quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
590s
max time network
604s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (15) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral32/memory/3940-1-0x0000000000B50000-0x0000000000BBC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 28 IoCs

Processes:

pid	process
904	Client.exe
3056	Client.exe
644	Client.exe
4324	Client.exe
1456	Client.exe
4576	Client.exe
3032	Client.exe
4296	Client.exe
64	Client.exe
1812	Client.exe
4168	Client.exe
2224	Client.exe
4124	Client.exe
3960	Client.exe
1152	Client.exe
692	Client.exe
4056	Client.exe
1592	Client.exe
900	Client.exe
3172	Client.exe
1884	Client.exe
1032	Client.exe
3460	Client.exe
4816	Client.exe
2332	Client.exe
1804	Client.exe
5024	Client.exe
2584	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
17	ip-api.com
29	ip-api.com
32	ip-api.com
53	ip-api.com
64	ip-api.com
15	ip-api.com
45	ip-api.com
51	ip-api.com
62	ip-api.com
34	ip-api.com
43	ip-api.com
2	ip-api.com
40	ip-api.com
38	ip-api.com
58	ip-api.com
11	ip-api.com
22	ip-api.com
26	ip-api.com
8	api.ipify.org
36	ip-api.com
47	ip-api.com
24	ip-api.com
19	ip-api.com
55	ip-api.com
60	ip-api.com
13	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4896	904	WerFault.exe	Client.exe
3136	3056	WerFault.exe	Client.exe
4336	644	WerFault.exe	Client.exe
1068	4324	WerFault.exe	Client.exe
2444	1456	WerFault.exe	Client.exe
3192	4576	WerFault.exe	Client.exe
2128	3032	WerFault.exe	Client.exe
2192	4296	WerFault.exe	Client.exe
2908	64	WerFault.exe	Client.exe
380	1812	WerFault.exe	Client.exe
4708	4168	WerFault.exe	Client.exe
5052	2224	WerFault.exe	Client.exe
3400	4124	WerFault.exe	Client.exe
2204	3960	WerFault.exe	Client.exe
2608	1152	WerFault.exe	Client.exe
3620	692	WerFault.exe	Client.exe
4328	4056	WerFault.exe	Client.exe
5056	1592	WerFault.exe	Client.exe
904	900	WerFault.exe	Client.exe
556	3172	WerFault.exe	Client.exe
4040	1884	WerFault.exe	Client.exe
1500	1032	WerFault.exe	Client.exe
2892	3460	WerFault.exe	Client.exe
2396	4816	WerFault.exe	Client.exe
3916	2332	WerFault.exe	Client.exe
2660	1804	WerFault.exe	Client.exe
224	5024	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3136	schtasks.exe
3616	schtasks.exe
4388	schtasks.exe
3168	schtasks.exe
3208	schtasks.exe
3684	schtasks.exe
688	schtasks.exe
3384	schtasks.exe
2828	schtasks.exe
1796	schtasks.exe
5020	schtasks.exe
4416	schtasks.exe
456	schtasks.exe
5096	schtasks.exe
2772	schtasks.exe
468	schtasks.exe
116	schtasks.exe
3776	schtasks.exe
4516	schtasks.exe
1660	schtasks.exe
468	schtasks.exe
1084	schtasks.exe
728	schtasks.exe
2168	schtasks.exe
3172	schtasks.exe
3232	SCHTASKS.exe
1724	schtasks.exe
4672	schtasks.exe
2184	schtasks.exe

Runs ping.exe 1 TTPs 27 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2124	PING.EXE
2784	PING.EXE
1204	PING.EXE
4112	PING.EXE
4420	PING.EXE
1740	PING.EXE
3968	PING.EXE
2556	PING.EXE
3300	PING.EXE
632	PING.EXE
2964	PING.EXE
4828	PING.EXE
4296	PING.EXE
2400	PING.EXE
3976	PING.EXE
704	PING.EXE
1480	PING.EXE
5004	PING.EXE
1304	PING.EXE
4680	PING.EXE
3852	PING.EXE
1540	PING.EXE
1812	PING.EXE
4444	PING.EXE
1236	PING.EXE
3976	PING.EXE
1636	PING.EXE

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Uni - Copy (15) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3940	Uni - Copy (15) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	904	Client.exe
Token: SeDebugPrivilege	3056	Client.exe
Token: SeDebugPrivilege	644	Client.exe
Token: SeDebugPrivilege	4324	Client.exe
Token: SeDebugPrivilege	1456	Client.exe
Token: SeDebugPrivilege	4576	Client.exe
Token: SeDebugPrivilege	3032	Client.exe
Token: SeDebugPrivilege	4296	Client.exe
Token: SeDebugPrivilege	64	Client.exe
Token: SeDebugPrivilege	1812	Client.exe
Token: SeDebugPrivilege	4168	Client.exe
Token: SeDebugPrivilege	2224	Client.exe
Token: SeDebugPrivilege	4124	Client.exe
Token: SeDebugPrivilege	3960	Client.exe
Token: SeDebugPrivilege	1152	Client.exe
Token: SeDebugPrivilege	692	Client.exe
Token: SeDebugPrivilege	4056	Client.exe
Token: SeDebugPrivilege	1592	Client.exe
Token: SeDebugPrivilege	900	Client.exe
Token: SeDebugPrivilege	3172	Client.exe
Token: SeDebugPrivilege	1884	Client.exe
Token: SeDebugPrivilege	1032	Client.exe
Token: SeDebugPrivilege	3460	Client.exe
Token: SeDebugPrivilege	4816	Client.exe
Token: SeDebugPrivilege	2332	Client.exe
Token: SeDebugPrivilege	1804	Client.exe
Token: SeDebugPrivilege	5024	Client.exe
Token: SeDebugPrivilege	2584	Client.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

pid	process
904	Client.exe
3056	Client.exe
644	Client.exe
4324	Client.exe
1456	Client.exe
4576	Client.exe
3032	Client.exe
4296	Client.exe
64	Client.exe
1812	Client.exe
4168	Client.exe
2224	Client.exe
4124	Client.exe
3960	Client.exe
1152	Client.exe
692	Client.exe
4056	Client.exe
1592	Client.exe
900	Client.exe
3172	Client.exe
1884	Client.exe
1032	Client.exe
3460	Client.exe
4816	Client.exe
2332	Client.exe
1804	Client.exe
5024	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (15) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3940 wrote to memory of 2772	3940	Uni - Copy (15) - Copy - Copy - Copy.exe	schtasks.exe
PID 3940 wrote to memory of 2772	3940	Uni - Copy (15) - Copy - Copy - Copy.exe	schtasks.exe
PID 3940 wrote to memory of 2772	3940	Uni - Copy (15) - Copy - Copy - Copy.exe	schtasks.exe
PID 3940 wrote to memory of 904	3940	Uni - Copy (15) - Copy - Copy - Copy.exe	Client.exe
PID 3940 wrote to memory of 904	3940	Uni - Copy (15) - Copy - Copy - Copy.exe	Client.exe
PID 3940 wrote to memory of 904	3940	Uni - Copy (15) - Copy - Copy - Copy.exe	Client.exe
PID 3940 wrote to memory of 3232	3940	Uni - Copy (15) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3940 wrote to memory of 3232	3940	Uni - Copy (15) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3940 wrote to memory of 3232	3940	Uni - Copy (15) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 904 wrote to memory of 3384	904	Client.exe	schtasks.exe
PID 904 wrote to memory of 3384	904	Client.exe	schtasks.exe
PID 904 wrote to memory of 3384	904	Client.exe	schtasks.exe
PID 904 wrote to memory of 380	904	Client.exe	cmd.exe
PID 904 wrote to memory of 380	904	Client.exe	cmd.exe
PID 904 wrote to memory of 380	904	Client.exe	cmd.exe
PID 380 wrote to memory of 1588	380	cmd.exe	chcp.com
PID 380 wrote to memory of 1588	380	cmd.exe	chcp.com
PID 380 wrote to memory of 1588	380	cmd.exe	chcp.com
PID 380 wrote to memory of 1636	380	cmd.exe	PING.EXE
PID 380 wrote to memory of 1636	380	cmd.exe	PING.EXE
PID 380 wrote to memory of 1636	380	cmd.exe	PING.EXE
PID 380 wrote to memory of 3056	380	cmd.exe	Client.exe
PID 380 wrote to memory of 3056	380	cmd.exe	Client.exe
PID 380 wrote to memory of 3056	380	cmd.exe	Client.exe
PID 3056 wrote to memory of 1660	3056	Client.exe	schtasks.exe
PID 3056 wrote to memory of 1660	3056	Client.exe	schtasks.exe
PID 3056 wrote to memory of 1660	3056	Client.exe	schtasks.exe
PID 3056 wrote to memory of 4440	3056	Client.exe	cmd.exe
PID 3056 wrote to memory of 4440	3056	Client.exe	cmd.exe
PID 3056 wrote to memory of 4440	3056	Client.exe	cmd.exe
PID 4440 wrote to memory of 3872	4440	cmd.exe	chcp.com
PID 4440 wrote to memory of 3872	4440	cmd.exe	chcp.com
PID 4440 wrote to memory of 3872	4440	cmd.exe	chcp.com
PID 4440 wrote to memory of 3300	4440	cmd.exe	PING.EXE
PID 4440 wrote to memory of 3300	4440	cmd.exe	PING.EXE
PID 4440 wrote to memory of 3300	4440	cmd.exe	PING.EXE
PID 4440 wrote to memory of 644	4440	cmd.exe	Client.exe
PID 4440 wrote to memory of 644	4440	cmd.exe	Client.exe
PID 4440 wrote to memory of 644	4440	cmd.exe	Client.exe
PID 644 wrote to memory of 3776	644	Client.exe	schtasks.exe
PID 644 wrote to memory of 3776	644	Client.exe	schtasks.exe
PID 644 wrote to memory of 3776	644	Client.exe	schtasks.exe
PID 644 wrote to memory of 4708	644	Client.exe	cmd.exe
PID 644 wrote to memory of 4708	644	Client.exe	cmd.exe
PID 644 wrote to memory of 4708	644	Client.exe	cmd.exe
PID 4708 wrote to memory of 1392	4708	cmd.exe	chcp.com
PID 4708 wrote to memory of 1392	4708	cmd.exe	chcp.com
PID 4708 wrote to memory of 1392	4708	cmd.exe	chcp.com
PID 4708 wrote to memory of 4444	4708	cmd.exe	PING.EXE
PID 4708 wrote to memory of 4444	4708	cmd.exe	PING.EXE
PID 4708 wrote to memory of 4444	4708	cmd.exe	PING.EXE
PID 4708 wrote to memory of 4324	4708	cmd.exe	Client.exe
PID 4708 wrote to memory of 4324	4708	cmd.exe	Client.exe
PID 4708 wrote to memory of 4324	4708	cmd.exe	Client.exe
PID 4324 wrote to memory of 2828	4324	Client.exe	schtasks.exe
PID 4324 wrote to memory of 2828	4324	Client.exe	schtasks.exe
PID 4324 wrote to memory of 2828	4324	Client.exe	schtasks.exe
PID 4324 wrote to memory of 4852	4324	Client.exe	cmd.exe
PID 4324 wrote to memory of 4852	4324	Client.exe	cmd.exe
PID 4324 wrote to memory of 4852	4324	Client.exe	cmd.exe
PID 4852 wrote to memory of 4144	4852	cmd.exe	chcp.com
PID 4852 wrote to memory of 4144	4852	cmd.exe	chcp.com
PID 4852 wrote to memory of 4144	4852	cmd.exe	chcp.com
PID 4852 wrote to memory of 1236	4852	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2772

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ktx4cEBJMm7n.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1588

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1636

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N5K4CQRftxIu.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:3872

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3300

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JFbhTUKXWP0I.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1392

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4444

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ma76S2UHWeCy.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4144

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1236

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0sueYxwubXV8.bat" "
11⤵
PID:4460

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:3636

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3852

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yzTMyqzutIdc.bat" "
13⤵
PID:4512

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:2236

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4112

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HnETchDwAxWa.bat" "
15⤵
PID:4984

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4680

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3976

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4296

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4sr4vhjA3BTR.bat" "
17⤵
PID:100

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:1596

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1480

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:64

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KfoRmonso2gV.bat" "
19⤵
PID:2444

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:4504

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:632

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zNaRMdICbgiN.bat" "
21⤵
PID:1884

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:2520

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2124

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pl2cRedNV0sj.bat" "
23⤵
PID:948

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2128

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:1540

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyHwrcawdCpP.bat" "
25⤵
PID:840

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:4564

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:704

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P4jGxMGT2ETA.bat" "
27⤵
PID:3424

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3288

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2784

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZHxaNKC1AQQq.bat" "
29⤵
PID:2444

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:440

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:2964

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RsZjEGUdGQxV.bat" "
31⤵
PID:2836

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:4152

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:4420

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:692

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:3168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oh7afssz3tYN.bat" "
33⤵
PID:372

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:1376

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:4828

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pNLlUsWFt6qZ.bat" "
35⤵
PID:3800

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:1948

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:3976

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ex9BZ4eXSIgL.bat" "
37⤵
PID:4192

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:3936

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:4296

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:900

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KS4hRv2birMn.bat" "
39⤵
PID:3136

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:632

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:2400

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3172

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JdOuj0RMRW9r.bat" "
41⤵
PID:3408

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:1632

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:1812

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1884

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NKegb2cWMwWi.bat" "
43⤵
PID:60

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:1764

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:4680

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FvGpSyt8Sw2N.bat" "
45⤵
PID:4288

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:4376

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:5004

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:2184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gJi0YyEKMGCk.bat" "
47⤵
PID:3816

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:4808

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:1740

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEwTygWEzAdo.bat" "
49⤵
PID:3644

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:3456

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:1204

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mC6iVqyZW92Y.bat" "
51⤵
PID:2432

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:4700

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:3968

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:3172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQ9lhY5RA9g9.bat" "
53⤵
PID:3408

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:3192

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:2556

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5024

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\37QWZaFb5Z30.bat" "
55⤵
PID:208

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:4424

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:1304

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1092
55⤵
- Program crash
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1724
53⤵
- Program crash
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1092
51⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 1092
49⤵
- Program crash
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 2232
47⤵
- Program crash
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1692
45⤵
- Program crash
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 2220
43⤵
- Program crash
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1724
41⤵
- Program crash
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1688
39⤵
- Program crash
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 2232
37⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 2196
35⤵
- Program crash
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 1672
33⤵
- Program crash
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 1092
31⤵
- Program crash
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 2236
29⤵
- Program crash
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 2232
27⤵
- Program crash
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 1572
25⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1092
23⤵
- Program crash
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 2232
21⤵
- Program crash
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1092
19⤵
- Program crash
PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 1092
17⤵
- Program crash
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 1712
15⤵
- Program crash
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1092
13⤵
- Program crash
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1076
11⤵
- Program crash
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1708
9⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 2196
7⤵
- Program crash
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 2180
5⤵
- Program crash
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 1888
3⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 904 -ip 904
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3056 -ip 3056
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 644 -ip 644
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4324 -ip 4324
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1456 -ip 1456
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4576 -ip 4576
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3032 -ip 3032
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4296 -ip 4296
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 64 -ip 64
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1812 -ip 1812
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4168 -ip 4168
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2224 -ip 2224
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4124 -ip 4124
1⤵
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3960 -ip 3960
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1152 -ip 1152
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 692 -ip 692
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4056 -ip 4056
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1592 -ip 1592
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 900 -ip 900
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3172 -ip 3172
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1884 -ip 1884
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1032 -ip 1032
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3460 -ip 3460
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4816 -ip 4816
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2332 -ip 2332
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1804 -ip 1804
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5024 -ip 5024
1⤵
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0sueYxwubXV8.bat
Filesize
207B

MD5
02c1c940ba18f100989a500e4a179936

SHA1
4eb39ab54c3b930fe35eaf682677895370451122

SHA256
11022913e470e383d0fbe78b88538fcffada60a1833c7cf68af6df9e255f1c58

SHA512
fae27a4f276dbce8c545524376de8320785e8ca799af6ca96ee76f71d68e810b8a017e20e4c58d0af57ee1dae3b3e9d45d7f2d2666202a176193851b8199f850

Download Submit
C:\Users\Admin\AppData\Local\Temp\4sr4vhjA3BTR.bat
Filesize
207B

MD5
97d5e66fe38d080753210c4f372330b7

SHA1
bf3c60fd27e4830a1b6b1da8d5e533bf3f1aeb2f

SHA256
5630c48d7615bb9538c728af4331674e4248d794c08617b3363f9c734ac6b3b2

SHA512
ac5d1d3280cb16040002ecd1c9876e6000527e82acc453d77c3397998ca82bf1246e3fbd6a66d9a41e66eda8f2a6baafe34f17204787555cbffc243580718041

Download Submit
C:\Users\Admin\AppData\Local\Temp\HnETchDwAxWa.bat
Filesize
207B

MD5
f083d44381fdaacee7e85e591031415a

SHA1
bfaa3e67ffe50d5259564431b53587f8a54c6fb4

SHA256
e205473ec6c78eca51b327b612c1c2edcb6cacdd2c8cfaaca99c18e58d5fbefc

SHA512
e5f1758c7d8f795830b5769c647d872b12d6b21002f16c8dec4118de307b8fd0092f3b5e747335f202af600730f779fc3042e8f3a704f88a544186b8d66df34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFbhTUKXWP0I.bat
Filesize
207B

MD5
b04885a7251ad4d6742f1c6c77595704

SHA1
78dff1d0ea067054375a5d6f539e940d90e5ccfd

SHA256
a6229d1ed085036e9a68b00e70a42173d89fc0b831a2a280713f15a3c61a1061

SHA512
17d634835515f55baf03b8895f882418f1176d1704696284e77a46f0258ccda7896063050909dc45ed625f1da2bd218a8b3c83d0b2dcba4b654b0274397a1a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\JdOuj0RMRW9r.bat
Filesize
207B

MD5
1852f0278be8ffb0b355398dc65bb079

SHA1
6137f02b43ab1c2779ec0d688959acddbccd5372

SHA256
53a92d1bdcfefdd139e4bf4bbf29129e199467c8f531b081238abc7f4786cbee

SHA512
f98a4f11803f29314de97fed36df519f8a42396f1c740ba0e3e594c4b4e2f8c238d117285a97789f2994549f14d67953159a58653c94e2da97355196aca0f63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KS4hRv2birMn.bat
Filesize
207B

MD5
29b8e93c01aaec7697d9b38363e3efb1

SHA1
80e18dfc82444c6e529226b7faf2dd4f4bec73f7

SHA256
0cc937142a866e02ee357e5aa8fb9d014633f12d3ee27642c85e92a4cab92a03

SHA512
6feac4a23aa450ac54f3fde56baa0281e7924896123726cccc418d3f5685cffb5ad6029e14b1582e1064675da20dfe6a1d3a18df1b3e43ce78e933ea720d5fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KfoRmonso2gV.bat
Filesize
207B

MD5
3592d10a699d469f0195e60bf70b5fc5

SHA1
3bc38f5b9c01742050ac9e4caebc764a63455116

SHA256
010cf4fcec0080be609262c36e6588740f58454147bc0290717cf04ac8cc3c05

SHA512
33b345034f2c10935269d9e688d40026f3260c9385cd5a02b257b6e1b2f003a4e0fd8827c00ce48ac314ddc67513d146186b5d8cce08a0d9ddc0d82e665a1741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ktx4cEBJMm7n.bat
Filesize
207B

MD5
0ee75920959cff50993a88f2c96fcb42

SHA1
a26f4b2e29a6312855d272a710052d5095487b80

SHA256
f2b8767642d9b591f27f4ea6d79e806bdba638178cbd443ceeac1e7bee1f5cd2

SHA512
862ec32b5a9a04825e8fc52da5c8348cecde513b06af2f2bb1e1d4a54cd2ea898046e41ec1d6f1beef6be8eb6a1e3e7377daf8d5dd336639de897af76c665915

Download Submit
C:\Users\Admin\AppData\Local\Temp\N5K4CQRftxIu.bat
Filesize
207B

MD5
d1c2fb24fceab6b4416b3f06867b5e24

SHA1
b1b6dd292720a3759a46fded395fd9e841428bc6

SHA256
f0712dffa8ea962db1832a0d6503fcb5e992d7b7b888ba664c74796bc8567a5f

SHA512
11c1ad2765df8bd26b3237f155fb759e32e1bc03d71feac86a8e07baf58e836dedc13a2492881360d7562265314dec054c242998a8b59f01e6a01adba041ccfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NKegb2cWMwWi.bat
Filesize
207B

MD5
939a0d5c945d5214e7ea95ce7a18556e

SHA1
a276d7e87f5cf770772441db1098282a4abd2b64

SHA256
c15dce6fb6f73f6585de8aca544af7d5d082f42de10aef39558dada5a044333e

SHA512
bf23019a36619ffe49ac760aad28bcefaac770679df3a798abe2eb7b412d2d2f2236b5d5bfd9ce7ed67caaed8af28df2fc3e9e9aa97e87071e718188c87e84ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\P4jGxMGT2ETA.bat
Filesize
207B

MD5
0af224160da4ee329aa06099c4bea287

SHA1
4e23173ade2cdc25fed716cf1c62d38493a4b47f

SHA256
c56f3fef1cd37f6ab3909e8ef0293f55c3a9a365ea7e68d82b52cbdfe3881015

SHA512
888df56fae448c6d021c32f6796d6859b7efb18b1b38c918ea36e9370a97e83444353a16f6facd2f1e8b621f94712aba0932a4d29143215b03fedb6777a87786

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pl2cRedNV0sj.bat
Filesize
207B

MD5
be385a7bd129b9113d74fc5747a0ef2c

SHA1
3dc4fe0a501f51e539afe67acba38d3f630ae483

SHA256
1f7e9a4fb3d33247aadfdedfc5db48a3c215ac3138c04f130958a10249ced044

SHA512
412ffe57d0dfc0a41b5307c7f8a6e4c7cebfc6ccb5ab731d9aba8edf5b06af898159c95fc1bf2607fb795555f7fe460c6e60c8e2b6e8fde60ffcf2f7b1e76a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RsZjEGUdGQxV.bat
Filesize
207B

MD5
4bc9f6e20e3d01b81f45f99cdb84a36b

SHA1
0c48c05892647500f3cd84558040892a1b95cdb0

SHA256
4b8a3d1447cbec75cba4394008d570f7faf2c5a9b882345a0d13f373f609ac8a

SHA512
20a79d7d66fe4a0dd314e061988a2cf323724be537d2bd0d13d4d285386152fc7f8f57ec4ee6c7cfde8db42280bf4cccdeb683d66d51dd40deb13b6f94dd25a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZHxaNKC1AQQq.bat
Filesize
207B

MD5
4c54e4a1305c4f2d8dd897f43f360012

SHA1
8b514863e091456726cccad2b3c5dba89e254d2c

SHA256
60c50f1e583d0ab8575dffda5df5c7258e91bacb69756c78b981bb8283b9583d

SHA512
ab2fb7e0fda0aacc14950cb9cb893067c3296df345de3a7213e3bfb84419ddb0b93d6f72c647777b59476b21209865499f09ff6bd10ea926c223dc901db77c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZyHwrcawdCpP.bat
Filesize
207B

MD5
7a9a46c6d95431adfbaa1c1792149722

SHA1
527518592334b78046f4503fe5ca2b3897650126

SHA256
e09ea91d76d7dff8672eb9144579840a9c4e37c489716bc1f923abe3745ae7f7

SHA512
beb4a1a458bb4b8e6dbcc46109a8e00c920a6f4082b54377e8647ce878476e58eb2091b6d0675fba96c4ad70d4cb1de975767f49e0d23eeb80fe282b2797dda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ex9BZ4eXSIgL.bat
Filesize
207B

MD5
4c34a44dd75f853b50a88bfa2c127be9

SHA1
c6f85513b7e8ee1b723b683d331b50b2c7ec25d0

SHA256
2a1308b9a8dcceef48b1493dbc346475b54b3e53d8494b770bb7288452576679

SHA512
d8fa7460368c1dfd7c1c5b65c1ca205b25a6f9f2c1b3126dcc8e1fba2b52e7069a91a7d0a3f24c425e964f7a3d3a5aedf01a02db140ec8afa343aa13fe3fc9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ma76S2UHWeCy.bat
Filesize
207B

MD5
60793885a0998facb858db9822ce13fd

SHA1
39ea5251f07e8fbc5aabc36aa58186fb6593e7c0

SHA256
39652dbdf7e3ed8e9c58b78f836ed2c4459290cbe73e5413b35a66e5fc3f7c4e

SHA512
a5d95c33ed48fe33c7681cee6067e21fc8573f74f8a742539770ad90b3ecef1fcc7ed5d5160cc639a3555be123da43f57d8f410b7c5fd0fc4efda4210b490de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\oh7afssz3tYN.bat
Filesize
207B

MD5
bb7501100b813b74707497215d44e64f

SHA1
3ee34019342ca509b2b132def93874342b0b470a

SHA256
b1b71aa10c552c82a4960333645c4154c2f03d6dbc49218022f18e1a850e6301

SHA512
9602bf098741457dfcc083c052ddabdb775d7bfaaca089e70c8dfa6e30b02b29c139d8392bbc9fe274337e81117e519d31d685e91d75ce262e0d7e728271b8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\pNLlUsWFt6qZ.bat
Filesize
207B

MD5
a195e280db4709083c7b9d2723e33d9f

SHA1
8e75d7209108658546dcd55793450c190ae638ab

SHA256
b2038af0ca35dcd5a44692f6866e7156e61fa2503044df51793672091ac46d8d

SHA512
bf8d76eec6141ffaf1e102f7da59da77835df0ae0c901fdce651255eb6257a5535a2f42c7bb2408dc1f1d8b12f39f69ef3c519aa6379bdef3428d50adbee5436

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzTMyqzutIdc.bat
Filesize
207B

MD5
c845d611c4ba82b8ece0cb6f0f5898e6

SHA1
e3f684ea24ff456a82336f96de00f87b46d60298

SHA256
54c2057b04c1d0dd683d0b182ca24e1ce2cf9433c49b6fd5e1956688ff6a6f1d

SHA512
b21f9588480c1ca9e4e10a16a1b35924edd0a3a1bd320847ef7274a51db777f37243f53d3e396bc90ac44fd814835b23a8a58700e80d96f5bcd21c9c414c870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zNaRMdICbgiN.bat
Filesize
207B

MD5
363e776f5b1e64927698b152b65fffbc

SHA1
f1e64b580b48b1702f751645102dfa7127c618fb

SHA256
bbc63bd5de95f255ea51e62070695562675fb7e1f3af176004f15cb1fc4d2c32

SHA512
8396ccd7262af39d9e6d2430ca9f01f4ab41d05c0923c6a92156199f9eab522e57cc00ce114da0b891f95cf6f9fa8e9ef18da7b530775dd1e756cd7faf13d16e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
13ae35fc441cc1a48baf82d5a6c54bd7

SHA1
2b6e57a7442221cb1f4c6c2d1347bbd54d6577ad

SHA256
ad78117547e9804f11c8cacc7756525118cdeb285a01ee7c108ee6a679824d79

SHA512
a7a6b58c2e08b7d4862188c83ae8ab03731116eeea2fc80aea24821ca125a113fdbd64f48345d32e3fc238f265119249e97a6967d157214364697c2983415952

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
1be1808af12f2e0eccf0a423e04aa1c5

SHA1
f058f58d949c5f3c4994b5c68ea46fe1e7151ab0

SHA256
85f896d30386c40a524a04a1754edf8f9e179d00313850843891cd6a9cdb4c12

SHA512
6a65b365ceb78691efe8d37ea6d873853a403dc02ffd4e37593774c4b3d3cc7d179e4f6ce5b77497feb009deaffb0b6e0947e4fd09d2a53a4d7479048f30b762

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
0266f8a6bc97960b087d43e1540ab1fc

SHA1
8fa56cc85d78f53576457ba9bca0946f27cb55e8

SHA256
c9d43ddcb4edd737adb5129b21edfac8ebefc1b24fe275f121eaea8a2b5f2a47

SHA512
0eaad11a5e88ca122d5944b834f7522711f2523b6a3059955b17d6a559e720ad5bc3c00324376076a0e92f64fb21898be3842dea6196fed452dc52b0ca1c5d79

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
cd077d45632e8fda1855459d2be5cbb3

SHA1
1ae037b956f0960e7bb201720fbf9005a4179f88

SHA256
c62f317adf7f9a10be0795179d7d018c1c7659cdaf5ff3e8fe80ae3fa1ca2734

SHA512
960c347bf1c25e1b833382c08e58707addae0d4f061a59062023a20c701e48e9e70889a906538688bb8dc86d2b74dc4c7dcfba5f1aa3bc1ddbe1e1c9689ead6e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
ec6fdbf78e5171cc9fe5f0cf66841996

SHA1
81c866c901f4ebc3d4530325e855fc8612e305c0

SHA256
f5c9c70d577a8b01a21568feb1fd013c1c98cb9bd49e7fd4b8ae27ed4dd8af88

SHA512
d616f44d7a1920aaa9745de66f4083d31560f4e0d5a06443bdd757b5f02b78b057683b477eb4d0db866e56f6fa35e699ba3fe5a31c9a474bc93ffd5c1350a211

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
ff80959a314f97bdbf95266e711cbafa

SHA1
f1f7db37d4881cb216250f1c687960bae7ebf6c3

SHA256
03c8cf607ffd7becd7e3efa1bb4f4fc352c70f48d42e56b923ff5589aa220e34

SHA512
381215486b79cead3c558e0e9c12f6cf5744267e28cc1b09cf21b99602cda7236d8291b61db6ad43e9b7a5df913286bbf1df140d70f0c19254b00bc63aadc8f1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
6ffce06571e69230afb630559567693d

SHA1
d7a925ffd7dbfcb237e8efb11440b5f41237237a

SHA256
100ed0f0688a4a2a6f5a78cba98a1ac1397d1efee8f0a1193ff3f488c2a1450c

SHA512
898841a3805374611231542f121caec139d152447004e4538de6d1537b6e09243728bb8bbd3bd0de2b091697b633fa4157e064c9c2bed045955977f54fe20930

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
8be4c830662bebb0c82a083e6113c524

SHA1
9d392f000076fe0d68b38857dd331b6405a3de19

SHA256
b36c781f06c3885c1240f83047a3b5b6d39ccd63f12ef72215fa2c8819eb1d63

SHA512
967f580e9e3ebeeb1bdc3660491963c0ccd47b9e225f08072d9b3b5eaafa3869116160c4d52b9c1076a551dc5e20e5591d3584be5049f35a39a13503d38cc90b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/904-14-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/904-24-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/904-19-0x0000000006660000-0x000000000666A000-memory.dmp

Filesize
40KB

Download
memory/904-16-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3940-7-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/3940-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/3940-8-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3940-17-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3940-6-0x00000000062E0000-0x00000000062F2000-memory.dmp

Filesize
72KB

Download
memory/3940-5-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/3940-4-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3940-3-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/3940-2-0x0000000005B30000-0x00000000060D4000-memory.dmp

Filesize
5.6MB

Download
memory/3940-1-0x0000000000B50000-0x0000000000BBC000-memory.dmp

Filesize
432KB

Download