of 3672	848	Client.exe	schtasks.exe
PID 848 wrote to memory of 3672	848	Client.exe	schtasks.exe
PID 848 wrote to memory of 2880	848	Client.exe	cmd.exe
PID 848 wrote to memory of 2880	848	Client.exe	cmd.exe
PID 848 wrote to memory of 2880	848	Client.exe	cmd.exe
PID 2880 wrote to memory of 4972	2880	cmd.exe	chcp.com
PID 2880 wrote to memory of 4972	2880	cmd.exe	chcp.com
PID 2880 wrote to memory of 4972	2880	cmd.exe	chcp.com
PID 2880 wrote to memory of 404	2880	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4128

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wXJjmGGdY3N8.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4596

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3544

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bXLVNIksQNtq.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4336

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4600

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N66KPSLHuMew.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:2560

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4848

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t1HDn76HS31L.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4972

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:404

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3b2rHIkKAvLO.bat" "
11⤵
PID:4380

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1976

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1860

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdjgUq4683JZ.bat" "
13⤵
PID:1844

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4616

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1388

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bhZX15P0VTYW.bat" "
15⤵
PID:4632

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:3812

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4348

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zo8ERyT0oEf0.bat" "
17⤵
PID:4624

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:1640

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:988

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4964

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n6vnWtvds8zA.bat" "
19⤵
PID:4596

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2176

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4860

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:392

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1OiMcoNHw1IJ.bat" "
21⤵
PID:3652

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:2044

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2548

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QiQ1ocNhQSn6.bat" "
23⤵
PID:3336

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4260

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3244

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PtjE7hlT97Z9.bat" "
25⤵
PID:2228

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:4588

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2076

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XbojlT6waLdv.bat" "
27⤵
PID:3852

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3940

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:916

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UiNRCMAxt6kO.bat" "
29⤵
PID:1268

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:4464

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3968

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oW8YqDOzAleN.bat" "
31⤵
PID:3860

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:2060

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:3244

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3752

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2ov7v8qcEfyW.bat" "
33⤵
PID:4188

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:1840

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:4088

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:4208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vPWGn57EKeUC.bat" "
35⤵
PID:3408

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:2460

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:4264

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:828

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buSmfvVHZDBe.bat" "
37⤵
PID:984

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:1488

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:4144

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o8Vqrec9DDpE.bat" "
39⤵
PID:2500

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:5092

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:3780

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1700

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mJo3Aj1vwscI.bat" "
41⤵
PID:5108

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:4128

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:4476

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\67ZAoaFxDXWG.bat" "
43⤵
PID:3608

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:4244

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:3148

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4964

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4mycqqjuXw7Y.bat" "
45⤵
PID:1216

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:3088

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:3196

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:916

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OajjUixwob1W.bat" "
47⤵
PID:2832

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:224

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:1596

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:1832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VIoD8UIPGq5I.bat" "
49⤵
PID:996

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:1184

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:3872

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uv2qauueNR0l.bat" "
51⤵
PID:3200

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:1388

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:4208

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JVpFe61xxdpW.bat" "
53⤵
PID:656

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:1156

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:3620

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WjsIrp8pbdU6.bat" "
55⤵
PID:1228

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:4368

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:220

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
57⤵
- Creates scheduled task(s)
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h0q8A0Q89i6M.bat" "
57⤵
PID:2468

C:\Windows\SysWOW64\chcp.com
chcp 65001
58⤵
PID:932

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:3376

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 2232
57⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2248
55⤵
- Program crash
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 2248
53⤵
- Program crash
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1096
51⤵
- Program crash
PID:852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 2228
49⤵
- Program crash
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 1096
47⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1096
45⤵
- Program crash
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 1708
43⤵
- Program crash
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 2232
41⤵
- Program crash
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1660
39⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 1672
37⤵
- Program crash
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 2248
35⤵
- Program crash
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 1704
33⤵
- Program crash
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 1672
31⤵
- Program crash
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1092
29⤵
- Program crash
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1672
27⤵
- Program crash
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 2220
25⤵
- Program crash
PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1672
23⤵
- Program crash
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 2232
21⤵
- Program crash
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1668
19⤵
- Program crash
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1096
17⤵
- Program crash
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1092
15⤵
- Program crash
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1092
13⤵
- Program crash
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 2200
11⤵
- Program crash
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 1632
9⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1076
7⤵
- Program crash
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1656
5⤵
- Program crash
PID:1984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 2112
3⤵
- Program crash
PID:1648

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4340,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5008 -ip 5008
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4916 -ip 4916
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1692 -ip 1692
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 848 -ip 848
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2876 -ip 2876
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3408 -ip 3408
1⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5092 -ip 5092
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1120 -ip 1120
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4964 -ip 4964
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 392 -ip 392
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4124 -ip 4124
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4088 -ip 4088
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1372 -ip 1372
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3620 -ip 3620
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3444 -ip 3444
1⤵
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3752 -ip 3752
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4636 -ip 4636
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 828 -ip 828
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3484 -ip 3484
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1700 -ip 1700
1⤵
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4644,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4432 -ip 4432
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4964 -ip 4964
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 916 -ip 916
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4700 -ip 4700
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1648 -ip 1648
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3020 -ip 3020
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3408 -ip 3408
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4784 -ip 4784
1⤵
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1OiMcoNHw1IJ.bat
Filesize
207B

MD5
13dc764af096a8ceb47f81b4c502b9d7

SHA1
e61db6cf40dcbd75fc8eb882a268b37be0c58cdd

SHA256
4ae6be149a27a8cb8210f7ceb0b502c806bebeff20763711b960835ac4face24

SHA512
84a844dc69baef62159ccc32ade73f99daf012b9f09c1edc4962c04f3a3b8a46fa29447a7469d5a43cc1d754fc58757acb059379305189cb9cc945a9f8e36015

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ov7v8qcEfyW.bat
Filesize
207B

MD5
4bb5f46fc748da654f01c91b8575ce81

SHA1
9caf4a8c6916614d114aca3d4c902d8cec7aadfe

SHA256
995b75b8a7d9344cd6d58fe41b5e6a89c743cecdc55b261f6ea2925498c8a69f

SHA512
e502a55dba8b4d6067f7fba6b02b0a1dabab9969508f55c624a9b3cd7cdd9be14c6d89e66b1df7617ab22c46da1595a5fabb81bac7c777fa148d432e40502fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b2rHIkKAvLO.bat
Filesize
207B

MD5
8f1049a700dc0a2b02000c75defb4d9d

SHA1
362b75b63b9fc4e475122847cf344aea8f51cdff

SHA256
05c164312f7a0a962c13d846b3c48255630a8faef2a1e12e53c88980b1204a8c

SHA512
baa41455b320d871d421c77ef4c7e5630c81a8e0ee8230a86332be017c53eb43f2a7577c2856080ce490811222f735384d2570004b728a5f7d47af71ad883035

Download Submit
C:\Users\Admin\AppData\Local\Temp\67ZAoaFxDXWG.bat
Filesize
207B

MD5
cb88fcf6929e524c645ed95e660fd5f9

SHA1
d4e158c7d359611643f0acbc9636f86452cb2e9c

SHA256
d0efd755a089c85dd1799a03d569a4561486cca2a70dd3e3bb97d3ca8a736f42

SHA512
b9b407f52606e24a128f340e8b455ea26cc7d4021efddad0f716326e2d5b9e4b460cc376a75a85f830c45ad86638d634cae65b419b65831075656719e988c047

Download Submit
C:\Users\Admin\AppData\Local\Temp\N66KPSLHuMew.bat
Filesize
207B

MD5
a6e1ab0455014b558ab8a6e733f91d7d

SHA1
a14b458824656f8dfebd779c486c979c960ee9ea

SHA256
8ec6332d0f881667d64d3b0c869a0019d5958698f5083120027492f7e04613bd

SHA512
00b09e502dffd4ce3a7cafd9dde1fc89bce8d879d1bd6b9a3d031a4c8685d7f3f0e70cfbffd97b2fe9b9ee3e6c2d30a262dcfcffded9df65f31a44a9634e64c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PtjE7hlT97Z9.bat
Filesize
207B

MD5
15c12e665ee7e5054edaa9247c847889

SHA1
c3cac93007e1f32e073933fcef47b87eb9db3f31

SHA256
61e46350a0ea47990ef0f5d4b8084302636c67081345cade0ca999ee05905370

SHA512
e68a232df7d9c514160894fdd78a57b17874631243333aa9e9bbbde6e832faa840573f21037ece6d2ae6add332d2298b5318c61cc23f4a4090bd16d823cc8033

Download Submit
C:\Users\Admin\AppData\Local\Temp\QiQ1ocNhQSn6.bat
Filesize
207B

MD5
582c9ee87e9632250d20fc9a50d41bc4

SHA1
8d57d49b678bf4d85000ee715387fe0766bc11cc

SHA256
b68cd70853da5acadb6cc9a6a43ff723fe8c3f8bab60b167e986c21efa368b56

SHA512
d4d24ddfad965b550c306fe4a33bda3f0d37f6db0355392dceb52dc89925901f309d3718b3b4c707820dcc2c5964815287e4c62fe0aee4ff74a688ec65b5f89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UiNRCMAxt6kO.bat
Filesize
207B

MD5
8d17a5065c7013bebe33e4455eaaed0f

SHA1
8e0cc82c51c778dc20deba3cc6f4f1e8649e5504

SHA256
d822c4aa3399f33b7aa40e45745decc1faf01f84aff2e4e964d71eed32680467

SHA512
a38f01269db1b79066c710643ea2b29dc77ba7a007f760cf9539aab85a190cb43e83925e13dde532515378e2725bf887b6f48be3f2fd9e7739c104529e931cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XbojlT6waLdv.bat
Filesize
207B

MD5
0990711ff6fa0602d1a811a9a9dab0da

SHA1
21206befeb5f415632de02904a7e8eab0e4c2709

SHA256
44e4116491d36eee37e0f52029287830325cfab04b2a8dfcf8eb22725f07869d

SHA512
dfa473d504043a8b964c2129648d16e3a9e6c165fad6b3565257de198f7d13d0f17f43c327bd67081c71d22462a2a4bf667324feb9afbb0925e93337aa448400

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zo8ERyT0oEf0.bat
Filesize
207B

MD5
dfb1c63d3e3c8daba6f9cf16575f7389

SHA1
53fd3796e1f46c44d57f2af1db41cc3daf2098ea

SHA256
7bada2d493abefe67e682028a692ad7d917bdda5d645d4d0f44b90073bc0a974

SHA512
5bc3df53cefec6b5172d0d53c48835bf94a01badb6b798c65af9fca50d29e673549c45d4f29df176f57ed3ae4ee80645990fbbfbd1dc37b469721a80f3816423

Download Submit
C:\Users\Admin\AppData\Local\Temp\bXLVNIksQNtq.bat
Filesize
207B

MD5
39df20382fa7ddf3f59925a42e65270c

SHA1
6b264e76426e7a313b7801ad9f9f1b42183240fd

SHA256
6df23e97f3e6589c7d474aff7e9f06773f1df2a1e78c1d6d905da2404baba6ad

SHA512
bbcb2c9f0711debc841b51ff2a3aac71d95db44ad1ec370eef1d8eff87e7936991a68d580895134bbe3a489c9405a6eae080941ec861829e5b9865b1c88b511d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhZX15P0VTYW.bat
Filesize
207B

MD5
4f69ef72a2bfb177e3f8cb90655d7d01

SHA1
4bc76849b8e5ccb80b65c6f719f4680208032cc6

SHA256
62b7aaf2d2eafc6e026b5c125c75d8ec446270aedefbcd7d5d51d1d78043f69d

SHA512
2298f8745a8d2dbf8bc81559646ce622d9e2048a1ec2dd6b058a18cf387cf59162edaa986285bb006a357ced7801a824d2488b0ccc3101a8afa207ac918ac821

Download Submit
C:\Users\Admin\AppData\Local\Temp\buSmfvVHZDBe.bat
Filesize
207B

MD5
f301443353893d193b6da8ab47748d94

SHA1
ef17c7771b5f49b054ac4ee40c447e29717ad4ff

SHA256
bcd261491e661b206de9a17e6b0876eca29e553738a947d8f26157a3f7cdecde

SHA512
e4eb12592d14586af58a31fd77effa60a77c0cbc482695d1f84ed4daaa305d1cca950fdade38485b2c359fe6bc7e0bbb7428aee01bca6338d55bb4032bea9d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJo3Aj1vwscI.bat
Filesize
207B

MD5
b927f1f76ab1f1c363cbae1dca7dede9

SHA1
57eef137d31b7c9e25f14479cac6c8adbe06f955

SHA256
439aabdd40251ef203cdef2dd342f990add9cd43202900d01bfdad5f6236e007

SHA512
c909565b9c8eaae22897c2f5c1a51cc2f259aacecedcc3ac0a72c5ceef2511495da7c73ce30d6445eeda7f8510fb622c9903d1ab76dd926c62f3508e75a6fd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\n6vnWtvds8zA.bat
Filesize
207B

MD5
3d44e79363db3f17c32aea5983941804

SHA1
72cbc4dc8687570cb6c45da96706b550452c40ec

SHA256
e2623e8e37445c26f94db71309274e7e992ec873f4355f1a4ed10b80884c409c

SHA512
baaf611ce646ca8d8509fc32071b6ecd5fd82cc20ffd677bea531dd7268739f0bdfd3025eb17c8ca43fe82b3560a5b05bc36e9cfdcee4cacf3ae90f39f6a5196

Download Submit
C:\Users\Admin\AppData\Local\Temp\o8Vqrec9DDpE.bat
Filesize
207B

MD5
ecb2902ba265b8300029113b19403229

SHA1
a8a47e525d03742361f2007d3824d6719bec8a17

SHA256
eeece4839709118acb06b5e638eec9c8d1da26e7838cb8b9589abb1c8f5ce549

SHA512
60220916a986176d516f7f8eaacdfe1b3610c04464bf4bbab50aed98fcefb3d92f2a11366f5006d46872cf1a3ab6aebd92eae70dfafbb2f844cd6181a81f0449

Download Submit
C:\Users\Admin\AppData\Local\Temp\oW8YqDOzAleN.bat
Filesize
207B

MD5
7b66bd365ee43d8c8919e9aa8b808cd8

SHA1
ab72fd105201a342399d384f50cad700012ef57c

SHA256
7e4a7461c79365db2e77d14dc173fd4eb4a1ce8219a84555174e048e551a479c

SHA512
2f21480ea4c93e0c9f3e39646216ce44406370695fc1374db8f2c27e5e154fa82a4c4f181326bb8cff9fc56bfdb17d787fc654c3f3705d4be0087bdf6371f65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdjgUq4683JZ.bat
Filesize
207B

MD5
0b05ab08695ec578bb55132d29dd7741

SHA1
e33e32e8ccff0d7e5a1f5c6ebb58bd0dc4f11630

SHA256
19737821ce681990c69719854d727bf542a5166ef20a22b9d7accd8e30f85fee

SHA512
aa2f46b988e0c87466d8661d9658abe7abde9be2898e471262bca8c67cc4a34f148e19167cc6b810b8efaa68d5ce109b0fc9635270163a52251ba6ff7e1a865a

Download Submit
C:\Users\Admin\AppData\Local\Temp\t1HDn76HS31L.bat
Filesize
207B

MD5
f0ee850342a008627f295ed6c80edfd5

SHA1
dad474b0d78500ac53bb4f716c5b911e9ef3ecb6

SHA256
6f4fba788a437e07d2dd69dcc749c25614e2b1aba4a502a1ba319944d7b05406

SHA512
94e96cac4e77edb2af2808abf400466cf154335a33e37cb748648ba1c7224f78b988b4ec99802beabefe03cd8265ffacb3b3d149524a41d9addaee25dc7a67e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vPWGn57EKeUC.bat
Filesize
207B

MD5
49d52241d744c132167d1324fa08a3e6

SHA1
86b63572710a1372ff3d36eeff2418b3024c2160

SHA256
8492020ff9bdc195955a56015e14cd05ccfa726b54044d8a62c088229f9009e2

SHA512
ec72ff4d5bb70440bcf7f9401815437176c82c4dbbae7fb8ab61c8925b3f605708c67236c0718fcb5dc94985c6e6232ab177b016afaffb863f6d10117d755686

Download Submit
C:\Users\Admin\AppData\Local\Temp\wXJjmGGdY3N8.bat
Filesize
207B

MD5
c7f9e8567737d45fb578ad3a45c2b51e

SHA1
5dd683c13bd551171a288efd2b1323c4094857af

SHA256
0108b6f51350aba320b2928bea91b0bc0f3581f2786913877fc2ba238b415ce4

SHA512
4ce3c13d4f9c791860c88b148bfe388f871f1a20966150fba5aba966377d51666a1131e6f5ea2737e90505c136067147befcaec62c5d37fcb5a93a72907c5ff3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
dc5e5face1bf03bf031d33067ee8e755

SHA1
978ba1cdee2b738073f77d11c7bd2d106998e166

SHA256
5300992fdfe6dd9d376e68a761e4ce78ef08e6fe8ca59da6e8f5e4c0d9eeaf30

SHA512
179101c9f6542d8a97a6921ddd076bee85c976c263b35caa4c53ac5d01003e2c16c46c3d5ab73c0ed073d235b167d03a3375726a4ca3c46efb072f551a10869e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
a8bbd324661fac394fc9cf6e44e3560a

SHA1
ece4b1c6dc4f1faa4b3d8d40c5006e5479d9b38c

SHA256
8208380170dce20065772a98efea511967bbe8d2955533984f54ce6174f68340

SHA512
6bea51baf6d02fe49138300de9db220253216b03650895d3c48a137b2ea20882dc0c6694784e0b173f914b55fec3bb2013805670c5a63c0ad8aa29e2143f7538

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
69d4a406a5778a70975b4d9888a3799d

SHA1
12e92a99c7f970b9731c7a312d237248dcb0ff79

SHA256
629bfdda09a023a4ff9b34017fc8846f9341ccf63982136fb9d6ab72f8da4be3

SHA512
d9021f85bc5f64720fff38ca2e31498e8e6c406caa2e8abd63ceeca7fe3bff9b04f18c903013c2cf9cc9179102161a703d55bde6a4119bb3bb094d10c4f5a6ed

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
68ca7ed6c4fc7efa5177fc91da431a05

SHA1
9ef319032db2771b2e8c859115160e16fd0c46ce

SHA256
e436504fb436237061d6f6c7b1f1d47d6085f9e1c712ebbd461d204814b6a26b

SHA512
f7862d477f7880f1e078c43ed96801a8b24c58d1ba87b43ad0e4fd747a47d257399be0fb2f710b03c990d1d1779ce5af294b10c7c28758140ed9467c3bc519f9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
9adf3c102259ab6b26b31de845589f90

SHA1
a9d2072d36b72ee3a93e59738760d20024560c7c

SHA256
57ae9ff936d956a4302b301bd2e1b581df14d498f871a59b32a687e2fcd515a5

SHA512
396de918c83f72d5917c464425d374607e77c12a0a206d4833b1a60c3c2562c2d81b32fc66f1e5947a3bc673a678f3bbd5ef4c777373a1a1409de70a92b4ad00

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
eb9e97bb2537d22391bced17bb036876

SHA1
4fd315c8d0088483af55d9a936b7f286edc8bb7a

SHA256
4b155148166659069f7b6e6a148337cb9a014857d6c3666b32d2752f8e64037d

SHA512
0885491270c6c1a5e0898c45a25996f93d0059d2722b27c64bae56b2e0391bab78dfde4c1768096c6cabda595685ae81a20e892daf83505004098ca1e50f1a23

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
b36c3484596ba522014362164ecb56ae

SHA1
c5dc90b7cc655497daa7d3eeee7b2362cb16c9e5

SHA256
01ad6cb23689af9678fa742b8da660787e901fb2119b8a029553b3bc782b5773

SHA512
f8457c62ac20068d585cc26a03bcccceb2fe21baa7bd634db5fafbff507475edbb0a9ac0b148146a0e9fd5ea6c2766f48bfd3bc0eae2b2f35d24cf0ee846fa8a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
59623252d23455ed41b0d9dde6ff4b66

SHA1
1867df5ebc06799129b73808dc4e1bcbb5c098b8

SHA256
54aeca978ca20484d7bc0dd0b4b44130ad9fe7f2e15a391900be747ccdf90382

SHA512
c1e7f154f7126398e9068120e23ef102688ec9d11eae52a5b86e7fbb31b279506b330883c67150fd229f4cae8e9b4f13865ec41723b4e58bd0a5885d9127dfb5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
774c523127f45c4ed3e5791e81408be9

SHA1
d319ea097e82e78290dfd615b6303aa9581e72bd

SHA256
48edae334bebd2c6ccab03599f9c30b324f813be086b8a83069b27da1a421664

SHA512
95a8d97a671b09f1f232de3c6ab201e8774a07f7a0288c34411b1a8f62b16b872afe591528cb711d80d512910c9332a20bdefdeb27921354ac5f24e3517e9be3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
68a0c69fc23df5d08088301559d8561b

SHA1
417c80189146b868be3e5ccddf60023bfeae8565

SHA256
642cf3b7f10ea8d26b80b4b4d2878f230483e9799bb69543c997c451ca623d0f

SHA512
b72a1617fff85c081b44462ef675df7c782a83440897e61bf78be581a9244116d3f8898a47a56be166afffb0fdd089bd3bceb4b041f2f9d0fe7bcd5543ee1f0f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1296-6-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/1296-7-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/1296-1-0x0000000000040000-0x00000000000AC000-memory.dmp

Filesize
432KB

Download
memory/1296-2-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/1296-15-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/1296-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/1296-8-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/1296-3-0x0000000004A80000-0x0000000004B12000-memory.dmp

Filesize
584KB

Download
memory/1296-4-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/1296-5-0x0000000004B20000-0x0000000004B86000-memory.dmp

Filesize
408KB

Download
memory/5008-24-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/5008-19-0x0000000006030000-0x000000000603A000-memory.dmp

Filesize
40KB

Download
memory/5008-16-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/5008-17-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download