quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
599s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (14) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral30/memory/3956-1-0x0000000000510000-0x000000000057C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 29 IoCs

Processes:

pid	process
2744	Client.exe
3788	Client.exe
3228	Client.exe
3252	Client.exe
264	Client.exe
1716	Client.exe
4536	Client.exe
4516	Client.exe
1488	Client.exe
5084	Client.exe
3248	Client.exe
2432	Client.exe
3232	Client.exe
3084	Client.exe
4564	Client.exe
4480	Client.exe
1120	Client.exe
2760	Client.exe
4580	Client.exe
3340	Client.exe
4224	Client.exe
384	Client.exe
4068	Client.exe
4376	Client.exe
3100	Client.exe
944	Client.exe
3992	Client.exe
3280	Client.exe
2476	Client.exe

Looks up external IP address via web service 27 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
35	ip-api.com
13	ip-api.com
19	ip-api.com
31	ip-api.com
25	ip-api.com
52	ip-api.com
54	ip-api.com
59	ip-api.com
65	ip-api.com
17	ip-api.com
23	ip-api.com
57	ip-api.com
61	ip-api.com
63	ip-api.com
8	api.ipify.org
33	ip-api.com
43	ip-api.com
49	ip-api.com
27	ip-api.com
38	ip-api.com
45	ip-api.com
47	ip-api.com
29	ip-api.com
40	ip-api.com
2	ip-api.com
15	ip-api.com
21	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 28 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2828	2744	WerFault.exe	Client.exe
4780	3788	WerFault.exe	Client.exe
1872	3228	WerFault.exe	Client.exe
5092	3252	WerFault.exe	Client.exe
3476	264	WerFault.exe	Client.exe
1908	1716	WerFault.exe	Client.exe
2532	4536	WerFault.exe	Client.exe
424	4516	WerFault.exe	Client.exe
1604	1488	WerFault.exe	Client.exe
2944	5084	WerFault.exe	Client.exe
4764	3248	WerFault.exe	Client.exe
1288	2432	WerFault.exe	Client.exe
4840	3232	WerFault.exe	Client.exe
944	3084	WerFault.exe	Client.exe
3104	4564	WerFault.exe	Client.exe
2620	4480	WerFault.exe	Client.exe
4992	1120	WerFault.exe	Client.exe
2912	2760	WerFault.exe	Client.exe
1940	4580	WerFault.exe	Client.exe
3884	3340	WerFault.exe	Client.exe
2068	4224	WerFault.exe	Client.exe
3940	384	WerFault.exe	Client.exe
2416	4068	WerFault.exe	Client.exe
3204	4376	WerFault.exe	Client.exe
3588	3100	WerFault.exe	Client.exe
2332	944	WerFault.exe	Client.exe
1876	3992	WerFault.exe	Client.exe
4040	3280	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1416	schtasks.exe
3964	schtasks.exe
3400	schtasks.exe
2980	schtasks.exe
5108	schtasks.exe
4636	schtasks.exe
4964	schtasks.exe
3880	schtasks.exe
2704	schtasks.exe
3856	schtasks.exe
1700	schtasks.exe
1292	schtasks.exe
3592	schtasks.exe
232	schtasks.exe
4776	schtasks.exe
4404	schtasks.exe
3344	schtasks.exe
2932	schtasks.exe
4968	schtasks.exe
3476	SCHTASKS.exe
2980	schtasks.exe
2444	schtasks.exe
2088	schtasks.exe
388	schtasks.exe
4072	schtasks.exe
2448	schtasks.exe
536	schtasks.exe
400	schtasks.exe
636	schtasks.exe
4980	schtasks.exe

Runs ping.exe 1 TTPs 28 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3348	PING.EXE
3260	PING.EXE
3888	PING.EXE
436	PING.EXE
1908	PING.EXE
2228	PING.EXE
2740	PING.EXE
4264	PING.EXE
1164	PING.EXE
2256	PING.EXE
1396	PING.EXE
1784	PING.EXE
3732	PING.EXE
2280	PING.EXE
4772	PING.EXE
1492	PING.EXE
2864	PING.EXE
5044	PING.EXE
4384	PING.EXE
3840	PING.EXE
2148	PING.EXE
2088	PING.EXE
4472	PING.EXE
3076	PING.EXE
2556	PING.EXE
864	PING.EXE
4440	PING.EXE
2708	PING.EXE

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

Uni - Copy (14) - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3956	Uni - Copy (14) - Copy.exe
Token: SeDebugPrivilege	2744	Client.exe
Token: SeDebugPrivilege	3788	Client.exe
Token: SeDebugPrivilege	3228	Client.exe
Token: SeDebugPrivilege	3252	Client.exe
Token: SeDebugPrivilege	264	Client.exe
Token: SeDebugPrivilege	1716	Client.exe
Token: SeDebugPrivilege	4536	Client.exe
Token: SeDebugPrivilege	4516	Client.exe
Token: SeDebugPrivilege	1488	Client.exe
Token: SeDebugPrivilege	5084	Client.exe
Token: SeDebugPrivilege	3248	Client.exe
Token: SeDebugPrivilege	2432	Client.exe
Token: SeDebugPrivilege	3232	Client.exe
Token: SeDebugPrivilege	3084	Client.exe
Token: SeDebugPrivilege	4564	Client.exe
Token: SeDebugPrivilege	4480	Client.exe
Token: SeDebugPrivilege	1120	Client.exe
Token: SeDebugPrivilege	2760	Client.exe
Token: SeDebugPrivilege	4580	Client.exe
Token: SeDebugPrivilege	3340	Client.exe
Token: SeDebugPrivilege	4224	Client.exe
Token: SeDebugPrivilege	384	Client.exe
Token: SeDebugPrivilege	4068	Client.exe
Token: SeDebugPrivilege	4376	Client.exe
Token: SeDebugPrivilege	3100	Client.exe
Token: SeDebugPrivilege	944	Client.exe
Token: SeDebugPrivilege	3992	Client.exe
Token: SeDebugPrivilege	3280	Client.exe
Token: SeDebugPrivilege	2476	Client.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

pid	process
2744	Client.exe
3788	Client.exe
3228	Client.exe
3252	Client.exe
264	Client.exe
1716	Client.exe
4536	Client.exe
4516	Client.exe
1488	Client.exe
5084	Client.exe
3248	Client.exe
2432	Client.exe
3232	Client.exe
3084	Client.exe
4564	Client.exe
4480	Client.exe
1120	Client.exe
2760	Client.exe
4580	Client.exe
3340	Client.exe
4224	Client.exe
384	Client.exe
4068	Client.exe
4376	Client.exe
3100	Client.exe
944	Client.exe
3992	Client.exe
3280	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (14) - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3956 wrote to memory of 4980	3956	Uni - Copy (14) - Copy.exe	schtasks.exe
PID 3956 wrote to memory of 4980	3956	Uni - Copy (14) - Copy.exe	schtasks.exe
PID 3956 wrote to memory of 4980	3956	Uni - Copy (14) - Copy.exe	schtasks.exe
PID 3956 wrote to memory of 2744	3956	Uni - Copy (14) - Copy.exe	Client.exe
PID 3956 wrote to memory of 2744	3956	Uni - Copy (14) - Copy.exe	Client.exe
PID 3956 wrote to memory of 2744	3956	Uni - Copy (14) - Copy.exe	Client.exe
PID 3956 wrote to memory of 3476	3956	Uni - Copy (14) - Copy.exe	SCHTASKS.exe
PID 3956 wrote to memory of 3476	3956	Uni - Copy (14) - Copy.exe	SCHTASKS.exe
PID 3956 wrote to memory of 3476	3956	Uni - Copy (14) - Copy.exe	SCHTASKS.exe
PID 2744 wrote to memory of 2980	2744	Client.exe	schtasks.exe
PID 2744 wrote to memory of 2980	2744	Client.exe	schtasks.exe
PID 2744 wrote to memory of 2980	2744	Client.exe	schtasks.exe
PID 2744 wrote to memory of 2176	2744	Client.exe	cmd.exe
PID 2744 wrote to memory of 2176	2744	Client.exe	cmd.exe
PID 2744 wrote to memory of 2176	2744	Client.exe	cmd.exe
PID 2176 wrote to memory of 1560	2176	cmd.exe	chcp.com
PID 2176 wrote to memory of 1560	2176	cmd.exe	chcp.com
PID 2176 wrote to memory of 1560	2176	cmd.exe	chcp.com
PID 2176 wrote to memory of 1908	2176	cmd.exe	PING.EXE
PID 2176 wrote to memory of 1908	2176	cmd.exe	PING.EXE
PID 2176 wrote to memory of 1908	2176	cmd.exe	PING.EXE
PID 2176 wrote to memory of 3788	2176	cmd.exe	Client.exe
PID 2176 wrote to memory of 3788	2176	cmd.exe	Client.exe
PID 2176 wrote to memory of 3788	2176	cmd.exe	Client.exe
PID 3788 wrote to memory of 2704	3788	Client.exe	schtasks.exe
PID 3788 wrote to memory of 2704	3788	Client.exe	schtasks.exe
PID 3788 wrote to memory of 2704	3788	Client.exe	schtasks.exe
PID 3788 wrote to memory of 2876	3788	Client.exe	cmd.exe
PID 3788 wrote to memory of 2876	3788	Client.exe	cmd.exe
PID 3788 wrote to memory of 2876	3788	Client.exe	cmd.exe
PID 2876 wrote to memory of 3024	2876	cmd.exe	chcp.com
PID 2876 wrote to memory of 3024	2876	cmd.exe	chcp.com
PID 2876 wrote to memory of 3024	2876	cmd.exe	chcp.com
PID 2876 wrote to memory of 4772	2876	cmd.exe	PING.EXE
PID 2876 wrote to memory of 4772	2876	cmd.exe	PING.EXE
PID 2876 wrote to memory of 4772	2876	cmd.exe	PING.EXE
PID 2876 wrote to memory of 3228	2876	cmd.exe	Client.exe
PID 2876 wrote to memory of 3228	2876	cmd.exe	Client.exe
PID 2876 wrote to memory of 3228	2876	cmd.exe	Client.exe
PID 3228 wrote to memory of 3400	3228	Client.exe	schtasks.exe
PID 3228 wrote to memory of 3400	3228	Client.exe	schtasks.exe
PID 3228 wrote to memory of 3400	3228	Client.exe	schtasks.exe
PID 3228 wrote to memory of 544	3228	Client.exe	cmd.exe
PID 3228 wrote to memory of 544	3228	Client.exe	cmd.exe
PID 3228 wrote to memory of 544	3228	Client.exe	cmd.exe
PID 544 wrote to memory of 620	544	cmd.exe	chcp.com
PID 544 wrote to memory of 620	544	cmd.exe	chcp.com
PID 544 wrote to memory of 620	544	cmd.exe	chcp.com
PID 544 wrote to memory of 2708	544	cmd.exe	PING.EXE
PID 544 wrote to memory of 2708	544	cmd.exe	PING.EXE
PID 544 wrote to memory of 2708	544	cmd.exe	PING.EXE
PID 544 wrote to memory of 3252	544	cmd.exe	Client.exe
PID 544 wrote to memory of 3252	544	cmd.exe	Client.exe
PID 544 wrote to memory of 3252	544	cmd.exe	Client.exe
PID 3252 wrote to memory of 536	3252	Client.exe	schtasks.exe
PID 3252 wrote to memory of 536	3252	Client.exe	schtasks.exe
PID 3252 wrote to memory of 536	3252	Client.exe	schtasks.exe
PID 3252 wrote to memory of 3644	3252	Client.exe	cmd.exe
PID 3252 wrote to memory of 3644	3252	Client.exe	cmd.exe
PID 3252 wrote to memory of 3644	3252	Client.exe	cmd.exe
PID 3644 wrote to memory of 3684	3644	cmd.exe	chcp.com
PID 3644 wrote to memory of 3684	3644	cmd.exe	chcp.com
PID 3644 wrote to memory of 3684	3644	cmd.exe	chcp.com
PID 3644 wrote to memory of 1396	3644	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4980

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y0Mtcvifgmhb.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1560

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1908

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ruj2ErJLhfN6.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:3024

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4772

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4Ocz3gBVs1zt.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:620

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2708

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EccSDMmUQoZo.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3684

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1396

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:264

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LdTm38Sh2pLN.bat" "
11⤵
PID:4296

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:3040

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1164

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ik2TT1VhKaSr.bat" "
13⤵
PID:3992

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:2640

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2556

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NRJFK3grF0oj.bat" "
15⤵
PID:2344

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:3880

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4384

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4516

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGs5lf4C2TPb.bat" "
17⤵
PID:1856

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4184

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2228

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1488

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mk0tqlIwmEP9.bat" "
19⤵
PID:1724

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2916

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1784

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8ltyGYSOFZgR.bat" "
21⤵
PID:2996

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:3980

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:864

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3248

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fBycv38DBVEb.bat" "
23⤵
PID:2940

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:636

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2256

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WipFun44qb5g.bat" "
25⤵
PID:3820

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2760

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:3888

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3232

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0co0iWhuUPq.bat" "
27⤵
PID:1720

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3972

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1492

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gc2heOxdWIdP.bat" "
29⤵
PID:2328

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:4416

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3732

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X9tKd8tTBOUV.bat" "
31⤵
PID:2944

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:672

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:3076

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GfebIiSqxlsr.bat" "
33⤵
PID:3920

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:1916

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:2740

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:3344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h36mNjn2r52E.bat" "
35⤵
PID:1160

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:2412

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:4440

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0rqt1b148kwC.bat" "
37⤵
PID:1812

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:1152

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:3840

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yyQaRT44RV3g.bat" "
39⤵
PID:1164

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:3068

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:436

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3340

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OMslWUPGLpC2.bat" "
41⤵
PID:2456

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:3956

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:3348

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4224

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkKwcVlRFAMO.bat" "
43⤵
PID:1780

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:2152

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:2280

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:384

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSPRGH5vgOQA.bat" "
45⤵
PID:4868

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:4392

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:2148

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WNdugyMpJIrE.bat" "
47⤵
PID:2420

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:3052

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:2088

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d5iPLkhIkWv0.bat" "
49⤵
PID:928

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:792

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:2864

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3100

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uca2JUd9Qcm6.bat" "
51⤵
PID:700

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:3732

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:4264

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:944

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5bY1dOGoTPtk.bat" "
53⤵
PID:732

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:2996

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:3260

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:3880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LNUOUVKWEG6o.bat" "
55⤵
PID:2844

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:1804

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:4472

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3280

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
57⤵
- Creates scheduled task(s)
PID:2448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZgHxZQmAIAPy.bat" "
57⤵
PID:4868

C:\Windows\SysWOW64\chcp.com
chcp 65001
58⤵
PID:2400

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:5044

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1680
57⤵
- Program crash
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 1720
55⤵
- Program crash
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1728
53⤵
- Program crash
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 1092
51⤵
- Program crash
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 2236
49⤵
- Program crash
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 1696
47⤵
- Program crash
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 1676
45⤵
- Program crash
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 1096
43⤵
- Program crash
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1092
41⤵
- Program crash
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 1092
39⤵
- Program crash
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 2248
37⤵
- Program crash
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 1660
35⤵
- Program crash
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1680
33⤵
- Program crash
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 1708
31⤵
- Program crash
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1092
29⤵
- Program crash
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1096
27⤵
- Program crash
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1096
25⤵
- Program crash
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1092
23⤵
- Program crash
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1092
21⤵
- Program crash
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1092
19⤵
- Program crash
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1716
17⤵
- Program crash
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1516
15⤵
- Program crash
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1728
13⤵
- Program crash
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 2192
11⤵
- Program crash
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 1644
9⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 1092
7⤵
- Program crash
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 2188
5⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 1656
3⤵
- Program crash
PID:2828

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2744 -ip 2744
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3788 -ip 3788
1⤵
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3228 -ip 3228
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3252 -ip 3252
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 264 -ip 264
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1716 -ip 1716
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4536 -ip 4536
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4516 -ip 4516
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1488 -ip 1488
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5084 -ip 5084
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3248 -ip 3248
1⤵
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2432 -ip 2432
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3232 -ip 3232
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3084 -ip 3084
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4564 -ip 4564
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4480 -ip 4480
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1120 -ip 1120
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2760 -ip 2760
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4580 -ip 4580
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3340 -ip 3340
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4224 -ip 4224
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 384 -ip 384
1⤵
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4068 -ip 4068
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4376 -ip 4376
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3100 -ip 3100
1⤵
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 944 -ip 944
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3992 -ip 3992
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3280 -ip 3280
1⤵
PID:4728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0rqt1b148kwC.bat
Filesize
207B

MD5
e08d2e08d4e173db26c076f3a5d9c2cb

SHA1
0732a693e283737707a7997aa1dee7fd35a5c0bc

SHA256
962de02d2ea7c814675cf1bf4e504a17bedf6e9bd1cf2af934b4cb7dbe916758

SHA512
a42f657e6ad5a5bf43cb4fb594e0aba60f5a716e5b8d3368004aad1fcb5a713e741b8252f7ca051cb272502197a7f4e33f71dedfe100fec0bbfe6177648b9629

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Ocz3gBVs1zt.bat
Filesize
207B

MD5
029681251647984e95d18c706783b4cf

SHA1
8b9fd56840b5766ac7b8badebe86adb3ff12c2ee

SHA256
fb06af12a46449e52ed034350a25c4a23958264c64965e5a7999a42fbf82ed53

SHA512
fc41fc1d1c898fec4f866f31bcc42a447a34d8f85fd8a547244545fb4ebf952a8856db13980d993a43ba702cda28fcd68a87db7611a5aad0fe9bc95f792fd2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ltyGYSOFZgR.bat
Filesize
207B

MD5
93e865c2d17021f8e6f5b5609c6fb652

SHA1
45b8f17bd9a75dae12258b6b98ff0543c1ec08a3

SHA256
822a289448d0479f1aae20b1a90d2860b59244f78c137135103ca0aff97e372f

SHA512
7c77fdeae10bdd35826f6ea7cba37624237fd73ca0b897dfdc813c14d8804db291ee1016fc589305a9bdf343b8eab24f87fb6a713dd893f7e920ea89e5c13d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\EccSDMmUQoZo.bat
Filesize
207B

MD5
bb2fe00fdb7306a30f465e1b6c73e8ad

SHA1
0a2f318ff3d34a13668717a9db2d338c58b686f0

SHA256
a4daf957253a17ec3b5f25dff9c7e253e95af17808d8b98689267f51f3e2ae53

SHA512
c71c473a00131064ce02fdb612c8d672c8b0a3ad254e817b20b1b8c7c378308ce014a0159e119a658d31e15515742b4bb827dd03474cb14b9b4caeec73178433

Download Submit
C:\Users\Admin\AppData\Local\Temp\GfebIiSqxlsr.bat
Filesize
207B

MD5
50a95395a64afd9592503bbd43262426

SHA1
5b6233c37f5bd955db35b3546e7547d7477160b3

SHA256
e8b0df869d09954daeb7f5e51175e3acc3a9a3a5cf3cf8354ba7c53b6db7e803

SHA512
be64d0acce2f4ba52b66deba2b1c600606e4a2d643b76841ee6f33255a5cec65e8c674a2b1038bb2dd95ff7d509a71b907d02c51108de8be3ffbab19c9a9150b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ik2TT1VhKaSr.bat
Filesize
207B

MD5
b3dbb6b1cae1e7dbce2e87b3a8a51e18

SHA1
f8dd91894c6cfc9fa555829f74f7ca5562ae6893

SHA256
c580bfbae6ce455262537607aa879887939225d8d3212a7ffed67e7846fe3cbb

SHA512
a70eceb99ddbc6d060fcefa3d42396cba54254ac18300b30b08f1c6b9752b171902df6d19080c6480655e554509c7cb355a58cdb75e98592b97e6b6c820fdc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdTm38Sh2pLN.bat
Filesize
207B

MD5
0035c354b5d2177372022049ec65051b

SHA1
071315096f135fdb4ac31323554d3c7fe21a926e

SHA256
a9be2662be8496eafcbfd8e5c0e7c3e4ec65d20b31bc72d3a1ee6e742f11dca5

SHA512
1222326ce4905af431e459f414ef5c49df62833ac4aef329b2873ec65f76ea88f731ea4b368bba69ba4b33e26b383f01d32a085f71275361f97e83a3b5ebf53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mk0tqlIwmEP9.bat
Filesize
207B

MD5
c4180a137067560fd8014948cc05fda3

SHA1
e7441c3029813fed4535d2b68045ee771b1a3984

SHA256
f3f9ce0e7bb74f8aca9e548aa266060951852c810c25786544d66d45f14f2480

SHA512
610269cfbc3175a99ef12b0ef5490b4a11394aa729bfd442565db88d8836147cb8b7ccb1e2e13fbf2e164330d5d846cd6c9e663b4315dc4c7678134338519eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\NRJFK3grF0oj.bat
Filesize
207B

MD5
6a4a3e78a147c0db808dc04551d574ce

SHA1
c191d7326e5e2d149e883760029cdeafea379c10

SHA256
004d838b359e7f54e8675e36c531d084309f7ee0dea1586ff35561b5b66b4bee

SHA512
caf04c7425b0ed28ae471644732d9166682362a6b47da02d846cabc6f817158492c5149873e812919067b5e3bc380948303596c5809a98643f66a2a86d6d10cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMslWUPGLpC2.bat
Filesize
207B

MD5
990508e5a915ea82314aec4f1fc6e302

SHA1
5035d131b97cf3e8f9d944d76467875f259bee45

SHA256
a8e50a4df78f52eb9a0878dc32b40b415dc3c50b3c6964d6e57d132d283f849e

SHA512
8dacd4f20f6e280efe84f809be9ea4ebb50626b421401fb39dbadab4e50036534cc3e10dbe7efacde9ff93834db91e80ad0fe0a0e9f6da51a471d176187e1ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruj2ErJLhfN6.bat
Filesize
207B

MD5
58c829af8110b67d15f1df6d77820d4f

SHA1
0e7136e29146feb3b51eefbdafa5a0c69d86689b

SHA256
4ce18cf12963b7d489f48d1f0c11a9fe7564009537e7c088ec497db36398b3da

SHA512
52f8390bd38d92f379fcf33ec0198d580fb02649c9617f29a55ea1da26f3268b9ac182ce6b34c6e641e0bf60da8f436c98b46016d74151affb55c701ddcc7213

Download Submit
C:\Users\Admin\AppData\Local\Temp\WipFun44qb5g.bat
Filesize
207B

MD5
176041f7052ff9c63f42e28189464068

SHA1
bfaac04ace0b528d113e6b05b27896ba49b65c1e

SHA256
0a1d4aeed0dec392703522a08bc78b8b2a4bf480f09d0d1ed1f89b516f444ad2

SHA512
322e9f64e088460398ad5a59ef83eeeefd2436cfd9cb7459c18f3820d0df90c083f41837775a9cf3a847dda870a48cb31eb93a479c7f79532866c6ff60c47cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9tKd8tTBOUV.bat
Filesize
207B

MD5
d352161f9c65d27cf6e3d136ce802e28

SHA1
48717892bbaf72e3ad2352c164362c99cdd47af7

SHA256
485848e6c1107de52e418191bad12b8c449037048cb6cf69f4f917a4d6e588a1

SHA512
0a2f246ff43663dca8dc2986c62b0dd98d8732a794b256706f05fa4f3a1a0e4353e296f60843d8f8bb3a9b28a02860aed498378147cd17d934fe03a1fd23dffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBycv38DBVEb.bat
Filesize
207B

MD5
48be710bef8d26a31ef5c5beb9429b68

SHA1
dd20f3508ca7d8c116328d71645c4a3d3167850c

SHA256
8851d7bfb6bb76094cd1bd35888ce8ab22fc1f435c6b46057fe47dc1722bcb50

SHA512
c97294c8ad78833bbff073a855c41e092ce5e0510b847bbc2c764323bc3936c4f92fcea15e9a8c2c34e4976dac369816396dc8d70a965308c90173ce07bb032f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gc2heOxdWIdP.bat
Filesize
207B

MD5
80d8dd56690f7e03f9e5c040bcbe0f44

SHA1
dd42b9fbd4cf3f10aa926e307e6a5e525a6d5a6c

SHA256
60e056ab82ee35faaae491f448664433f0a55d57a2d6cbd229942282aab15c3c

SHA512
4a3c8dd8c55a8af3c8178a5c344428983b2e797cd4daa9bc5e8a573e44ee8f8036ddf5ca8e6536636941574f5fd734af3ea0da9f0bed8d3fbff0d94ca517439e

Download Submit
C:\Users\Admin\AppData\Local\Temp\h36mNjn2r52E.bat
Filesize
207B

MD5
061290fd256cafa51a4b69956c0e9809

SHA1
d54260ba173f1f485ffe817f76f68ff99aeb3319

SHA256
7de4caef5924146ad0874884aec37f98960a58a4ca0895856b71bf8a8467a4db

SHA512
392dd390ca96b3ed7abfc81a21941d7fb2bc9b397b48969f071129adbc0881773c75b4e51bd1c6f72616ebea59d6969ad91a142720411023edc08cff7c05cab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\k0co0iWhuUPq.bat
Filesize
207B

MD5
5f820e301ac15330dfeb318a647faef4

SHA1
23e4858ea54e2fe6152f67fefa537b6421334278

SHA256
8e6b037259a46eecb519edf8e5cd345dc85f179362f2c5577e238fba5b2c32df

SHA512
199eee4f07fcf5b7461afecf470c85bb056f795a2608b80e5f6bab8a9d0a9862361b0ebe7c0556f428ec61a787583ec42ac7e8df8703cfab619817b4c2779e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGs5lf4C2TPb.bat
Filesize
207B

MD5
278e9e2a0d5169ceaf53873866bdedfb

SHA1
0d33eab95e52c555b6514b9887c9705427080cef

SHA256
d3875e66445c2a58ae6d2965c526620b220149cd29d7417d444e3c29fa56bb87

SHA512
4f140d2e2d0bef715688a840759c04604e43cbb2b61e737ef1989f8d6a7bb5924b6fa7c9f5689269d64900fdfe962c50d30dfaef6c27f12ced9f430d6374bafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkKwcVlRFAMO.bat
Filesize
207B

MD5
90a301703a953bead3f22468ee0a8e89

SHA1
728705e00473114ff5d40a43d199863f2cfe9194

SHA256
e3aef3b7a1033523cea113229ed7f8e4b5a08c6ad7afd3cceb7951d5e46e2b43

SHA512
6022c21e6a75d50c3b93ef53043fd6f20416dc0eb6c8020c0c7ed121a09c42add2f146524cdb00bdf867e298f040803bd51c3183764befc4b610b9cebdb4aeb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\y0Mtcvifgmhb.bat
Filesize
207B

MD5
5b0b26c139a36ec8f732e171d0b3cd3f

SHA1
0a58e7826fb645436343070ebe0a6c1da851ea72

SHA256
0f467bd64ea7a0daa7de66ed4223f6c8d46284acce64d76518f80252db6857e3

SHA512
07bc42c00d4e372bd6251f8c247a486cb39458ba1a9435baacfacabec5bbb6125e698cbfaa0905f28111971e8b3f3dc7fa10cc39d05ce6d4b5a165c5f04ae2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyQaRT44RV3g.bat
Filesize
207B

MD5
7ab3f8d0ad69d3d26cbfcbcf4d106c30

SHA1
114162f3e3519691af0c2c581fc8dff74ae23f5b

SHA256
ab04b76e7595b875f23d92d5603e158eaad730ddd2e9c0a2be59fc214edf7535

SHA512
dc61f8790ed6c10f6f525eb6e1ff47ee6df103467ad49a3916d06cc513b21a5e7b439aab2d0db115dcd6ea156150c24ad05df3b11c444e4c525d8f45799fbd4d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
ba630c5251eecbf5302e6456f01393af

SHA1
5b0ccb3d2a33339cf9f7fac555352bb4c3c0a57b

SHA256
da571cf6b2d9f6f258f0a717126d9b65596993595ee7199e7deacbc4cbd36367

SHA512
e2aad17e5f22a63e62c724ff6dad295eda9e6e0463b4526ad31ef893ab72f74e02aef57c45c4c90e36fb2e3b4cdb16c7ccd97754c143e1e70be3c3b7b2b7572e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
e6a678a7d5c6555caeb2c9eb60ab7af2

SHA1
1950f6439bfc99efc71ae70307fc2b06f121480b

SHA256
cf9be85aa9ddebacfb3e7a10f40ac7c1ab59dd1734b1b02fae25cfa80180ba11

SHA512
40e16b825eabf5085a8a249b57ee0ac13915975f7396d7e14fd09911f2a2c39cd0a37b523dd20316122267efff42016e4418ea3ceddd6944be3718f6ced34c34

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
48700a740547b61216af313ea8ad7c8c

SHA1
f00fbaf02442321907f7db46b4bc2bfe4d62cbcc

SHA256
b3dc81c137d1a76027dac18ff816fac27c3281f9d19877efec1761b6ae411ab1

SHA512
c7b5fbc72839e6e03a91a6fb94c8a4bb66107a2f7b30773d3bb9f12425ab868cd3cc89f811f42314d6885d36f455220dc5c603d2b09ab212c0371124759cc111

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
ca71f167a9a1fa8dd4da4bf90028c907

SHA1
6c5350f1b60d466e6056d7e60fde38b4d5a5826d

SHA256
0bdbcced25e4015a42eb003e3b96e4a1ac2774713919037c8e768f200aa26d14

SHA512
58d8f52e112bdfa3342587ed331968abafe4616d4cecaacad2f7d074d3dc7b861c8847f1a4738f06d78af8296a8c401ed49fa04f24733cd0e51954e58606875d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
b844dcb36c9360d599d9d137e26e51c3

SHA1
fa4b47287e909325d0d1b9b64695b14429fbaefb

SHA256
adf2a0f99a874fd0dcfd8b8220d91232fab37190d9f07c407f128fde0fee7eb3

SHA512
2982ab49d8519ed58d90d6a84c446234eba8ea5f1777559947b0743d5fa6518677142003f90994c563609273a6ed2503874cb0d31fe9180b8056660101c17c85

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
4af2600a79826ac9350830df50385242

SHA1
17fa5045f546c999a67700cb849a4869295e6e9b

SHA256
7d23c26b0bab665a6e68b5d5a258ecb1a6e2c648614f706fcb17b6a64975213e

SHA512
450a47fb22e0025261fe04d47d0fc53044530e59a61d3986560d97faad082f38cbf2958c5d7680441dfd0f342cca8e4f946a6ce6b6b6d6b9847f32a963bb78b9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
ce69cb1382d61c4b6ab0d2b4997f13af

SHA1
f4cc0d8874eb273766c37948ebee671859232487

SHA256
2744abf7c8d632ef6029d54e9a771b727531fc95eada79da1bc366578157d6b8

SHA512
d2b8d8d6c9abfaab096f14f0a723732a89002605a25f46a809e338996e05e16c336e2f98bd3973b85f848c7caceb6effc697b0180d6eae52632f209cbb4e9cf1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
22cbbe535fec35e5af210486fd2b749b

SHA1
7775e507b7f2339b343549895fa0dc88265c02a0

SHA256
8f1fcb0c6295bbbb528ed07882518e5a1dfff7905e6d657f5bf991e04622ad1e

SHA512
6bf853b92962de3c8bd6489bedaf96d4a27128d8896ad3fc658c5099a570f489236a4c3ba5e5ac0516899b654dfc5b9eada6bbe6ab5944eea3fa6feaadda1643

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
5f3a3f74254b2ff33f25c42e7b33b7e1

SHA1
5da155905405c5d2dfd0642b59a4d610229bcae3

SHA256
542344d72166445c583ff41190efa85d9f70042ca13acaca885c791bdfb0e1ab

SHA512
4d2770fb283305ee3621fddea8cd8416e39e1c5c26c9683a725146ec990e7fe08f43c9f8c06f5cea767bd60e9bb8446d8eb3c9d81d1fda836b5a5bf0639e7fb3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/2744-15-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/2744-24-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/2744-17-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/2744-19-0x0000000006E40000-0x0000000006E4A000-memory.dmp

Filesize
40KB

Download
memory/3956-7-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/3956-0-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/3956-8-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/3956-16-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/3956-6-0x0000000005D90000-0x0000000005DA2000-memory.dmp

Filesize
72KB

Download
memory/3956-5-0x0000000004F30000-0x0000000004F96000-memory.dmp

Filesize
408KB

Download
memory/3956-4-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/3956-3-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/3956-2-0x0000000005580000-0x0000000005B24000-memory.dmp

Filesize
5.6MB

Download
memory/3956-1-0x0000000000510000-0x000000000057C000-memory.dmp

Filesize
432KB

Download