quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
591s
max time network
601s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (14) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral28/memory/5052-1-0x0000000000E50000-0x0000000000EBC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 27 IoCs

Processes:

pid	process
828	Client.exe
3720	Client.exe
3048	Client.exe
4376	Client.exe
2124	Client.exe
2296	Client.exe
4808	Client.exe
628	Client.exe
992	Client.exe
3452	Client.exe
3024	Client.exe
2980	Client.exe
3740	Client.exe
4804	Client.exe
3128	Client.exe
4568	Client.exe
1372	Client.exe
2528	Client.exe
5004	Client.exe
4052	Client.exe
2560	Client.exe
1380	Client.exe
3636	Client.exe
4784	Client.exe
1604	Client.exe
4036	Client.exe
404	Client.exe

Looks up external IP address via web service 27 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
11	api.ipify.org
43	ip-api.com
41	ip-api.com
59	ip-api.com
3	ip-api.com
16	ip-api.com
26	ip-api.com
28	ip-api.com
30	ip-api.com
20	ip-api.com
55	ip-api.com
65	ip-api.com
22	ip-api.com
24	ip-api.com
34	ip-api.com
36	ip-api.com
63	ip-api.com
48	ip-api.com
50	ip-api.com
57	ip-api.com
14	ip-api.com
18	ip-api.com
38	ip-api.com
46	ip-api.com
53	ip-api.com
32	ip-api.com
61	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3188	828	WerFault.exe	Client.exe
1916	3720	WerFault.exe	Client.exe
2772	3048	WerFault.exe	Client.exe
1816	4376	WerFault.exe	Client.exe
2424	2124	WerFault.exe	Client.exe
5008	2296	WerFault.exe	Client.exe
2384	4808	WerFault.exe	Client.exe
400	628	WerFault.exe	Client.exe
1476	992	WerFault.exe	Client.exe
3720	3452	WerFault.exe	Client.exe
2016	3024	WerFault.exe	Client.exe
1592	2980	WerFault.exe	Client.exe
3144	3740	WerFault.exe	Client.exe
1596	4804	WerFault.exe	Client.exe
968	3128	WerFault.exe	Client.exe
2720	4568	WerFault.exe	Client.exe
3248	1372	WerFault.exe	Client.exe
3208	2528	WerFault.exe	Client.exe
3100	5004	WerFault.exe	Client.exe
4328	4052	WerFault.exe	Client.exe
3944	2560	WerFault.exe	Client.exe
3916	1380	WerFault.exe	Client.exe
1944	3636	WerFault.exe	Client.exe
3684	4784	WerFault.exe	Client.exe
3436	1604	WerFault.exe	Client.exe
4528	4036	WerFault.exe	Client.exe
4580	404	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3204	schtasks.exe
2168	schtasks.exe
4712	schtasks.exe
2284	SCHTASKS.exe
3168	schtasks.exe
2588	schtasks.exe
2408	schtasks.exe
3404	schtasks.exe
4108	schtasks.exe
4328	schtasks.exe
2784	schtasks.exe
4004	schtasks.exe
3048	schtasks.exe
832	schtasks.exe
2952	schtasks.exe
2232	schtasks.exe
3256	schtasks.exe
2588	schtasks.exe
1388	schtasks.exe
1160	schtasks.exe
4936	schtasks.exe
4328	schtasks.exe
5072	schtasks.exe
2616	schtasks.exe
512	schtasks.exe
2196	schtasks.exe
804	schtasks.exe
312	schtasks.exe
2548	schtasks.exe

Runs ping.exe 1 TTPs 27 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4400	PING.EXE
1212	PING.EXE
3016	PING.EXE
3264	PING.EXE
4000	PING.EXE
4844	PING.EXE
2784	PING.EXE
4188	PING.EXE
1464	PING.EXE
4220	PING.EXE
1048	PING.EXE
2652	PING.EXE
2172	PING.EXE
1268	PING.EXE
3452	PING.EXE
2352	PING.EXE
3304	PING.EXE
4984	PING.EXE
1900	PING.EXE
4740	PING.EXE
396	PING.EXE
4980	PING.EXE
3696	PING.EXE
1804	PING.EXE
3592	PING.EXE
5072	PING.EXE
1696	PING.EXE

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

Uni - Copy (14) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	5052	Uni - Copy (14) - Copy - Copy.exe
Token: SeDebugPrivilege	828	Client.exe
Token: SeDebugPrivilege	3720	Client.exe
Token: SeDebugPrivilege	3048	Client.exe
Token: SeDebugPrivilege	4376	Client.exe
Token: SeDebugPrivilege	2124	Client.exe
Token: SeDebugPrivilege	2296	Client.exe
Token: SeDebugPrivilege	4808	Client.exe
Token: SeDebugPrivilege	628	Client.exe
Token: SeDebugPrivilege	992	Client.exe
Token: SeDebugPrivilege	3452	Client.exe
Token: SeDebugPrivilege	3024	Client.exe
Token: SeDebugPrivilege	2980	Client.exe
Token: SeDebugPrivilege	3740	Client.exe
Token: SeDebugPrivilege	4804	Client.exe
Token: SeDebugPrivilege	3128	Client.exe
Token: SeDebugPrivilege	4568	Client.exe
Token: SeDebugPrivilege	1372	Client.exe
Token: SeDebugPrivilege	2528	Client.exe
Token: SeDebugPrivilege	5004	Client.exe
Token: SeDebugPrivilege	4052	Client.exe
Token: SeDebugPrivilege	2560	Client.exe
Token: SeDebugPrivilege	1380	Client.exe
Token: SeDebugPrivilege	3636	Client.exe
Token: SeDebugPrivilege	4784	Client.exe
Token: SeDebugPrivilege	1604	Client.exe
Token: SeDebugPrivilege	4036	Client.exe
Token: SeDebugPrivilege	404	Client.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

pid	process
828	Client.exe
3720	Client.exe
3048	Client.exe
4376	Client.exe
2124	Client.exe
2296	Client.exe
4808	Client.exe
628	Client.exe
992	Client.exe
3452	Client.exe
3024	Client.exe
2980	Client.exe
3740	Client.exe
4804	Client.exe
3128	Client.exe
4568	Client.exe
1372	Client.exe
2528	Client.exe
5004	Client.exe
4052	Client.exe
2560	Client.exe
1380	Client.exe
3636	Client.exe
4784	Client.exe
1604	Client.exe
4036	Client.exe
404	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (14) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 5052 wrote to memory of 512	5052	Uni - Copy (14) - Copy - Copy.exe	schtasks.exe
PID 5052 wrote to memory of 512	5052	Uni - Copy (14) - Copy - Copy.exe	schtasks.exe
PID 5052 wrote to memory of 512	5052	Uni - Copy (14) - Copy - Copy.exe	schtasks.exe
PID 5052 wrote to memory of 828	5052	Uni - Copy (14) - Copy - Copy.exe	Client.exe
PID 5052 wrote to memory of 828	5052	Uni - Copy (14) - Copy - Copy.exe	Client.exe
PID 5052 wrote to memory of 828	5052	Uni - Copy (14) - Copy - Copy.exe	Client.exe
PID 5052 wrote to memory of 2284	5052	Uni - Copy (14) - Copy - Copy.exe	SCHTASKS.exe
PID 5052 wrote to memory of 2284	5052	Uni - Copy (14) - Copy - Copy.exe	SCHTASKS.exe
PID 5052 wrote to memory of 2284	5052	Uni - Copy (14) - Copy - Copy.exe	SCHTASKS.exe
PID 828 wrote to memory of 3256	828	Client.exe	schtasks.exe
PID 828 wrote to memory of 3256	828	Client.exe	schtasks.exe
PID 828 wrote to memory of 3256	828	Client.exe	schtasks.exe
PID 828 wrote to memory of 4676	828	Client.exe	cmd.exe
PID 828 wrote to memory of 4676	828	Client.exe	cmd.exe
PID 828 wrote to memory of 4676	828	Client.exe	cmd.exe
PID 4676 wrote to memory of 4252	4676	cmd.exe	chcp.com
PID 4676 wrote to memory of 4252	4676	cmd.exe	chcp.com
PID 4676 wrote to memory of 4252	4676	cmd.exe	chcp.com
PID 4676 wrote to memory of 2172	4676	cmd.exe	PING.EXE
PID 4676 wrote to memory of 2172	4676	cmd.exe	PING.EXE
PID 4676 wrote to memory of 2172	4676	cmd.exe	PING.EXE
PID 4676 wrote to memory of 3720	4676	cmd.exe	Client.exe
PID 4676 wrote to memory of 3720	4676	cmd.exe	Client.exe
PID 4676 wrote to memory of 3720	4676	cmd.exe	Client.exe
PID 3720 wrote to memory of 4936	3720	Client.exe	schtasks.exe
PID 3720 wrote to memory of 4936	3720	Client.exe	schtasks.exe
PID 3720 wrote to memory of 4936	3720	Client.exe	schtasks.exe
PID 3720 wrote to memory of 4712	3720	Client.exe	cmd.exe
PID 3720 wrote to memory of 4712	3720	Client.exe	cmd.exe
PID 3720 wrote to memory of 4712	3720	Client.exe	cmd.exe
PID 4712 wrote to memory of 3024	4712	cmd.exe	chcp.com
PID 4712 wrote to memory of 3024	4712	cmd.exe	chcp.com
PID 4712 wrote to memory of 3024	4712	cmd.exe	chcp.com
PID 4712 wrote to memory of 3304	4712	cmd.exe	PING.EXE
PID 4712 wrote to memory of 3304	4712	cmd.exe	PING.EXE
PID 4712 wrote to memory of 3304	4712	cmd.exe	PING.EXE
PID 4712 wrote to memory of 3048	4712	cmd.exe	Client.exe
PID 4712 wrote to memory of 3048	4712	cmd.exe	Client.exe
PID 4712 wrote to memory of 3048	4712	cmd.exe	Client.exe
PID 3048 wrote to memory of 2588	3048	Client.exe	schtasks.exe
PID 3048 wrote to memory of 2588	3048	Client.exe	schtasks.exe
PID 3048 wrote to memory of 2588	3048	Client.exe	schtasks.exe
PID 3048 wrote to memory of 2520	3048	Client.exe	cmd.exe
PID 3048 wrote to memory of 2520	3048	Client.exe	cmd.exe
PID 3048 wrote to memory of 2520	3048	Client.exe	cmd.exe
PID 2520 wrote to memory of 1356	2520	cmd.exe	chcp.com
PID 2520 wrote to memory of 1356	2520	cmd.exe	chcp.com
PID 2520 wrote to memory of 1356	2520	cmd.exe	chcp.com
PID 2520 wrote to memory of 3696	2520	cmd.exe	PING.EXE
PID 2520 wrote to memory of 3696	2520	cmd.exe	PING.EXE
PID 2520 wrote to memory of 3696	2520	cmd.exe	PING.EXE
PID 2520 wrote to memory of 4376	2520	cmd.exe	Client.exe
PID 2520 wrote to memory of 4376	2520	cmd.exe	Client.exe
PID 2520 wrote to memory of 4376	2520	cmd.exe	Client.exe
PID 4376 wrote to memory of 3404	4376	Client.exe	schtasks.exe
PID 4376 wrote to memory of 3404	4376	Client.exe	schtasks.exe
PID 4376 wrote to memory of 3404	4376	Client.exe	schtasks.exe
PID 4376 wrote to memory of 720	4376	Client.exe	cmd.exe
PID 4376 wrote to memory of 720	4376	Client.exe	cmd.exe
PID 4376 wrote to memory of 720	4376	Client.exe	cmd.exe
PID 720 wrote to memory of 2304	720	cmd.exe	chcp.com
PID 720 wrote to memory of 2304	720	cmd.exe	chcp.com
PID 720 wrote to memory of 2304	720	cmd.exe	chcp.com
PID 720 wrote to memory of 4220	720	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:512

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MHBXuOZvQ2eJ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4252

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2172

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wlFkxTHl5aaC.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:3024

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3304

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2xRUKPhQ7ZSD.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3696

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rz9JXx2C6iRO.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2304

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4220

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5IwrdsUpAbkY.bat" "
11⤵
PID:5100

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4820

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4984

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rIqx3feHdw1p.bat" "
13⤵
PID:800

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4720

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1212

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4808

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jtR6vbvtivYU.bat" "
15⤵
PID:1900

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:1352

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4844

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:628

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YTEVzn3BI7OG.bat" "
17⤵
PID:2752

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4268

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2784

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1sVQsYYhiFEW.bat" "
19⤵
PID:3256

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2084

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3016

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3452

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F6YT4GfZMFt6.bat" "
21⤵
PID:4468

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:3448

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1804

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOK2AB7CR8CF.bat" "
23⤵
PID:3308

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2088

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3592

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2980

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SZdFTHVy9nzJ.bat" "
25⤵
PID:2036

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2596

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4188

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3740

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sx6QYHr9378f.bat" "
27⤵
PID:2644

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:5056

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1268

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HHo5k6qaXYdS.bat" "
29⤵
PID:3540

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:116

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:5072

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3128

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\My5qc71kTyzJ.bat" "
31⤵
PID:384

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:2984

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:3452

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K9O3vDQVBdmM.bat" "
33⤵
PID:1768

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:2444

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:4400

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:3048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GlowZtsRnR0w.bat" "
35⤵
PID:3508

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:2864

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:1900

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daMn0VFmaubo.bat" "
37⤵
PID:2932

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:1500

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:4740

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CVbGRCXgDn2s.bat" "
39⤵
PID:2548

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:3264

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:1696

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWULrzh8f8JA.bat" "
41⤵
PID:1300

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:3948

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:1464

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0c8w6vsPtIi.bat" "
43⤵
PID:4588

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:4856

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:396

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1O4J16G4JDS4.bat" "
45⤵
PID:5060

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:3704

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:1048

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:2616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aJJmSoXxw7t9.bat" "
47⤵
PID:4152

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:4552

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:2352

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuuvJkpZ26Qo.bat" "
49⤵
PID:5084

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:1704

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:3264

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8PqSBaDdHf7H.bat" "
51⤵
PID:828

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:2120

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:2652

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C67D3cOnD6T9.bat" "
53⤵
PID:4168

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:1452

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:4980

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:404

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ADgvTVRnVrac.bat" "
55⤵
PID:3124

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:1072

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1688
55⤵
- Program crash
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 1092
53⤵
- Program crash
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1712
51⤵
- Program crash
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1092
49⤵
- Program crash
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1092
47⤵
- Program crash
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1092
45⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1084
43⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 2224
41⤵
- Program crash
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 2236
39⤵
- Program crash
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1092
37⤵
- Program crash
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1096
35⤵
- Program crash
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 2248
33⤵
- Program crash
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1080
31⤵
- Program crash
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1096
29⤵
- Program crash
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 1708
27⤵
- Program crash
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 2248
25⤵
- Program crash
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1676
23⤵
- Program crash
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 2224
21⤵
- Program crash
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1672
19⤵
- Program crash
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 2232
17⤵
- Program crash
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 2228
15⤵
- Program crash
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 2228
13⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 2232
11⤵
- Program crash
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 2252
9⤵
- Program crash
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 2196
7⤵
- Program crash
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 2196
5⤵
- Program crash
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 1628
3⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 828 -ip 828
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3720 -ip 3720
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3048 -ip 3048
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4376 -ip 4376
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2124 -ip 2124
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2296 -ip 2296
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4808 -ip 4808
1⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 628 -ip 628
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 992 -ip 992
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3452 -ip 3452
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3024 -ip 3024
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2980 -ip 2980
1⤵
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3740 -ip 3740
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4804 -ip 4804
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3128 -ip 3128
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4568 -ip 4568
1⤵
PID:2184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1372 -ip 1372
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2528 -ip 2528
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5004 -ip 5004
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4052 -ip 4052
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2560 -ip 2560
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1380 -ip 1380
1⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3636 -ip 3636
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4784 -ip 4784
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1604 -ip 1604
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4036 -ip 4036
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 404 -ip 404
1⤵
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1sVQsYYhiFEW.bat
Filesize
207B

MD5
cd3ac153ae7b2d89bcfbe59350358556

SHA1
a1257aabe6578b85e927f36da3e3be0b87ca6685

SHA256
401f6866aae0f8132eed32ba84113fd5e49e9e30159e19311a686777618c9984

SHA512
03ac77c7c4db7b4ea1b01f238cf1701f591e070090277588fc193295a9637098c6db59842ca700666d7548591c5f8925995f71fc10c7b1957c3079feaa6839c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2xRUKPhQ7ZSD.bat
Filesize
207B

MD5
db4f4cdcab8db7f3832c85618ce732f3

SHA1
52a6852aa4b7a77e0f38b84224f6ce5ad058d08f

SHA256
cf38bb7cdb980c731bc6b7b8ff242dd1c6880f5b786beee58b53ed85c62a0594

SHA512
d9494e72d6ef819ad76ef8797221698d173948efb78dee3be6900aa4e2e96fdc8484c2fafd92bd758420394eb98ac0c5f615424a5f05b8d0d89155697ff250f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5IwrdsUpAbkY.bat
Filesize
207B

MD5
d38acd23d07ba06c477ff31e1ce4100b

SHA1
9f01876e9ed1c7757a7e3a4d4c50df28a9ba4a13

SHA256
ddecf2c5f3320a6858a4ec8d033ff3bd72082e6bae0ab00f70de77552ddfcb8c

SHA512
4d12a5dc64ee9684449c7162620f778eb6e5b3f97e43bd767a3888698ba0402dac63278081fc9aed12ba8a88af2e81fe32e5290b331099cf36f7594067572b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\CVbGRCXgDn2s.bat
Filesize
207B

MD5
a992fdbff9c95a22b65a01a4faa63095

SHA1
9141393a5a9c4d51a8554f3e528152754e18e162

SHA256
64e71f0ac2d61f80e97a6fbec77d3d977a7df639f8435f386642cf28e20634ba

SHA512
d02cad29b0a6620d9d5b38e8991c469b27844912eb19745346aa53ece921f800352dd82da23f7f841eb23570a1101858704077f62be681567e1d9b652b0d44ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6YT4GfZMFt6.bat
Filesize
207B

MD5
21b212a2c0bcaeb5c9379bc8f423e866

SHA1
245f0db2551b816f261d4fbcc5bd599879f3adb0

SHA256
18e7ef1dab9b2094907ad759b9b1c2c2ac3194cd16f9ea660eb99f6357ff5b9d

SHA512
f2066be52353da9e7fff0ebbfe1e0001ec67f742f635772ae41563158d714563e7fa3ad39452cff6fb5f5080cb2f153eadf926ea4f190599ba026e60da36ba47

Download Submit
C:\Users\Admin\AppData\Local\Temp\GlowZtsRnR0w.bat
Filesize
207B

MD5
c082ab6d2021441e19f93b7ee419c935

SHA1
edba896ed5b0db9425e8a9a53faba19231ccea08

SHA256
784e6dbbb64ca5ba3f2813238c215d517ef485aa81880188d4db55feb881c76f

SHA512
2aff2e5465f683bf5ea5f9f895a077aa24b38691fc1b65fe9bc277e6a6fa506fe4e32241f897e547e7fe32c298001f9dc5a78ab53818f564ef489a4c1243c526

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHo5k6qaXYdS.bat
Filesize
207B

MD5
82463983294e8df8808b4d3d7d7eb963

SHA1
395829e6681e862d4823c40dcb98407bcede3584

SHA256
01d15e5036487fd236ded2e2dc3d10286aa5434a0c65b869de790b3c3f743adf

SHA512
34daf8d9ccfb56aec162d2c6adeb6ec79015149ac095b2a7487c27e1a3a9e8242ced97ad2a5fe08d62ae7cb3197fb40eaea6e47ca6091b5041b748394ce3f445

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9O3vDQVBdmM.bat
Filesize
207B

MD5
4a11680d220179bae116f723a35a05f0

SHA1
511b1e9b20dc5542c8eb6334bac1ced1c5ec1a1b

SHA256
7b614dcd06d2e913bf810cd408db5688800b720b0e95902591994f2604d7ed41

SHA512
1e563f71f76f454cb87ae6d9eb9f1c96f22e71f7c753ca2095d4cd8c74397fdf534d6d1836d889741d41eee043a9b7e1f72d544147921c73ebea49761d93815d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MHBXuOZvQ2eJ.bat
Filesize
207B

MD5
2868a1f99561a4cbded5d8850eaa40cb

SHA1
88616dfb2baf9d926b7e6c34f09401ce8899500d

SHA256
f310b2e536f52aa0af2dc05bf81d76ce93ecd3342066e8207b59c24918804d09

SHA512
aef4f815096ac7eb8d6e2ad89cd135150500c822d175dede64837f24170e28eaa0e5caba410c6e11eec046fa528aa4e727201625cb4bc59a8e1d6d56198cf42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\My5qc71kTyzJ.bat
Filesize
207B

MD5
e780261c3ed59a56d9771590d2454963

SHA1
2f5df7c3f82281b21a905ed561896ac01c70b163

SHA256
98dddbf249c76a33ee07c3d9a2dbbfa3a7256dc3c152af588e55eba427c2c98d

SHA512
3b4465f21d5dda8fa255642a70c490d7b5e3e99b7f2c6ce93bae4f2177a49b33d33ddfd01c4d72cf1c4d818aaf1e59c05e5f49e5cbf5e06ddbc19bdc5b7403bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\SZdFTHVy9nzJ.bat
Filesize
207B

MD5
871598c3321b98d01df716abcbc3f54e

SHA1
bf3320b062d306b8fe635af7e8dcb1db91ca0ab8

SHA256
3f73a1fd86c9fa45c0a3e6ad3178cd568dbd7f7669958fc56baced34e2044e1a

SHA512
3622df6f270ea43341b59ecef3c10c73b91d7ce3f801cee8acf2a4b3c9407cc87faaa552653342814ad3e1e425fba29f895ee3c07d236c6e44a6dbb32db8671e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOK2AB7CR8CF.bat
Filesize
207B

MD5
48430121d754e04cd45f3ea028b2d4e2

SHA1
cf37509baa045349638b6e2f58ae294789997789

SHA256
6aea0062933c812b9f539a3c4273045c565c6bcb5141ca646111d24a655fb7cf

SHA512
c417c799e7194a068ea8c9ff39ff38bb90a424e820b3338617389224049920692213fd4509d1217a602e27b8711374a32e3977d807a276b6e1d3fa7cb8d63e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTEVzn3BI7OG.bat
Filesize
207B

MD5
3e2c46e1b29f9509970b45efa059156a

SHA1
fdd13630fffcb45adf13f0d64dd09d4e29f3f8ef

SHA256
af0928f68d970bd2b9b6f25d8cad86869e0db560b8bb4e96507ea8628be0f77b

SHA512
287b6b302055800944491e230f8a27ff358d1fdc4536fe8ca6c832f61632c6c679085c347423a038e9a2efae5ffe3ae253ae0c1980e5a1faabf941ba48b13b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0c8w6vsPtIi.bat
Filesize
207B

MD5
79f159a6e8199a033d49065c15c460c2

SHA1
6a37680a3db974120a8bbe43a318419f156715f6

SHA256
4cc0e36e751ce8b87dd76460563caa1163893411ef97cf7c1fce3a57b8e499f3

SHA512
0a075160fd7d163a5024040913358f843d2e6d4aadc3348474355c168da9ab996c1441b3b6b6aff59f1a33f37e70e6aa95e16c870416327ecaea14c902363a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\daMn0VFmaubo.bat
Filesize
207B

MD5
7cd3ee4b8e6b0968b333f38cc40dbc92

SHA1
39de935a75413df97ddd21556d48d222440dbf6f

SHA256
a77332b25f24a2d607e8d12761fed87c523ec825c9b597f42ae4a1dcf559804e

SHA512
1d011288d361635d337d26d6c8b8939a818e66ecbf6a03efab4e0dd640b9c6b7821472a7546326686c3ff91815f7e97425cd5e79c383af100bf4909975cec227

Download Submit
C:\Users\Admin\AppData\Local\Temp\jtR6vbvtivYU.bat
Filesize
207B

MD5
be56ddbd73fd250b5f807eede1b4beee

SHA1
aed8043092ac1369318f10adc6f2712e9e3533fe

SHA256
a810e2c96ec69d264c49bd17dbb450e442858603425002301268cabcdb97c1db

SHA512
cbe2c45c8e785d5d11a91f1b69b5e8b935a5b604beab5670506155ec0ba3595d0e716590b2b7b6e6f0a490c056b709daa97022d6080ebd9d3b26cc2c03cc5599

Download Submit
C:\Users\Admin\AppData\Local\Temp\rIqx3feHdw1p.bat
Filesize
207B

MD5
4a6c30233e50e8ac06fbb1388dcdf069

SHA1
79ca066804481935806470ffa153cf20de90c080

SHA256
eef672900f7c84ff7fd0740a5477f3f05e71dbaa33a0402f6a4cf770015cc3d8

SHA512
c4467f0bac7ab68485a603b195b50fb513934c3d4decdf1072fb90aaab32832f53fca6ad7c9539c1cd613a66f97ae00cadb8ff709929ec4a32cefdd994372132

Download Submit
C:\Users\Admin\AppData\Local\Temp\rz9JXx2C6iRO.bat
Filesize
207B

MD5
4e2c908e2a5cd440927d5e6f40e65d92

SHA1
2ad2aa7f9b2033f2e584de09e63214cb460fd0c8

SHA256
de6c78bdb79c89cdaada405b61a883ba495efc269355497e454e019cae5e24b8

SHA512
0575e80184a1cb04fc00a4f7be76d1bddf6460e9165b61d16a19ea4a5226c8b15bbe84159aa42355ca63fdab57344c8b344f0be677c9a013cfb91db12b353f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\sx6QYHr9378f.bat
Filesize
207B

MD5
a97a52735e97acc7da7dff5948764856

SHA1
7594268a4910a5f779809e1457742f99db11f1d8

SHA256
7100f90b7fbc9e4029d78c1ade2de7a4afb3856ce330d9949f4300124ce3496f

SHA512
07fcb541ebf2ec5acdb47dbf30c6f3473cb462cb48c4be10f6be29217f9e9ae4f78a77c4b63e9b89195c2d616cee20b0a29351c430927e8565a356d0240209cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wlFkxTHl5aaC.bat
Filesize
207B

MD5
165184a4c58f91a21fff3e8b381f745c

SHA1
79f4fdfaec45a22f1c0cce3d22223617de799dfe

SHA256
6ff792002e6bb404fdc901eab7b6ccf1355d0898d44d1fc295ffc6d3ac728d89

SHA512
874790ebf8dd8633bcaa0abe2b95ca0c702ebecddcb93822eb1182c8c518a5ad1ad2da32c55f6e3fe42d723a01cb4247626af471ad1cc13efbe3afafc5c5d91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWULrzh8f8JA.bat
Filesize
207B

MD5
f55ba399ed5daaea63cb27c815b1d701

SHA1
6b0336b266f0abfd7edae1f8c610b21feb873be7

SHA256
f585f41e661441ef4423d9be240d2950651c53fb170a4b44943d182e7e67a8e8

SHA512
b0f94253554b7058437e625f6b77b0bc4adf2b2463bb1cebf0649413a74abdf8563521a0bd4956aaf8ae59d7fe955f489b59f3dcfd4d0a39b038d149909a6c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
d44b009b707d8e56f153e9443f07d469

SHA1
c9206e993828d29e830f50bd7cb4cb187fda3d06

SHA256
b8e507f70faabb521d4297b8863c27a9cc264a4f656aeb2d38bd050913924626

SHA512
048ef17d6ff7cc3638c4d41c88136989b11f5428824e206b84dccb551fd37d7c2e80a0931d51c8f1afa118af2b3809c5903a0c621e83c5911dbd98beb2bbc6ee

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
1cb11caa8733d5a99e1c8ecc7aa4e852

SHA1
8b2d39910355affd183e5e7937e6697c4fbb70b8

SHA256
f78f75db99749f8eaa0618f70598fa920741549a8e4ef38f0d3b9c381ab3186d

SHA512
5153f868714710916ccda02ffd1bf2b9f427a73d55004ea1b30ae171538b8129c4c732bc2a278b19bed8c15faf201f9b2ecd3b5ee386a4699fa9f313a1038b17

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
a01179a2820b6278a06f1de7590f1d85

SHA1
3a33d0c938b80e3eedc506d1e932e7cd6e2842ef

SHA256
cb551b4fee1984cb48072738bf4b190825e78a7d434024bdb21694ca60ab463c

SHA512
b529dc894cb3435e884783ee475a2485d925087835e58e431cc97a6c518258e51b6fe191e3db5a8ce96db6d031ec87c43b7bdb270479fbcbf1195b375b18c045

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
b01131ac51afe26c395c6bb30bf73e92

SHA1
67e757f980110e94c70729e079b5d0fd22f3bc26

SHA256
bf245353b7d969f3b842339efeeecfe350d75ea728a2b2b08ef62c8dcd5c4d4d

SHA512
1a70bd7c576c518db45b9f0b8dbbb274d162e7093cfee838c44700f75ecf7ff6988123f96304eb50c129514725484ddf91feedbbf68fe46c251487b404150dfc

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
e873340c3cbaed53de19ac0d4c5ffa4f

SHA1
910a993eedcce0a97642288f08159ecb0cddf0e5

SHA256
ff5d23738c84172f4cfd6e474ff2978e31951c7ad591423257fc2dd7cc69cf3f

SHA512
05f3c370ae7a62f597fc63c7c29ef0944418e8819d052c4160a56c391dcea94704bd4ca9c77644c85d9d0644add59d234cd3b8972a086131ba608ad374e94e52

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
9e6dfea857adc1bc5132e7cc2fc2e75f

SHA1
f91b825e33c29f842508bd697d6e291081a3fc76

SHA256
501578aabe5cbc9f8adf9cda3ba62a2f370d2324addf19a97235bc712c068a13

SHA512
6c9a927a71512bf7c8acece1539f998e392e26505faddb5c47df2c214d0b3e6fb505f850ba4236064ff8c85ff2411f928907aef6b0ecb7089ee69645a9543c2b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
39680199eae4ee56f26024389a9bfb4c

SHA1
53af4b704c6cf08a6c4bfb9f5f4f0b2cc5d84566

SHA256
e102d648ad0defa81fe82ce3ccd09748c7a7f1d2f769aa0276ac5852654626c1

SHA512
16936a708d28fb7afdc5f9a718ceeb4c6901de31dc2ac6d7f7cef8f014b3e96f62b1b9939e009cb526747e7614c421663cdfc0a2b86c9883ca57350efb7c18fb

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/828-17-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/828-15-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/828-24-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/828-19-0x0000000005FA0000-0x0000000005FAA000-memory.dmp

Filesize
40KB

Download
memory/5052-4-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/5052-6-0x0000000006600000-0x0000000006612000-memory.dmp

Filesize
72KB

Download
memory/5052-5-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/5052-7-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/5052-16-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/5052-3-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/5052-2-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/5052-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/5052-8-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/5052-1-0x0000000000E50000-0x0000000000EBC000-memory.dmp

Filesize
432KB

Download