quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
598s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (13) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral24/memory/4560-1-0x0000000000100000-0x000000000016C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 28 IoCs

Processes:

pid	process
4924	Client.exe
4276	Client.exe
5036	Client.exe
2000	Client.exe
1172	Client.exe
4472	Client.exe
1816	Client.exe
4300	Client.exe
1480	Client.exe
1212	Client.exe
3824	Client.exe
2952	Client.exe
5092	Client.exe
3176	Client.exe
716	Client.exe
2764	Client.exe
5064	Client.exe
4396	Client.exe
2656	Client.exe
1720	Client.exe
1980	Client.exe
2884	Client.exe
4392	Client.exe
684	Client.exe
2232	Client.exe
4148	Client.exe
5104	Client.exe
4880	Client.exe

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
46	ip-api.com
62	ip-api.com
18	ip-api.com
32	ip-api.com
39	ip-api.com
42	ip-api.com
44	ip-api.com
20	ip-api.com
50	ip-api.com
12	api.ipify.org
30	ip-api.com
37	ip-api.com
48	ip-api.com
66	ip-api.com
55	ip-api.com
58	ip-api.com
64	ip-api.com
16	ip-api.com
22	ip-api.com
35	ip-api.com
60	ip-api.com
25	ip-api.com
27	ip-api.com
52	ip-api.com
3	ip-api.com
68	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4564	4924	WerFault.exe	Client.exe
4400	4276	WerFault.exe	Client.exe
4876	5036	WerFault.exe	Client.exe
5024	2000	WerFault.exe	Client.exe
940	1172	WerFault.exe	Client.exe
2764	4472	WerFault.exe	Client.exe
4628	1816	WerFault.exe	Client.exe
1640	4300	WerFault.exe	Client.exe
3980	1480	WerFault.exe	Client.exe
4956	1212	WerFault.exe	Client.exe
3040	3824	WerFault.exe	Client.exe
3260	2952	WerFault.exe	Client.exe
4828	5092	WerFault.exe	Client.exe
2496	3176	WerFault.exe	Client.exe
3324	716	WerFault.exe	Client.exe
3280	2764	WerFault.exe	Client.exe
368	5064	WerFault.exe	Client.exe
1336	4396	WerFault.exe	Client.exe
1412	2656	WerFault.exe	Client.exe
4452	1720	WerFault.exe	Client.exe
4332	1980	WerFault.exe	Client.exe
2916	2884	WerFault.exe	Client.exe
960	4392	WerFault.exe	Client.exe
2300	684	WerFault.exe	Client.exe
4676	2232	WerFault.exe	Client.exe
1964	4148	WerFault.exe	Client.exe
2436	5104	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

SCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4572	SCHTASKS.exe
4756	schtasks.exe
5032	schtasks.exe
4356	schtasks.exe
1152	schtasks.exe
3552	schtasks.exe
2984	schtasks.exe
1448	schtasks.exe
4032	schtasks.exe
1472	schtasks.exe
4628	schtasks.exe
3440	schtasks.exe
3012	schtasks.exe
2908	schtasks.exe
1356	schtasks.exe
1916	schtasks.exe
2540	schtasks.exe
4480	schtasks.exe
1640	schtasks.exe
3512	schtasks.exe
2396	schtasks.exe
3500	schtasks.exe
4440	schtasks.exe
2120	schtasks.exe
4328	schtasks.exe
692	schtasks.exe
5096	schtasks.exe
3164	schtasks.exe
2596	schtasks.exe

Runs ping.exe 1 TTPs 27 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1028	PING.EXE
880	PING.EXE
2184	PING.EXE
116	PING.EXE
4944	PING.EXE
4468	PING.EXE
1864	PING.EXE
836	PING.EXE
2884	PING.EXE
3996	PING.EXE
2884	PING.EXE
4500	PING.EXE
2068	PING.EXE
4488	PING.EXE
3776	PING.EXE
3372	PING.EXE
4884	PING.EXE
4212	PING.EXE
3292	PING.EXE
3404	PING.EXE
3028	PING.EXE
5024	PING.EXE
3236	PING.EXE
2768	PING.EXE
1568	PING.EXE
2656	PING.EXE
4932	PING.EXE

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Uni - Copy (13) - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4560	Uni - Copy (13) - Copy.exe
Token: SeDebugPrivilege	4924	Client.exe
Token: SeDebugPrivilege	4276	Client.exe
Token: SeDebugPrivilege	5036	Client.exe
Token: SeDebugPrivilege	2000	Client.exe
Token: SeDebugPrivilege	1172	Client.exe
Token: SeDebugPrivilege	4472	Client.exe
Token: SeDebugPrivilege	1816	Client.exe
Token: SeDebugPrivilege	4300	Client.exe
Token: SeDebugPrivilege	1480	Client.exe
Token: SeDebugPrivilege	1212	Client.exe
Token: SeDebugPrivilege	3824	Client.exe
Token: SeDebugPrivilege	2952	Client.exe
Token: SeDebugPrivilege	5092	Client.exe
Token: SeDebugPrivilege	3176	Client.exe
Token: SeDebugPrivilege	716	Client.exe
Token: SeDebugPrivilege	2764	Client.exe
Token: SeDebugPrivilege	5064	Client.exe
Token: SeDebugPrivilege	4396	Client.exe
Token: SeDebugPrivilege	2656	Client.exe
Token: SeDebugPrivilege	1720	Client.exe
Token: SeDebugPrivilege	1980	Client.exe
Token: SeDebugPrivilege	2884	Client.exe
Token: SeDebugPrivilege	4392	Client.exe
Token: SeDebugPrivilege	684	Client.exe
Token: SeDebugPrivilege	2232	Client.exe
Token: SeDebugPrivilege	4148	Client.exe
Token: SeDebugPrivilege	5104	Client.exe
Token: SeDebugPrivilege	4880	Client.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

pid	process
4924	Client.exe
4276	Client.exe
5036	Client.exe
2000	Client.exe
1172	Client.exe
4472	Client.exe
1816	Client.exe
4300	Client.exe
1480	Client.exe
1212	Client.exe
3824	Client.exe
2952	Client.exe
5092	Client.exe
3176	Client.exe
716	Client.exe
2764	Client.exe
5064	Client.exe
4396	Client.exe
2656	Client.exe
1720	Client.exe
1980	Client.exe
2884	Client.exe
4392	Client.exe
684	Client.exe
2232	Client.exe
4148	Client.exe
5104	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (13) - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4560 wrote to memory of 4356	4560	Uni - Copy (13) - Copy.exe	schtasks.exe
PID 4560 wrote to memory of 4356	4560	Uni - Copy (13) - Copy.exe	schtasks.exe
PID 4560 wrote to memory of 4356	4560	Uni - Copy (13) - Copy.exe	schtasks.exe
PID 4560 wrote to memory of 4924	4560	Uni - Copy (13) - Copy.exe	Client.exe
PID 4560 wrote to memory of 4924	4560	Uni - Copy (13) - Copy.exe	Client.exe
PID 4560 wrote to memory of 4924	4560	Uni - Copy (13) - Copy.exe	Client.exe
PID 4560 wrote to memory of 4572	4560	Uni - Copy (13) - Copy.exe	SCHTASKS.exe
PID 4560 wrote to memory of 4572	4560	Uni - Copy (13) - Copy.exe	SCHTASKS.exe
PID 4560 wrote to memory of 4572	4560	Uni - Copy (13) - Copy.exe	SCHTASKS.exe
PID 4924 wrote to memory of 3440	4924	Client.exe	schtasks.exe
PID 4924 wrote to memory of 3440	4924	Client.exe	schtasks.exe
PID 4924 wrote to memory of 3440	4924	Client.exe	schtasks.exe
PID 4924 wrote to memory of 1948	4924	Client.exe	cmd.exe
PID 4924 wrote to memory of 1948	4924	Client.exe	cmd.exe
PID 4924 wrote to memory of 1948	4924	Client.exe	cmd.exe
PID 1948 wrote to memory of 4780	1948	cmd.exe	chcp.com
PID 1948 wrote to memory of 4780	1948	cmd.exe	chcp.com
PID 1948 wrote to memory of 4780	1948	cmd.exe	chcp.com
PID 1948 wrote to memory of 1568	1948	cmd.exe	PING.EXE
PID 1948 wrote to memory of 1568	1948	cmd.exe	PING.EXE
PID 1948 wrote to memory of 1568	1948	cmd.exe	PING.EXE
PID 1948 wrote to memory of 4276	1948	cmd.exe	Client.exe
PID 1948 wrote to memory of 4276	1948	cmd.exe	Client.exe
PID 1948 wrote to memory of 4276	1948	cmd.exe	Client.exe
PID 4276 wrote to memory of 3512	4276	Client.exe	schtasks.exe
PID 4276 wrote to memory of 3512	4276	Client.exe	schtasks.exe
PID 4276 wrote to memory of 3512	4276	Client.exe	schtasks.exe
PID 4276 wrote to memory of 4808	4276	Client.exe	cmd.exe
PID 4276 wrote to memory of 4808	4276	Client.exe	cmd.exe
PID 4276 wrote to memory of 4808	4276	Client.exe	cmd.exe
PID 4808 wrote to memory of 1720	4808	cmd.exe	chcp.com
PID 4808 wrote to memory of 1720	4808	cmd.exe	chcp.com
PID 4808 wrote to memory of 1720	4808	cmd.exe	chcp.com
PID 4808 wrote to memory of 1864	4808	cmd.exe	PING.EXE
PID 4808 wrote to memory of 1864	4808	cmd.exe	PING.EXE
PID 4808 wrote to memory of 1864	4808	cmd.exe	PING.EXE
PID 4808 wrote to memory of 5036	4808	cmd.exe	Client.exe
PID 4808 wrote to memory of 5036	4808	cmd.exe	Client.exe
PID 4808 wrote to memory of 5036	4808	cmd.exe	Client.exe
PID 5036 wrote to memory of 3012	5036	Client.exe	schtasks.exe
PID 5036 wrote to memory of 3012	5036	Client.exe	schtasks.exe
PID 5036 wrote to memory of 3012	5036	Client.exe	schtasks.exe
PID 5036 wrote to memory of 4628	5036	Client.exe	cmd.exe
PID 5036 wrote to memory of 4628	5036	Client.exe	cmd.exe
PID 5036 wrote to memory of 4628	5036	Client.exe	cmd.exe
PID 4628 wrote to memory of 1512	4628	cmd.exe	chcp.com
PID 4628 wrote to memory of 1512	4628	cmd.exe	chcp.com
PID 4628 wrote to memory of 1512	4628	cmd.exe	chcp.com
PID 4628 wrote to memory of 2184	4628	cmd.exe	PING.EXE
PID 4628 wrote to memory of 2184	4628	cmd.exe	PING.EXE
PID 4628 wrote to memory of 2184	4628	cmd.exe	PING.EXE
PID 4628 wrote to memory of 2000	4628	cmd.exe	Client.exe
PID 4628 wrote to memory of 2000	4628	cmd.exe	Client.exe
PID 4628 wrote to memory of 2000	4628	cmd.exe	Client.exe
PID 2000 wrote to memory of 4756	2000	Client.exe	schtasks.exe
PID 2000 wrote to memory of 4756	2000	Client.exe	schtasks.exe
PID 2000 wrote to memory of 4756	2000	Client.exe	schtasks.exe
PID 2000 wrote to memory of 184	2000	Client.exe	cmd.exe
PID 2000 wrote to memory of 184	2000	Client.exe	cmd.exe
PID 2000 wrote to memory of 184	2000	Client.exe	cmd.exe
PID 184 wrote to memory of 3612	184	cmd.exe	chcp.com
PID 184 wrote to memory of 3612	184	cmd.exe	chcp.com
PID 184 wrote to memory of 3612	184	cmd.exe	chcp.com
PID 184 wrote to memory of 2884	184	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4356

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\grIhOBQOQuWT.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4780

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1568

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eydYZm8p9GGB.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1720

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1864

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X1PA4QJAwvdP.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1512

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2184

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5RUojvzzsrBZ.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:184

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3612

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2884

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nRZ9Myz7pOlx.bat" "
11⤵
PID:3440

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2240

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3776

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vtau8NCjArUk.bat" "
13⤵
PID:4520

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4820

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3996

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EPKAnxk6wEs6.bat" "
15⤵
PID:4504

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:1508

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3372

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4300

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kJkuRurg3KbH.bat" "
17⤵
PID:1464

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2172

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2884

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v2d8sRMU0MNx.bat" "
19⤵
PID:4176

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:1180

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4500

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WS1Q4KFSKDhw.bat" "
21⤵
PID:5080

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:1764

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4884

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWqHaabMgdwt.bat" "
23⤵
PID:556

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:1508

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4212

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dtGsdZQeVl1Z.bat" "
25⤵
PID:2976

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:3088

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:5024

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Hi3iZlqP5Bv.bat" "
27⤵
PID:3264

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:616

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3292

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3176

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nLXuEp6jmVQs.bat" "
29⤵
PID:1480

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1808

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:2656

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:716

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o10wJ67aC76q.bat" "
31⤵
PID:3712

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:3332

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:3236

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2764

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yIzlcHPukDi6.bat" "
33⤵
PID:1216

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:3424

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:836

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\604GG3kNBRmr.bat" "
35⤵
PID:2892

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:5024

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:1028

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4396

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mV0n8u8RR0TK.bat" "
37⤵
PID:4540

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:2612

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:2768

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:3500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e6bwzqQ3Xz0z.bat" "
39⤵
PID:1992

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:1212

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:116

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:3164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KbXTrgo6nYgS.bat" "
41⤵
PID:4876

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:4596

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:3404

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ePHaVY284DaQ.bat" "
43⤵
PID:2396

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:4504

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:3028

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i6YLNaDIzexI.bat" "
45⤵
PID:264

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:4028

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:2068

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:1916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mnp7EcNSv4K9.bat" "
47⤵
PID:1512

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:1252

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:4944

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:684

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWjLf8sFs65p.bat" "
49⤵
PID:1676

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:628

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:880

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HKTSJz6H9lzn.bat" "
51⤵
PID:1184

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:452

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:4468

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKZox26Q6IZA.bat" "
53⤵
PID:3916

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:3688

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:4932

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Wgk2sfVKl28.bat" "
55⤵
PID:3536

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:4300

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:4488

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 2228
55⤵
- Program crash
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1092
53⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 2248
51⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 2224
49⤵
- Program crash
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 2248
47⤵
- Program crash
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 1096
45⤵
- Program crash
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 2236
43⤵
- Program crash
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1724
41⤵
- Program crash
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 2224
39⤵
- Program crash
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 2160
37⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 2224
35⤵
- Program crash
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 1708
33⤵
- Program crash
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 1096
31⤵
- Program crash
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1092
29⤵
- Program crash
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 2232
27⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 2168
25⤵
- Program crash
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 1704
23⤵
- Program crash
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 2224
21⤵
- Program crash
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 2224
19⤵
- Program crash
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1708
17⤵
- Program crash
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1092
15⤵
- Program crash
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 2236
13⤵
- Program crash
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 2236
11⤵
- Program crash
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1092
9⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 2200
7⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 2176
5⤵
- Program crash
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 2180
3⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4924 -ip 4924
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4276 -ip 4276
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5036 -ip 5036
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2000 -ip 2000
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1172 -ip 1172
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4472 -ip 4472
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1816 -ip 1816
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4300 -ip 4300
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1480 -ip 1480
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1212 -ip 1212
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3824 -ip 3824
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2952 -ip 2952
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5092 -ip 5092
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3176 -ip 3176
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 716 -ip 716
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2764 -ip 2764
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5064 -ip 5064
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4396 -ip 4396
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2656 -ip 2656
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1720 -ip 1720
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1980 -ip 1980
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2884 -ip 2884
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4392 -ip 4392
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 684 -ip 684
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2232 -ip 2232
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4148 -ip 4148
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5104 -ip 5104
1⤵
PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4Hi3iZlqP5Bv.bat
Filesize
207B

MD5
c8194d5401f5b8ac69cf67045d1f5af5

SHA1
215b66d14856a7a44a920952aa84d608dc57a553

SHA256
f2600cda7d5c98011437775a152ce06904804b0d6e56ca24a60effbce0cbf102

SHA512
277bc9504b53b1afbb3060a79f8135a54eb1462579e7b531fd3cd4fb4a446459949fb21d47a0fb0e096b25c034d47681e523316c3b02526f409a40031e2419f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5RUojvzzsrBZ.bat
Filesize
207B

MD5
3556101dc8ce0f22640a9a52c19f3733

SHA1
cb6dfb9e3813d156600a49d88e8523f796ad2a3e

SHA256
88e2cc96d33ab04520334e491c5fe54d7aaba9ee9ac10e6c4cd7d0017e189679

SHA512
88c67ebe2af46881d8808da650a06f31337e2c07fb9a7715ff49fdf7fa1982ea9281ba07e99396ff9b7997621d8ec387b32f030ed22fba9ec69de76dbe67cdee

Download Submit
C:\Users\Admin\AppData\Local\Temp\604GG3kNBRmr.bat
Filesize
207B

MD5
2652342fa3e2a1d60d55abbaf78d1465

SHA1
c73d05ab6f82d4a25845238087e49814d9631f6c

SHA256
d3b76b5e736e96de3b4ca1f0ec5bb81f66628e520e04809bbf0e53575cd07981

SHA512
6b6aa3051dd75d4ebdec2d3c41b1fdfdb78ab0b8fc902a56f887b4d53b38ed1e129a8b60dd22238c020ab4c07afbad2ac9874e15a77c1be935b98bc4bec896e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EPKAnxk6wEs6.bat
Filesize
207B

MD5
45aaa5cccd3bbf4ff4a7dcb7680d0b37

SHA1
fcf87d2037ed77d9ac02cc5e60ecf841d2cd8843

SHA256
845182fa3199a87cd076b9c8d213adab217f62282ce237a3aa38bd626b5964a0

SHA512
203984bed8b516212eee5f75f6c42a5255091e8389a5a16787cdb7f5d615198c2510f8684c706e0050530409e66c1b7c7e5bf5e2ec881f47448500f94e01fa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GWqHaabMgdwt.bat
Filesize
207B

MD5
06ea8a66ed84df04a69515c943e9ca5d

SHA1
6753e00a285b7f33727e027b6e09b59cd3b762ab

SHA256
ed079186f01fde91d118037d2e1f45e8bfe67b3e8e978079f89a6209a0543f99

SHA512
6d80e9d607d91f171ece47e48640d5bb45221121e57610dd2bdafa1d3fad2323d03b35346259c0adb16ac289113ac0ad136ef40a35abc89d480841f70478b010

Download Submit
C:\Users\Admin\AppData\Local\Temp\KbXTrgo6nYgS.bat
Filesize
207B

MD5
6bc211a8a1566a34bf2317a084668669

SHA1
581adf1f8f0cbcca7fa8cf267db0ef99bdb535c9

SHA256
7b35449cde3a22a38cc24347f322f736845b66a1e5f5f5d7312c63930fe287a2

SHA512
f0665f1eb22f11bb8e1daa564d0d0affcaa170be979e1585ab94bb5d63c4fc3fc02d02bd96852ecc45f3fddc2fdec7d219e778aad43a9ac12a2625e88404b4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vtau8NCjArUk.bat
Filesize
207B

MD5
0ab7325184ab5ff8f89a2a4f8ba00e8a

SHA1
a076dff7e32edbcb02aa3269f2afab88d2aa363b

SHA256
729c1c8614897382ad2b068e0519a31fc9ecb4224b3df720948613193f57f27f

SHA512
61c9dcff70f03e98d5637d4844d1e266b5a88c2fc687d8891fcef00b213e1cf813aecaf78371b75b5353df288cd04d282c9a0aee768ee3b138eb88fdd214ba5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WS1Q4KFSKDhw.bat
Filesize
207B

MD5
d76fad12b4c45f9bdff87cb08f3fff15

SHA1
d290bcbfe6c8e20325f4ecba3a88a153654432a1

SHA256
f0268077c39d6cbfa934e212308e04c1dd8c50b119c13528d4abd99fd73f1a12

SHA512
6bfab8b2798716061e764d878a43c88eed248a0f7aff9284d965237098c3da6273678ffdd8281a3d7900f8379ceee81436bb5c227487943b2c46a80243ae6559

Download Submit
C:\Users\Admin\AppData\Local\Temp\X1PA4QJAwvdP.bat
Filesize
207B

MD5
71fa017ca1bf2bc204d48f8d7135ea61

SHA1
c0405905b1e6b66b1d52fc386787b3af5c90a098

SHA256
8a8d376039d2592516ad51d55b56339d418f0202428396ddc65a72716dfa5a46

SHA512
dcce4b38c8a9346992ff0b54271702b491be913b409aaaecb381be8b10594c41852c3607bfa80e1c42bd2a3663c5532de98b7db954e4d202dc93b93b857b872d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtGsdZQeVl1Z.bat
Filesize
207B

MD5
4c23adf228f6f3531ade6ffe8d09568b

SHA1
224e78806a4a46b9d3cdc253bc68c595eb444865

SHA256
4c524351622f23aac5249c45447310791c7be281a215e91928e7f8723a03380f

SHA512
4164ca46879f25a1e1f5661d0fe029e0623dc88057c4fe4d8494cbb7f5bc21ee2eb313153b081b96bb2edddb61a57207c449a7df0fedeee0a737966bc698a682

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6bwzqQ3Xz0z.bat
Filesize
207B

MD5
f435bf186910d43cbfa8c0f0943cc3f2

SHA1
3920655d6eb0d6e7821f05bc5d94b14169dbd594

SHA256
38e0f66fbb4e9f19911bde6986d467e4188ffbd00404ee99df33870ae2d014c3

SHA512
e76d3e77545ed505ef0e46865e4e43d3ab184b87d9bfd067ac01001642465107d19ae99caefb97b2d10692b2e93586e79f75be1c5f0357e3a171ac9a7e0a99e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ePHaVY284DaQ.bat
Filesize
207B

MD5
2bd132096a9c48e1122535a7850797a8

SHA1
ba228043a410803359222d5341e084d3a5b3f198

SHA256
0cc9559f653f73a5bfc610373233f49503397c3aa6f8f970c48b8811998d1437

SHA512
f0eabef3e123ddcdcc6ccd16ffa78b4e2ff026b7fd9162a2de2943b0036cb874860b13632b26f14084d0e38662f6c58b24ea44ef2f43b51f9b2b20c861bccfa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eydYZm8p9GGB.bat
Filesize
207B

MD5
2cb9aaea3c7feca92e15ca3322a768d9

SHA1
a2b00159aaee73d9ee0f5e38c4174c9bbc42ef85

SHA256
6a3b3e3b76c6740e2390fc832d8587627778484fee0edcc8adfbe3afe7860bf6

SHA512
2eea8068d2bca6465ff725bcd27c55f76ba181375728d2b2d4b1eb0ce1ba8d5b2e39a547a534dbf602fba5773f027b4318fcc5bd009ff98d422fef0df4fabf72

Download Submit
C:\Users\Admin\AppData\Local\Temp\grIhOBQOQuWT.bat
Filesize
207B

MD5
3b6a988048d441eff0a7136241907d72

SHA1
931620b66f13dcc80f0bb82cbbc4f0aec409b7f9

SHA256
2a3b4c183dee2350415e893907c8fc287d9b0d5ba3d8975c50e7a94a47fbd4d7

SHA512
f75faafed8e46f6c97ecab9415991b11e07651450099d19458c11d33f1e53dde1e9faaa5a3d7abad6fc58aa3b01c2822600cf105544f05fc654b1b73126466fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kJkuRurg3KbH.bat
Filesize
207B

MD5
37ae74878cea2009121cbaf4576db7ce

SHA1
27a68730271b959176d4f56cd3c7b4a896ac8c7b

SHA256
a0e9de2d86fba15bb6d7a2966f1c7455535bd52a5c388c216ca839f53fce9f6e

SHA512
100a7c725527895b8216e45b38fc2b75df59dcbe2fc053a2e7c509eaaa026dac85e0b379b11351e33b78005d76062856de886ec8e77db5b18b6d59432ded148a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mV0n8u8RR0TK.bat
Filesize
207B

MD5
c62081160788b14cefa81e733eb34af3

SHA1
9a30c63e1d0379a4f9c45c0ec8c1896ec1b9b26f

SHA256
f919935f90fc38eaae458067aa4f06468599b2880b9fb9f0a01115d364cc6eb5

SHA512
9bc4110f539e531ca6224453f5fd480d9982a5227c513af8ac270aab87d0ba469c477a9610467cabdde102044af76479bf62fda16b90f49b6ad51b0aa4d29831

Download Submit
C:\Users\Admin\AppData\Local\Temp\nLXuEp6jmVQs.bat
Filesize
207B

MD5
3784332df8d9a4be5f32fcf24c1d4236

SHA1
78e3e04d6a596669f1179861c0db4ed3570aef79

SHA256
34f63fa91bf47c6f594cc45e99370f7aec2362785e12b691facf3b83f066d86e

SHA512
b0c131648d3afb68504a535144290853a2d7b07a65a82676a9740b7ab5d563dff29a7ca9f83a055b0150e4cd522cfb8c9a5033f50dffe61d9dc6d24aa73e4932

Download Submit
C:\Users\Admin\AppData\Local\Temp\nRZ9Myz7pOlx.bat
Filesize
207B

MD5
2df69c0a98e3189b32b0057ae1accef3

SHA1
1628f8a8c9d7350ad457ba157bc289cf3500551a

SHA256
6976d7877c272032dc627abc40bce3c880ee5629bd0ba3c9a858007e2643434e

SHA512
0a3b927e628ee3711f7a57432c669d10ca29a5c5d8d43f430728883c40c670d5b394158ef2bc9414b8c56dcca274f5c5b185d5c5eff6a4daea3f0664bb21ab0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\o10wJ67aC76q.bat
Filesize
207B

MD5
288d92b0ce0c6104301f53c396ed521f

SHA1
9631f8edb14dac3fd01f44f737d2adac2a7711fd

SHA256
388d840f2ceff2ac516dd2c0105c159d22ffda0d6bbc728ecac5864f08a3fe05

SHA512
f3dba9b6f4ef60e59246eed847326d872aa52f62d23a8c46d096ba7eee12fbbdcf0cfe65d840a4ab1d96bb80de231b83c0206a17c18ab7b8f47b977104a3ec01

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2d8sRMU0MNx.bat
Filesize
207B

MD5
09ab72a29ddf7d1ce85a22159e1e80ad

SHA1
df4fc249cb3f7ced017552c3cd2726e029ddbebc

SHA256
9d49ae8825598aac25f54c5b903feb519e4fbeb9dc5ec9e7873d0d07b64ec890

SHA512
25f5535c4d522a23cfd456175b57ddba7050cf5e70be2265f0cd9b2b34ebe767c4e46a67d947d8a7970325ad448164e945633674556e6859211b70c2fedbded7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIzlcHPukDi6.bat
Filesize
207B

MD5
4e32f7c05c15ae4a4bd3817568a10738

SHA1
27bb3d74fd245b00dcabbed1ff9b8b3707f4feb0

SHA256
67ae3da6c383b8e52c09a961315b990e8dabd05fbc7d5aaef1fd36ac10a06731

SHA512
6f70f014077e1a13a9628d8dc9470d606848422cc3368cfbe09582f1573473bb6627e05c7ca40f989c371c35669d9acfc3c55c9c69098cb7dc93872e918b0981

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
d1979ced91f173f1e08027cc6fa34710

SHA1
9b38496322c5e0591b58b10da8081f1e2227e065

SHA256
878b2f3c728b696461bf3c9264e9aa5733a628e07f4949600410912a7bf4d13a

SHA512
b313bf7bcc8a65c0ccca730a284ea4cf97448a6d64c1a48012bb4ed934c4d5b2b50f50ca388e7fc526851fc41064d2ca77e4310fa4894332b26b2be6fa2aabbc

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
ff6fe9f9202d0767908437455c6e3abd

SHA1
6d042aa014bc5d41f6848a340a2daf9b98c76e5d

SHA256
0217934f40df6e95f6b486cd6a02deedc7d4236425af65b61af64b909606a4e0

SHA512
debd7347dec29742f363c982833618125df84e0f33e700dd5b6352623d1d2bc55d7ae5d0809e0fb8c30b404c8a0df19ed1b0c91a5baf33fd8fd27522cf5c02e4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
fa3508ff20e45e3c9abb470c194d032e

SHA1
1b70fda8427115043da0d8381adf2cb6adc4d1b6

SHA256
16c0b7827fa0b3b3c65301066ce1f792d70eeae265218ae926dc345e56720eb6

SHA512
a604311ae187d84fcd8d36001c47def23140cd98a3999480161369deb3955301eeee7717f872c88611f2fcfc402a9cebbca2aaebd36a720153a97652fd1b0b18

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
e288b93240926ed4ef2667a3eb666eca

SHA1
a65bae7641deaa02ae43e2530f05ac6001322cab

SHA256
849b39e55f685659f2ca43f2e952bffcecb4cf12cdf18f7793400c15fabbfe49

SHA512
2e3785c71a1fe3e625d553e58a5241fd215da7fbaf3b50662ec430dcb146c14b5791fbc589176cc33ca1404bd6e41652768698554b0eb3556570d187ff7f5a65

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
eedb3e4116118b53fa02c9aeda83e156

SHA1
f322ae173b3ec6d55d35baaa570634531eca773c

SHA256
75114de3bf579f06763361c4dab6a22e4dbad1f36aa029f911ae7fb5a0236f0c

SHA512
ef24283abd9b95ee9ea7b1b49fc933e0559908247c40ac2834b7c6d5f862200bc10f3acbaab6a8ad90a670cfa6f09558833c750d782acd112469b0c9eea87f97

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/4560-4-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4560-0-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/4560-1-0x0000000000100000-0x000000000016C000-memory.dmp

Filesize
432KB

Download
memory/4560-16-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4560-2-0x00000000050C0000-0x0000000005664000-memory.dmp

Filesize
5.6MB

Download
memory/4560-3-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/4560-8-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4560-7-0x000000007454E000-0x000000007454F000-memory.dmp

Filesize
4KB

Download
memory/4560-6-0x00000000050A0000-0x00000000050B2000-memory.dmp

Filesize
72KB

Download
memory/4560-5-0x0000000004C90000-0x0000000004CF6000-memory.dmp

Filesize
408KB

Download
memory/4924-19-0x0000000005FC0000-0x0000000005FCA000-memory.dmp

Filesize
40KB

Download
memory/4924-24-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4924-15-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download
memory/4924-17-0x0000000074540000-0x0000000074CF0000-memory.dmp

Filesize
7.7MB

Download