quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
600s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (12) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral16/memory/4032-1-0x0000000000420000-0x000000000048C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 29 IoCs

Processes:

pid	process
3768	Client.exe
8	Client.exe
3656	Client.exe
2364	Client.exe
3584	Client.exe
908	Client.exe
656	Client.exe
3404	Client.exe
3516	Client.exe
5096	Client.exe
4488	Client.exe
1032	Client.exe
1096	Client.exe
3088	Client.exe
3552	Client.exe
4924	Client.exe
2816	Client.exe
1080	Client.exe
2976	Client.exe
5016	Client.exe
4236	Client.exe
2532	Client.exe
1396	Client.exe
1824	Client.exe
3684	Client.exe
4072	Client.exe
4136	Client.exe
2992	Client.exe
1900	Client.exe

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
13	ip-api.com
15	ip-api.com
29	ip-api.com
49	ip-api.com
23	ip-api.com
25	ip-api.com
47	ip-api.com
62	ip-api.com
27	ip-api.com
58	ip-api.com
41	ip-api.com
56	ip-api.com
9	api.ipify.org
38	ip-api.com
43	ip-api.com
52	ip-api.com
21	ip-api.com
33	ip-api.com
35	ip-api.com
2	ip-api.com
45	ip-api.com
54	ip-api.com
60	ip-api.com
17	ip-api.com
19	ip-api.com
31	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 28 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4660	3768	WerFault.exe	Client.exe
3416	8	WerFault.exe	Client.exe
4292	3656	WerFault.exe	Client.exe
2164	2364	WerFault.exe	Client.exe
2708	3584	WerFault.exe	Client.exe
3416	908	WerFault.exe	Client.exe
4340	656	WerFault.exe	Client.exe
2084	3404	WerFault.exe	Client.exe
1228	3516	WerFault.exe	Client.exe
2016	5096	WerFault.exe	Client.exe
4892	4488	WerFault.exe	Client.exe
2364	1032	WerFault.exe	Client.exe
4684	1096	WerFault.exe	Client.exe
1652	3088	WerFault.exe	Client.exe
1508	3552	WerFault.exe	Client.exe
2688	4924	WerFault.exe	Client.exe
3920	2816	WerFault.exe	Client.exe
3548	1080	WerFault.exe	Client.exe
2500	2976	WerFault.exe	Client.exe
1508	5016	WerFault.exe	Client.exe
2480	4236	WerFault.exe	Client.exe
2088	2532	WerFault.exe	Client.exe
952	1396	WerFault.exe	Client.exe
5072	1824	WerFault.exe	Client.exe
1432	3684	WerFault.exe	Client.exe
1500	4072	WerFault.exe	Client.exe
3856	4136	WerFault.exe	Client.exe
4912	2992	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2236	schtasks.exe
3988	schtasks.exe
1016	schtasks.exe
4284	schtasks.exe
4128	schtasks.exe
3320	schtasks.exe
2988	schtasks.exe
2616	schtasks.exe
4440	schtasks.exe
4232	schtasks.exe
2424	schtasks.exe
4860	schtasks.exe
3572	schtasks.exe
4500	schtasks.exe
4884	schtasks.exe
2704	SCHTASKS.exe
840	schtasks.exe
2572	schtasks.exe
4432	schtasks.exe
3896	schtasks.exe
388	schtasks.exe
3180	schtasks.exe
3592	schtasks.exe
5036	schtasks.exe
3336	schtasks.exe
1084	schtasks.exe
3584	schtasks.exe
1292	schtasks.exe
4676	schtasks.exe
5000	schtasks.exe

Runs ping.exe 1 TTPs 28 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
5028	PING.EXE
4496	PING.EXE
4032	PING.EXE
4448	PING.EXE
2028	PING.EXE
1460	PING.EXE
5000	PING.EXE
1116	PING.EXE
1180	PING.EXE
4464	PING.EXE
2164	PING.EXE
3304	PING.EXE
2928	PING.EXE
908	PING.EXE
5024	PING.EXE
5112	PING.EXE
528	PING.EXE
2400	PING.EXE
2312	PING.EXE
4112	PING.EXE
2912	PING.EXE
2248	PING.EXE
1032	PING.EXE
2388	PING.EXE
1252	PING.EXE
2380	PING.EXE
3960	PING.EXE
4056	PING.EXE

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Uni - Copy (12) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4032	Uni - Copy (12) - Copy - Copy.exe
Token: SeDebugPrivilege	3768	Client.exe
Token: SeDebugPrivilege	8	Client.exe
Token: SeDebugPrivilege	3656	Client.exe
Token: SeDebugPrivilege	2364	Client.exe
Token: SeDebugPrivilege	3584	Client.exe
Token: SeDebugPrivilege	908	Client.exe
Token: SeDebugPrivilege	656	Client.exe
Token: SeDebugPrivilege	3404	Client.exe
Token: SeDebugPrivilege	3516	Client.exe
Token: SeDebugPrivilege	5096	Client.exe
Token: SeDebugPrivilege	4488	Client.exe
Token: SeDebugPrivilege	1032	Client.exe
Token: SeDebugPrivilege	1096	Client.exe
Token: SeDebugPrivilege	3088	Client.exe
Token: SeDebugPrivilege	3552	Client.exe
Token: SeDebugPrivilege	4924	Client.exe
Token: SeDebugPrivilege	2816	Client.exe
Token: SeDebugPrivilege	1080	Client.exe
Token: SeDebugPrivilege	2976	Client.exe
Token: SeDebugPrivilege	5016	Client.exe
Token: SeDebugPrivilege	4236	Client.exe
Token: SeDebugPrivilege	2532	Client.exe
Token: SeDebugPrivilege	1396	Client.exe
Token: SeDebugPrivilege	1824	Client.exe
Token: SeDebugPrivilege	3684	Client.exe
Token: SeDebugPrivilege	4072	Client.exe
Token: SeDebugPrivilege	4136	Client.exe
Token: SeDebugPrivilege	2992	Client.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

pid	process
3768	Client.exe
8	Client.exe
3656	Client.exe
2364	Client.exe
3584	Client.exe
908	Client.exe
656	Client.exe
3404	Client.exe
3516	Client.exe
5096	Client.exe
4488	Client.exe
1032	Client.exe
1096	Client.exe
3088	Client.exe
3552	Client.exe
4924	Client.exe
2816	Client.exe
1080	Client.exe
2976	Client.exe
5016	Client.exe
4236	Client.exe
2532	Client.exe
1396	Client.exe
1824	Client.exe
3684	Client.exe
4072	Client.exe
4136	Client.exe
2992	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (12) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4032 wrote to memory of 2236	4032	Uni - Copy (12) - Copy - Copy.exe	schtasks.exe
PID 4032 wrote to memory of 2236	4032	Uni - Copy (12) - Copy - Copy.exe	schtasks.exe
PID 4032 wrote to memory of 2236	4032	Uni - Copy (12) - Copy - Copy.exe	schtasks.exe
PID 4032 wrote to memory of 3768	4032	Uni - Copy (12) - Copy - Copy.exe	Client.exe
PID 4032 wrote to memory of 3768	4032	Uni - Copy (12) - Copy - Copy.exe	Client.exe
PID 4032 wrote to memory of 3768	4032	Uni - Copy (12) - Copy - Copy.exe	Client.exe
PID 4032 wrote to memory of 2704	4032	Uni - Copy (12) - Copy - Copy.exe	SCHTASKS.exe
PID 4032 wrote to memory of 2704	4032	Uni - Copy (12) - Copy - Copy.exe	SCHTASKS.exe
PID 4032 wrote to memory of 2704	4032	Uni - Copy (12) - Copy - Copy.exe	SCHTASKS.exe
PID 3768 wrote to memory of 3320	3768	Client.exe	schtasks.exe
PID 3768 wrote to memory of 3320	3768	Client.exe	schtasks.exe
PID 3768 wrote to memory of 3320	3768	Client.exe	schtasks.exe
PID 3768 wrote to memory of 1020	3768	Client.exe	cmd.exe
PID 3768 wrote to memory of 1020	3768	Client.exe	cmd.exe
PID 3768 wrote to memory of 1020	3768	Client.exe	cmd.exe
PID 1020 wrote to memory of 1888	1020	cmd.exe	chcp.com
PID 1020 wrote to memory of 1888	1020	cmd.exe	chcp.com
PID 1020 wrote to memory of 1888	1020	cmd.exe	chcp.com
PID 1020 wrote to memory of 5112	1020	cmd.exe	PING.EXE
PID 1020 wrote to memory of 5112	1020	cmd.exe	PING.EXE
PID 1020 wrote to memory of 5112	1020	cmd.exe	PING.EXE
PID 1020 wrote to memory of 8	1020	cmd.exe	Client.exe
PID 1020 wrote to memory of 8	1020	cmd.exe	Client.exe
PID 1020 wrote to memory of 8	1020	cmd.exe	Client.exe
PID 8 wrote to memory of 4432	8	Client.exe	schtasks.exe
PID 8 wrote to memory of 4432	8	Client.exe	schtasks.exe
PID 8 wrote to memory of 4432	8	Client.exe	schtasks.exe
PID 8 wrote to memory of 3232	8	Client.exe	cmd.exe
PID 8 wrote to memory of 3232	8	Client.exe	cmd.exe
PID 8 wrote to memory of 3232	8	Client.exe	cmd.exe
PID 3232 wrote to memory of 1420	3232	cmd.exe	chcp.com
PID 3232 wrote to memory of 1420	3232	cmd.exe	chcp.com
PID 3232 wrote to memory of 1420	3232	cmd.exe	chcp.com
PID 3232 wrote to memory of 5000	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 5000	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 5000	3232	cmd.exe	PING.EXE
PID 3232 wrote to memory of 3656	3232	cmd.exe	Client.exe
PID 3232 wrote to memory of 3656	3232	cmd.exe	Client.exe
PID 3232 wrote to memory of 3656	3232	cmd.exe	Client.exe
PID 3656 wrote to memory of 2988	3656	Client.exe	schtasks.exe
PID 3656 wrote to memory of 2988	3656	Client.exe	schtasks.exe
PID 3656 wrote to memory of 2988	3656	Client.exe	schtasks.exe
PID 3656 wrote to memory of 3100	3656	Client.exe	cmd.exe
PID 3656 wrote to memory of 3100	3656	Client.exe	cmd.exe
PID 3656 wrote to memory of 3100	3656	Client.exe	cmd.exe
PID 3100 wrote to memory of 4876	3100	cmd.exe	chcp.com
PID 3100 wrote to memory of 4876	3100	cmd.exe	chcp.com
PID 3100 wrote to memory of 4876	3100	cmd.exe	chcp.com
PID 3100 wrote to memory of 3304	3100	cmd.exe	PING.EXE
PID 3100 wrote to memory of 3304	3100	cmd.exe	PING.EXE
PID 3100 wrote to memory of 3304	3100	cmd.exe	PING.EXE
PID 3100 wrote to memory of 2364	3100	cmd.exe	Client.exe
PID 3100 wrote to memory of 2364	3100	cmd.exe	Client.exe
PID 3100 wrote to memory of 2364	3100	cmd.exe	Client.exe
PID 2364 wrote to memory of 4232	2364	Client.exe	schtasks.exe
PID 2364 wrote to memory of 4232	2364	Client.exe	schtasks.exe
PID 2364 wrote to memory of 4232	2364	Client.exe	schtasks.exe
PID 2364 wrote to memory of 3776	2364	Client.exe	cmd.exe
PID 2364 wrote to memory of 3776	2364	Client.exe	cmd.exe
PID 2364 wrote to memory of 3776	2364	Client.exe	cmd.exe
PID 3776 wrote to memory of 2520	3776	cmd.exe	chcp.com
PID 3776 wrote to memory of 2520	3776	cmd.exe	chcp.com
PID 3776 wrote to memory of 2520	3776	cmd.exe	chcp.com
PID 3776 wrote to memory of 3960	3776	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2236

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WuSRnSuTxKYj.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1888

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:5112

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fz3S3QunkMQu.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1420

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:5000

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bIiYDCOK9Zq1.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4876

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3304

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoXbAuoGjTdR.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2520

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3960

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iw3XzmN2AuFD.bat" "
11⤵
PID:1776

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4920

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4032

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:908

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5lcNQOlNxNq6.bat" "
13⤵
PID:1892

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:376

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2400

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:656

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1N2G44CJYB4f.bat" "
15⤵
PID:5024

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:3080

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2928

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KBmNiwQLpqyd.bat" "
17⤵
PID:5012

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3508

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4448

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3516

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q5C6MtXvwwio.bat" "
19⤵
PID:1908

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:4796

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2312

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5NzfRozY1p1x.bat" "
21⤵
PID:3332

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4988

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:908

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JfmEXjRC5jL7.bat" "
23⤵
PID:4440

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:1568

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2028

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NM3zOlcM09iz.bat" "
25⤵
PID:3988

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:3164

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:528

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mglfbZcmUaCl.bat" "
27⤵
PID:612

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:1900

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1180

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3088

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D4EqgaxyOuL7.bat" "
29⤵
PID:4032

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:3748

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4112

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3552

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hTUkYKSTo2CO.bat" "
31⤵
PID:3952

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:940

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:1460

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4924

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAlWQMddkSZF.bat" "
33⤵
PID:4508

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:4284

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:4464

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zSY5VH5HoMsP.bat" "
35⤵
PID:244

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:1720

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:1032

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1080

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:3336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qq0GaIQSig2l.bat" "
37⤵
PID:4388

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:2736

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:5028

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z2FZ0GN1qszR.bat" "
39⤵
PID:4796

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:3136

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:4496

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:4884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JZzqfrvOcFNo.bat" "
41⤵
PID:3800

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:512

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:2912

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rPTnDMrWpF9J.bat" "
43⤵
PID:4064

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:4560

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:1116

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HnvyINCijZIf.bat" "
45⤵
PID:3096

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:1936

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:5024

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uH3lNTQSTKIE.bat" "
47⤵
PID:2568

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:1184

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:4056

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amzIFKpWitzh.bat" "
49⤵
PID:2020

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:3560

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:2388

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:4860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ARTKKAhdD83.bat" "
51⤵
PID:3880

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:512

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:1252

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W4rCyHHHjJsE.bat" "
53⤵
PID:3636

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:1624

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:2380

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSJN3IcTed2a.bat" "
55⤵
PID:3692

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:428

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:2248

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
57⤵
- Creates scheduled task(s)
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gW9FZYyN03HX.bat" "
57⤵
PID:4396

C:\Windows\SysWOW64\chcp.com
chcp 65001
58⤵
PID:3932

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:2164

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
58⤵
- Executes dropped EXE
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 1660
57⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2232
55⤵
- Program crash
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 2236
53⤵
- Program crash
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 1704
51⤵
- Program crash
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 1092
49⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1688
47⤵
- Program crash
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1708
45⤵
- Program crash
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 2232
43⤵
- Program crash
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1680
41⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1096
39⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 2252
37⤵
- Program crash
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1696
35⤵
- Program crash
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1096
33⤵
- Program crash
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 2232
31⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 1088
29⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 2236
27⤵
- Program crash
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 2228
25⤵
- Program crash
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1732
23⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1672
21⤵
- Program crash
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 1092
19⤵
- Program crash
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1092
17⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 1708
15⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1088
13⤵
- Program crash
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1088
11⤵
- Program crash
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 2200
9⤵
- Program crash
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 2196
7⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 2196
5⤵
- Program crash
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1916
3⤵
- Program crash
PID:4660

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3768 -ip 3768
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 8 -ip 8
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3656 -ip 3656
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2364 -ip 2364
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3584 -ip 3584
1⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 908 -ip 908
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 656 -ip 656
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3404 -ip 3404
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3516 -ip 3516
1⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5096 -ip 5096
1⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4488 -ip 4488
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1032 -ip 1032
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1096 -ip 1096
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3088 -ip 3088
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3552 -ip 3552
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4924 -ip 4924
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2816 -ip 2816
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1080 -ip 1080
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2976 -ip 2976
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5016 -ip 5016
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4236 -ip 4236
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2532 -ip 2532
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1396 -ip 1396
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1824 -ip 1824
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3684 -ip 3684
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4072 -ip 4072
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4136 -ip 4136
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2992 -ip 2992
1⤵
PID:1088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1N2G44CJYB4f.bat
Filesize
207B

MD5
976cea1769c22a9167363f08e5e26018

SHA1
5c75ef7411ea85df83f107410a830d03fb3b6acb

SHA256
dbd52e2cd9ff0d0e41173cfe08abb2e1ca12d44f72670d370e04ba29c3f6db76

SHA512
3a78f63e2c8f73d34bf718cab41e040b53944ee051ce5e6c768d26aea2502e51e9ac66fbd7fa5969e78122587d9aa04a0a5904ca62c55a83da8da660018b2b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\5NzfRozY1p1x.bat
Filesize
207B

MD5
c92ac013eac2f9e5866d75664a93f985

SHA1
5caafed24097046676690dac3e28090da82b6f03

SHA256
c861dbde1370094975163b75789e84c595bdf15c00730997525c4192c4412fa0

SHA512
be7c76b900e6b5808f497e80297ff905662b19b323e4f6ac2285306b058d3577bbf305fa8d99bfad97bf6c9e0d7190bc4b5766a0546f291b5f50eae922356f96

Download Submit
C:\Users\Admin\AppData\Local\Temp\5lcNQOlNxNq6.bat
Filesize
207B

MD5
deccdbebed176188afbe8a4cc97455e1

SHA1
3c5ebedd0c214023f6386f46b15d130d0fcf76d0

SHA256
adc395d0d2ca45eb4186c0e934a13bda7184eec70d62b0264d8bf849790ed5ed

SHA512
abdf45f2d2a4a31a954728e42df4bc8b648c8565028d7e641649d467b7dc288d896090089ec223c4065c2ab8399c9d719e082aa37926209dec0bcad4512cc31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4EqgaxyOuL7.bat
Filesize
207B

MD5
f7ad7e35518cf3b838fb7e3ab6419119

SHA1
1e4587744863210c556a4b6516815c9b81e11f78

SHA256
bedbdbc23bdc18c9ce480809b3ab9aa2cf88119f9bb0083327098a46e9bfcf23

SHA512
865d1afade0102b0fe34a6e47efe3ba4bd5cd2d81e4a1848b9faaf9cf43cfb3fa1c3296d1e42d7bd130b6d8f1e0d4bfd1af5da0b11916dcd04bb1a6aace103a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fz3S3QunkMQu.bat
Filesize
207B

MD5
385f5b1049597314e39a0f826fc94f0e

SHA1
1d9effc1b9861d65cf3013442c23eb76eb8751d9

SHA256
0aef9e32bbeb5f4b49934338b930fd2996cde3306c249422771f42a584839c52

SHA512
a9c4215ac6be503854c850d5286dc33b8dd92ae09fe99f5465918266512927ed1a0181546bd90a6f93eedc306237de95cef4e1cd997743b8ae2aef4ecd3236fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\JZzqfrvOcFNo.bat
Filesize
207B

MD5
531be0303164b8b3dd8bc34190ae395d

SHA1
9d957799c85559cfd9a023a8e7a55b422fcba06b

SHA256
2effbd5fcc75bf6466b46a23bbc27f9e8d81c06f78195a5b6bc2b7d952acca3a

SHA512
5cc9418e98d486184fce9390130a061f5bb90b36283534c4839dd5e685fd18fa40fa4b09dd5bd64532453fdb8920f3649e1c195f17c2f4e594e51c91c562be57

Download Submit
C:\Users\Admin\AppData\Local\Temp\JfmEXjRC5jL7.bat
Filesize
207B

MD5
57583d8311c2141a930bd92d7ef6723c

SHA1
1820c8b4ed20a79ec35d558d1db30a8f7aa5ae02

SHA256
2c158b9d1c0c1c43ebf090c540ffdb5382b36bd87c564061e38d5074b1114a13

SHA512
8ff6c0bdff65568b5087bda531450bc7b798afcd5f9be08b9f47a4555f98c0723a1424b4fcbb9f68c3b2f1cfe9c1996151a06de2f43dfe6f47f32e5cfe6aa224

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBmNiwQLpqyd.bat
Filesize
207B

MD5
b915e6912fca767229577885cedb224c

SHA1
6853470450174ca2754b18015f72dc426a10db37

SHA256
7d4a4ff56f732b4630a04866e12431984e8a2e0c922112b72479ce7c77f63b2a

SHA512
dcf6837f5b4ee221b365df553df890ccfb62564f35cae9ace1366ffc3d25d464920db2393cb8991575ae44006354659d2016ee3d268ea7490ceb33fefc0fdddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\NM3zOlcM09iz.bat
Filesize
207B

MD5
6e8650a199ba9e53e568193d6e2ada84

SHA1
d17b61287144bdcd594b88084189e502723ee84a

SHA256
0c2440c286823403e9586206a8e3427eabb5480bb42eeb2bf909c97e049c09bf

SHA512
382ec11f74b44cdbe5cfc41ede267a10a2ad16c98ce1bdeb604e9c07710ba233451500079f1800acba14ac5b80a0138a35a63b81648bb1b4b81a70340b0a57d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoXbAuoGjTdR.bat
Filesize
207B

MD5
86952a486e47eb8d33d5d82f37ac5a17

SHA1
6037f8d7dac81204d4ab2c97964e4b9161740132

SHA256
9d6974750a04c8a3e4f89d0baa9f11c16b3dde53bcae09015d797b8564771d77

SHA512
05b572f3f1a317edee0d7c85a20deec048408c8764b5e813d90ccaa78a55f6973ec8d87eb62ad4c77c005ddefe1ce44a9d0fb79268fa58f0d8d2d6dfa34267be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qq0GaIQSig2l.bat
Filesize
207B

MD5
6c09815feccf1d421857272775205ac8

SHA1
5c3a255b3910e434c2af5530915279fa3c3be65e

SHA256
138a621649e189562601eef41fa6560fc7231241a3baf428f270dc7195ea32ed

SHA512
39f01fccec75a27640b2ba20d83c39afbfa13e43957e2e446019be562dd64c0b9b7b9afe1dd00bf9555f6f25273d9a8468c526a6aeb93d264cdb1ef4f90f98c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WuSRnSuTxKYj.bat
Filesize
207B

MD5
b951a4ba3f9c1e30d70733f482ae5b1c

SHA1
9e35dc8180b301e1fabd6f38e7e1106ef5b1c7ac

SHA256
3a502fddcaf07d247bb95aa7bdef9949ffa693485ca9e670e04f4b88564d9fa5

SHA512
3154a37225542e45cff38965c90d402975e1f2d8bcc48c101c5f964ce62eb82a750c3cc682157f59d02497fde549966408e4dfa79b883bd7644704a8b017c799

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z2FZ0GN1qszR.bat
Filesize
207B

MD5
6d3be12e3219fae6aac4c501a0564326

SHA1
2147cfa9326f45e819375beee28ea878911dd7d0

SHA256
91f803c31df2e0d272b4622572ed4567ebcaf8c7a9e46de83c007b951099cc40

SHA512
aeaec096a93595b897b4426afab7af1e403890c221675f606a1afd66e8af1dda33ffed1f4856a8eb91959e486bf573931040254092dcb64980e6476a0687f19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bIiYDCOK9Zq1.bat
Filesize
207B

MD5
989019984fea1e78233d9f0ae0f12e3f

SHA1
7043f8b9fbb891ba5f0f744ebf55dc72416be0f4

SHA256
c5d1734166a90a8b8d3ac160480f8a7b0db8d665da0bf0304d9ddd2e862af85d

SHA512
4706e123990915569632b97f5f046033a8289aff4fd4b6e0527e2e918befead36f5c814cdd15ae78f622a059ab6dc0abafa2a4e80fd5e171ef6b1c21e2621d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\hTUkYKSTo2CO.bat
Filesize
207B

MD5
77253dbc21f19349afa4ca3f58414b66

SHA1
605ae42e97478e696a8b4749525a8905ed723565

SHA256
280c03925ea416145189334ff71b2f9478792c7cab5b659addc7f5b94fcb5b2f

SHA512
883b98c34b217134ce5489458284faa0cea8d5385ad2aab026d7327964d70c78d064482a3e31d4b698d4ee6f32dc245ed64a14b0543adf8e4768c820956dd632

Download Submit
C:\Users\Admin\AppData\Local\Temp\iw3XzmN2AuFD.bat
Filesize
207B

MD5
4db9df7915b6fa8f7b8c37e11ff62a37

SHA1
c12b6b4e88e0dc8731237ad6b4c213b1c66919be

SHA256
289b85c745d5355c0af5d515366f299b5f307efdd52b852d92b0629c5d21e216

SHA512
ea23d0ecd62e81d01b77095f8d38556fd327dffdf4ff26f26e5dde1f1c307ec08ebdd5e73f9a963c4478f203e7bcaa892581a751ffc8becac3c77902435be161

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAlWQMddkSZF.bat
Filesize
207B

MD5
bce30bfda236ab3833d5cba05df2b6fb

SHA1
cbeb3c1db2389fc65b47a8cca09ae277935fb0ce

SHA256
a8ec9655c62f62b47b7184aa7e8f9133c1a2220762ffdac7bd14422ffa635ff5

SHA512
20093f23f1132f8bc0a102e4314847da9feca2b19b2ca53934ea6323f50ea3123e0b1ec6559fb708aecf1cb3af0897a83f5f2ec2fbc85f83568ea51a3ca50558

Download Submit
C:\Users\Admin\AppData\Local\Temp\mglfbZcmUaCl.bat
Filesize
207B

MD5
c905300e860872f4a7136ad338932226

SHA1
0e8ed47c006bee345148327ded7cc0736a472622

SHA256
c3bde2aea093f004156ea4c4fbc685fec860b0182dce701ab75540329615b99e

SHA512
c7f680690f0df651f460cde3cccac602845f3231bc98c5a31ea09ad82728e5c1fbc0b206dc339ab47a5fee38eefdfbef07710fc2709b89ff1ad95c923b688257

Download Submit
C:\Users\Admin\AppData\Local\Temp\q5C6MtXvwwio.bat
Filesize
207B

MD5
6025cef59408fb0f5c722f894939f861

SHA1
9c904ee45897cb989ced2ca766422264c9ace8dc

SHA256
0a697bb3fadd1ee37da2e35e0f4a2a286c0860764c421542e0fa886ee39d9456

SHA512
6015e66ce6c95c182c1151fb273200e3613fc063030caf39d0fc6ff7acbf14be7cfbbfb2ab59118864bfa75f300a29a0b8b777fc8a4983c63475dbbd01182619

Download Submit
C:\Users\Admin\AppData\Local\Temp\rPTnDMrWpF9J.bat
Filesize
207B

MD5
31eb5f2940d8331d7699492cc04b82c3

SHA1
af675870336584b87bf6fccb8164799bc1e90a34

SHA256
179fc2651a0d59a8489f8ab1c0bef0e6bfc1a46c7931f347f800655fd80332d8

SHA512
a96c0e6895284a38fbbd05681a30bb58e5852105224ad1e2cfa5c50dfe138d99f665fbaac7b443b7c48298970bb4bf6240e30bc5a46933fd6c04f6dbe16c4996

Download Submit
C:\Users\Admin\AppData\Local\Temp\zSY5VH5HoMsP.bat
Filesize
207B

MD5
617f7d858be1d597b25e21dce07642ab

SHA1
065ca6b353312fd84c7c007f2d48c7ff06ef56d8

SHA256
5a9935676e7a085502efba21ece755f39025d70cb3dcd37c06b1875b4507f5dd

SHA512
8a265650556f5e25c823f0a7f06e774634fb606d2673ccd2a78dff4044a59d358d58ac0d8642eb9809e8ab620931818069845f6047c751b09f63a32e16029144

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
938de5a697e11c67fdd655ef311548b0

SHA1
d4bf26042927f07533ce67f4fa39353f2b83714e

SHA256
b3250da1ef0eda4a3b5f7d3b27db3b2da645fe93941e6b227132946178a5c4ea

SHA512
f95174defc7d355416b4ac004af73e6d2706a71bf5de7c38cc4f61f4fce359ea75d4beb47750a5aa72f78a1322f50880d5b3aa7d652138a0e4382e1eeacab7c3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
ed80ab401320492668ec1be3a3906324

SHA1
9f5e35086adcdd71deb04b85f90b4083a4ccb5ab

SHA256
1e110855b30818912d26ea82e9eb8346a02bbe2e23e077c373cafb1e0f90d4e4

SHA512
98b1d143dd7b681d473384eb59e2e9d4bb63fb7c92a0a72ee95b90c44cb50e1129de4afffcb05ae092f75b8550166df3448039eddc3d034779ce874c74fb95d0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
3770533c9e32286cbfa5fd5f00fc84f9

SHA1
9e65cb9aeadfdba226a7447b8d52393ae7e8b405

SHA256
e886ed865bcc5820f2a25652422db0e08ea6270c0cc444c813ccd67675e0baf8

SHA512
1c6bbf32b7fca4fd6f4bb3993bf6b193aafd1ee06610d1d2b3945a7995eda9d8014735f107def848cd290552a0e59fe3e513a96defa4d18a2ad2271a8480b8ce

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
915e0abebfa00a8285a6ed124e37282a

SHA1
17a676e5da78c51302e3b35db2226dbe32225c40

SHA256
93145b406e6ee28fea5b86aed36f251c057fba39482cd4a2e54cf2e148cadadd

SHA512
8bb7f0ca86337c712e9ecf82eae1db386208962952e8453173c15835d53d25e82ff00148e9e7c48ea0e672c091acf02ee3d583118a161030a0c913fe46098eed

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
d4006d2826da7fb831487f03208424c9

SHA1
5519d6fd9bd02c036327ccd4dcc7b4cca9814cb2

SHA256
efe446434efd2f634afc5576ecfb362781037e1e3caf6bd1c17dc7495e4d6710

SHA512
46786e494be31c704b551754340b087a966d4a22495ba5c241b4112542a3332244aa0fb9ad67f381e22374f26d454b8346ca07c1d15a5b7ecf6c254d6b53ac15

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
9b106fccf50fca872e1a931a8983e29c

SHA1
62be1f2f5751b8ac6c563f720299a1713ebd20a2

SHA256
1c6ab68b58c3cc7c41d7ea4cedfb9a784daf319167188f556804a61f00aad346

SHA512
3719ea1740d8a78396f396c863db72e79fce7ff4674fc8649189d8228327bd156d16c85d609da529f69591c9d13c8ed066e479f0f25acfaf3d101c8a210604d4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
0decbcd8eea1401b39a85a9e59bb9618

SHA1
d813851106070c7b9f425729e4c40c527723c0af

SHA256
63fc2bd95f89fa7b6f8e52c561a6cc3461ec78ed78e1207e755040a9df18be9a

SHA512
cf155fd9a34c3d8d281f2dc9b09968fc220496775933164df380e259f90420e75f131b50f48eb5b03810dcd0135a781e62f202fa9be968bef9b00c5a75146430

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
15adfd1ae4f53764de5a40e1ac660ba0

SHA1
87aa7815906d0d45cdb746e52b88f3e54c2141c2

SHA256
2495dafb9b8360b5498f9f75dac5f01affcf63c277f509252df7230b60c2f90e

SHA512
0778231b881abe1302e3e403d0aea7affaea32b893bc955c8aaa72771a80fcc30d946880c09fba55b5fe8bcc1334250e90320f72416228d62fa8b4720e187112

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
e5b03f5826dd38bf941e2dd745440713

SHA1
745bbe489724e8d81c66c8f5b3bd90ab79a9d0ca

SHA256
952b1450142c0b3abf6a287bb81bf08859d013eea4f70bebcb727eaffaf46bef

SHA512
0d679033a08d7e16997e3f7ab2093a383b8f33e2fa0c98f129b8c004967d0135ff26488b9eefc66eea51fb7008e71e98b56d2087615b6825489a46b7177e5231

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
dcd1d14d8f9db9d993aaadf319067e10

SHA1
285687cf658bde4cf318eb0672dbdd23e5e8f1dd

SHA256
f327fc44c959354a75952c931f897ded7e25c6b82094bb2c922a01423587539e

SHA512
2c317635456f7f22fbd1af8cda50a5ee523a91d7692548b366ffb28f3c51ec71294acd4bd12b5c9142b5f55c018d6d13f3ab1c9a090a78758689951ded67c71c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
67637df074828b6d7a4e3698a5bd9768

SHA1
61bd39ffa993d1ed6f3d4c42031fef7e839374eb

SHA256
dce44de9e01be74eea92b3eac2dde5f23fc8ee8456f362fde549c37e686cdb10

SHA512
70e4cf4ce7b3696d4d84d234864158147a68f447b1919816830204ac7474006b932ccf1215e90d5265ea72a6d9e24ed2e7e63255d42fef97cb6d8f710cc1668f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
c8d885b29bbcf27f1cbae1fda763eda7

SHA1
eb3b80f3d76a356771ba3aed04ec41023b12ae75

SHA256
19c2abf746ee177a1bae382ca555b24edf9ea9faabbf23037937df0002ba165a

SHA512
103455bc6e89766e1f481212b9c4c3f103e7ad43cac54968abf8930aa225602a400f7287732763a59b268a1e47801300cf6df6577283b4f2f708007d884d5da8

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/3768-14-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3768-24-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3768-19-0x0000000005FE0000-0x0000000005FEA000-memory.dmp

Filesize
40KB

Download
memory/3768-17-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4032-16-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4032-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/4032-8-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4032-7-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/4032-6-0x0000000005BC0000-0x0000000005BD2000-memory.dmp

Filesize
72KB

Download
memory/4032-5-0x0000000004F60000-0x0000000004FC6000-memory.dmp

Filesize
408KB

Download
memory/4032-4-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/4032-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/4032-2-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/4032-1-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download