quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
599s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (10) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral6/memory/2516-1-0x0000000000650000-0x00000000006BC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 29 IoCs

Processes:

pid	process
1152	Client.exe
2400	Client.exe
3812	Client.exe
3132	Client.exe
4048	Client.exe
4420	Client.exe
1592	Client.exe
4184	Client.exe
1436	Client.exe
3048	Client.exe
1580	Client.exe
2056	Client.exe
4492	Client.exe
4472	Client.exe
2948	Client.exe
3196	Client.exe
1668	Client.exe
1864	Client.exe
4264	Client.exe
1036	Client.exe
3928	Client.exe
2584	Client.exe
2388	Client.exe
1492	Client.exe
1828	Client.exe
2540	Client.exe
2056	Client.exe
4700	Client.exe
4824	Client.exe

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
30	ip-api.com
50	ip-api.com
62	ip-api.com
20	ip-api.com
37	ip-api.com
58	ip-api.com
3	ip-api.com
39	ip-api.com
46	ip-api.com
16	ip-api.com
25	ip-api.com
33	ip-api.com
55	ip-api.com
66	ip-api.com
11	api.ipify.org
41	ip-api.com
44	ip-api.com
48	ip-api.com
68	ip-api.com
18	ip-api.com
22	ip-api.com
28	ip-api.com
35	ip-api.com
53	ip-api.com
60	ip-api.com
64	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 28 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2388	1152	WerFault.exe	Client.exe
1332	2400	WerFault.exe	Client.exe
2676	3812	WerFault.exe	Client.exe
4756	3132	WerFault.exe	Client.exe
4852	4048	WerFault.exe	Client.exe
4004	4420	WerFault.exe	Client.exe
4580	1592	WerFault.exe	Client.exe
1860	4184	WerFault.exe	Client.exe
2084	1436	WerFault.exe	Client.exe
3884	3048	WerFault.exe	Client.exe
1932	1580	WerFault.exe	Client.exe
3664	2056	WerFault.exe	Client.exe
4144	4492	WerFault.exe	Client.exe
3704	4472	WerFault.exe	Client.exe
1068	2948	WerFault.exe	Client.exe
5096	3196	WerFault.exe	Client.exe
4068	1668	WerFault.exe	Client.exe
4936	1864	WerFault.exe	Client.exe
880	4264	WerFault.exe	Client.exe
3636	1036	WerFault.exe	Client.exe
4008	3928	WerFault.exe	Client.exe
1340	2584	WerFault.exe	Client.exe
2928	2388	WerFault.exe	Client.exe
4972	1492	WerFault.exe	Client.exe
1488	1828	WerFault.exe	Client.exe
4924	2540	WerFault.exe	Client.exe
2604	2056	WerFault.exe	Client.exe
3164	4700	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1120	schtasks.exe
1036	schtasks.exe
2900	schtasks.exe
4680	schtasks.exe
4680	schtasks.exe
3412	schtasks.exe
4912	schtasks.exe
1396	schtasks.exe
2332	schtasks.exe
3552	schtasks.exe
1456	schtasks.exe
3932	schtasks.exe
4704	schtasks.exe
3460	schtasks.exe
5032	schtasks.exe
1456	schtasks.exe
5036	schtasks.exe
5020	schtasks.exe
1808	schtasks.exe
1312	schtasks.exe
3604	schtasks.exe
1112	schtasks.exe
3180	SCHTASKS.exe
4136	schtasks.exe
1608	schtasks.exe
224	schtasks.exe
1192	schtasks.exe
4380	schtasks.exe
948	schtasks.exe
2604	schtasks.exe

Runs ping.exe 1 TTPs 28 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4396	PING.EXE
540	PING.EXE
4376	PING.EXE
4916	PING.EXE
5060	PING.EXE
2776	PING.EXE
4344	PING.EXE
5020	PING.EXE
2428	PING.EXE
4068	PING.EXE
464	PING.EXE
4532	PING.EXE
1520	PING.EXE
4792	PING.EXE
4568	PING.EXE
4720	PING.EXE
2528	PING.EXE
4380	PING.EXE
3272	PING.EXE
4036	PING.EXE
2356	PING.EXE
4740	PING.EXE
3140	PING.EXE
3056	PING.EXE
3528	PING.EXE
3268	PING.EXE
1268	PING.EXE
768	PING.EXE

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

Uni - Copy (10) - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2516	Uni - Copy (10) - Copy.exe
Token: SeDebugPrivilege	1152	Client.exe
Token: SeDebugPrivilege	2400	Client.exe
Token: SeDebugPrivilege	3812	Client.exe
Token: SeDebugPrivilege	3132	Client.exe
Token: SeDebugPrivilege	4048	Client.exe
Token: SeDebugPrivilege	4420	Client.exe
Token: SeDebugPrivilege	1592	Client.exe
Token: SeDebugPrivilege	4184	Client.exe
Token: SeDebugPrivilege	1436	Client.exe
Token: SeDebugPrivilege	3048	Client.exe
Token: SeDebugPrivilege	1580	Client.exe
Token: SeDebugPrivilege	2056	Client.exe
Token: SeDebugPrivilege	4492	Client.exe
Token: SeDebugPrivilege	4472	Client.exe
Token: SeDebugPrivilege	2948	Client.exe
Token: SeDebugPrivilege	3196	Client.exe
Token: SeDebugPrivilege	1668	Client.exe
Token: SeDebugPrivilege	1864	Client.exe
Token: SeDebugPrivilege	4264	Client.exe
Token: SeDebugPrivilege	1036	Client.exe
Token: SeDebugPrivilege	3928	Client.exe
Token: SeDebugPrivilege	2584	Client.exe
Token: SeDebugPrivilege	2388	Client.exe
Token: SeDebugPrivilege	1492	Client.exe
Token: SeDebugPrivilege	1828	Client.exe
Token: SeDebugPrivilege	2540	Client.exe
Token: SeDebugPrivilege	2056	Client.exe
Token: SeDebugPrivilege	4700	Client.exe
Token: SeDebugPrivilege	4824	Client.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

pid	process
1152	Client.exe
2400	Client.exe
3812	Client.exe
3132	Client.exe
4048	Client.exe
4420	Client.exe
1592	Client.exe
4184	Client.exe
1436	Client.exe
3048	Client.exe
1580	Client.exe
2056	Client.exe
4492	Client.exe
4472	Client.exe
2948	Client.exe
3196	Client.exe
1668	Client.exe
1864	Client.exe
4264	Client.exe
1036	Client.exe
3928	Client.exe
2584	Client.exe
2388	Client.exe
1492	Client.exe
1828	Client.exe
2540	Client.exe
2056	Client.exe
4700	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (10) - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2516 wrote to memory of 1456	2516	Uni - Copy (10) - Copy.exe	schtasks.exe
PID 2516 wrote to memory of 1456	2516	Uni - Copy (10) - Copy.exe	schtasks.exe
PID 2516 wrote to memory of 1456	2516	Uni - Copy (10) - Copy.exe	schtasks.exe
PID 2516 wrote to memory of 1152	2516	Uni - Copy (10) - Copy.exe	Client.exe
PID 2516 wrote to memory of 1152	2516	Uni - Copy (10) - Copy.exe	Client.exe
PID 2516 wrote to memory of 1152	2516	Uni - Copy (10) - Copy.exe	Client.exe
PID 2516 wrote to memory of 3180	2516	Uni - Copy (10) - Copy.exe	SCHTASKS.exe
PID 2516 wrote to memory of 3180	2516	Uni - Copy (10) - Copy.exe	SCHTASKS.exe
PID 2516 wrote to memory of 3180	2516	Uni - Copy (10) - Copy.exe	SCHTASKS.exe
PID 1152 wrote to memory of 4136	1152	Client.exe	schtasks.exe
PID 1152 wrote to memory of 4136	1152	Client.exe	schtasks.exe
PID 1152 wrote to memory of 4136	1152	Client.exe	schtasks.exe
PID 1152 wrote to memory of 2428	1152	Client.exe	cmd.exe
PID 1152 wrote to memory of 2428	1152	Client.exe	cmd.exe
PID 1152 wrote to memory of 2428	1152	Client.exe	cmd.exe
PID 2428 wrote to memory of 3960	2428	cmd.exe	chcp.com
PID 2428 wrote to memory of 3960	2428	cmd.exe	chcp.com
PID 2428 wrote to memory of 3960	2428	cmd.exe	chcp.com
PID 2428 wrote to memory of 2776	2428	cmd.exe	PING.EXE
PID 2428 wrote to memory of 2776	2428	cmd.exe	PING.EXE
PID 2428 wrote to memory of 2776	2428	cmd.exe	PING.EXE
PID 2428 wrote to memory of 2400	2428	cmd.exe	Client.exe
PID 2428 wrote to memory of 2400	2428	cmd.exe	Client.exe
PID 2428 wrote to memory of 2400	2428	cmd.exe	Client.exe
PID 2400 wrote to memory of 5036	2400	Client.exe	schtasks.exe
PID 2400 wrote to memory of 5036	2400	Client.exe	schtasks.exe
PID 2400 wrote to memory of 5036	2400	Client.exe	schtasks.exe
PID 2400 wrote to memory of 5020	2400	Client.exe	cmd.exe
PID 2400 wrote to memory of 5020	2400	Client.exe	cmd.exe
PID 2400 wrote to memory of 5020	2400	Client.exe	cmd.exe
PID 5020 wrote to memory of 4056	5020	cmd.exe	chcp.com
PID 5020 wrote to memory of 4056	5020	cmd.exe	chcp.com
PID 5020 wrote to memory of 4056	5020	cmd.exe	chcp.com
PID 5020 wrote to memory of 4344	5020	cmd.exe	PING.EXE
PID 5020 wrote to memory of 4344	5020	cmd.exe	PING.EXE
PID 5020 wrote to memory of 4344	5020	cmd.exe	PING.EXE
PID 5020 wrote to memory of 3812	5020	cmd.exe	Client.exe
PID 5020 wrote to memory of 3812	5020	cmd.exe	Client.exe
PID 5020 wrote to memory of 3812	5020	cmd.exe	Client.exe
PID 3812 wrote to memory of 1120	3812	Client.exe	schtasks.exe
PID 3812 wrote to memory of 1120	3812	Client.exe	schtasks.exe
PID 3812 wrote to memory of 1120	3812	Client.exe	schtasks.exe
PID 3812 wrote to memory of 5060	3812	Client.exe	cmd.exe
PID 3812 wrote to memory of 5060	3812	Client.exe	cmd.exe
PID 3812 wrote to memory of 5060	3812	Client.exe	cmd.exe
PID 5060 wrote to memory of 4476	5060	cmd.exe	chcp.com
PID 5060 wrote to memory of 4476	5060	cmd.exe	chcp.com
PID 5060 wrote to memory of 4476	5060	cmd.exe	chcp.com
PID 5060 wrote to memory of 4396	5060	cmd.exe	PING.EXE
PID 5060 wrote to memory of 4396	5060	cmd.exe	PING.EXE
PID 5060 wrote to memory of 4396	5060	cmd.exe	PING.EXE
PID 5060 wrote to memory of 3132	5060	cmd.exe	Client.exe
PID 5060 wrote to memory of 3132	5060	cmd.exe	Client.exe
PID 5060 wrote to memory of 3132	5060	cmd.exe	Client.exe
PID 3132 wrote to memory of 1608	3132	Client.exe	schtasks.exe
PID 3132 wrote to memory of 1608	3132	Client.exe	schtasks.exe
PID 3132 wrote to memory of 1608	3132	Client.exe	schtasks.exe
PID 3132 wrote to memory of 1988	3132	Client.exe	cmd.exe
PID 3132 wrote to memory of 1988	3132	Client.exe	cmd.exe
PID 3132 wrote to memory of 1988	3132	Client.exe	cmd.exe
PID 1988 wrote to memory of 2912	1988	cmd.exe	chcp.com
PID 1988 wrote to memory of 2912	1988	cmd.exe	chcp.com
PID 1988 wrote to memory of 2912	1988	cmd.exe	chcp.com
PID 1988 wrote to memory of 3268	1988	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1456

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsUaVSKOMswV.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:3960

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2776

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TZXV6C9yitwb.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4056

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4344

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ptCaGzdV77Mi.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4476

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4396

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xbH5vlxzYMQU.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2912

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3268

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQqwLMLKLp1M.bat" "
11⤵
PID:4780

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4244

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3140

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKGfzKSuSulW.bat" "
13⤵
PID:1196

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4344

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:5020

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cKAkQ7dMuF2o.bat" "
15⤵
PID:516

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:732

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3056

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CK8jj1F2y28S.bat" "
17⤵
PID:1100

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2596

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1268

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1tv8oDNKXEyD.bat" "
19⤵
PID:3356

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:3204

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2428

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dN3wtJb4Hzxm.bat" "
21⤵
PID:3452

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:3560

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4376

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b3TOvZ50bOZ4.bat" "
23⤵
PID:1984

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2316

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4532

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2RvZ0ZRCViiQ.bat" "
25⤵
PID:1524

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2236

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4068

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWY9JZwQOwfH.bat" "
27⤵
PID:4744

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:712

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:540

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sDpvAb7aKN18.bat" "
29⤵
PID:2332

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:2928

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:1520

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loR42XOBPMYo.bat" "
31⤵
PID:4884

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:3064

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:464

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3196

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z6Dd8SqpUGsx.bat" "
33⤵
PID:3672

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:4044

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:4740

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a4SfwjAkplgl.bat" "
35⤵
PID:2060

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:4260

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:5060

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P6AT9GVWnuew.bat" "
37⤵
PID:776

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:1152

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:4380

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUceEHqhiEoI.bat" "
39⤵
PID:3400

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:592

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:3272

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uBtQ5J1rdeBA.bat" "
41⤵
PID:2676

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:4760

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:4792

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hGX0PIW5Ws71.bat" "
43⤵
PID:4304

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:4316

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:4916

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9b3POrgpW7Ih.bat" "
45⤵
PID:3432

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:4548

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:4036

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:1312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HJ8u2d1IxLMT.bat" "
47⤵
PID:1344

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:1032

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:2356

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b7t1gUFKE0GR.bat" "
49⤵
PID:888

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:3592

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:4568

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3SPQg3P4EFS8.bat" "
51⤵
PID:4004

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:4840

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:768

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2540

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EBJf7ZtrBHDn.bat" "
53⤵
PID:3536

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:4324

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:3528

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0CCkXM4JecU5.bat" "
55⤵
PID:4548

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:1736

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:4720

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
57⤵
- Creates scheduled task(s)
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ylgq6aKnLKky.bat" "
57⤵
PID:2204

C:\Windows\SysWOW64\chcp.com
chcp 65001
58⤵
PID:1752

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:2528

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 1700
57⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1708
55⤵
- Program crash
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1092
53⤵
- Program crash
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 2228
51⤵
- Program crash
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 2248
49⤵
- Program crash
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1092
47⤵
- Program crash
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1712
45⤵
- Program crash
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 2248
43⤵
- Program crash
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 2236
41⤵
- Program crash
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1092
39⤵
- Program crash
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1708
37⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 1600
35⤵
- Program crash
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1096
33⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 2232
31⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1720
29⤵
- Program crash
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1720
27⤵
- Program crash
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 2236
25⤵
- Program crash
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 2180
23⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1708
21⤵
- Program crash
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1096
19⤵
- Program crash
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 2224
17⤵
- Program crash
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1708
15⤵
- Program crash
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 2248
13⤵
- Program crash
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1716
11⤵
- Program crash
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 1716
9⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 2196
7⤵
- Program crash
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 2172
5⤵
- Program crash
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 2184
3⤵
- Program crash
PID:2388

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1152 -ip 1152
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2400 -ip 2400
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3812 -ip 3812
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3132 -ip 3132
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4048 -ip 4048
1⤵
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4420 -ip 4420
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1592 -ip 1592
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4184 -ip 4184
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1436 -ip 1436
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3048 -ip 3048
1⤵
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1580 -ip 1580
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2056 -ip 2056
1⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4492 -ip 4492
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4472 -ip 4472
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2948 -ip 2948
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3196 -ip 3196
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1668 -ip 1668
1⤵
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1864 -ip 1864
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4264 -ip 4264
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1036 -ip 1036
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3928 -ip 3928
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2584 -ip 2584
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2388 -ip 2388
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1492 -ip 1492
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1828 -ip 1828
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2540 -ip 2540
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2056 -ip 2056
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4700 -ip 4700
1⤵
PID:5004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1tv8oDNKXEyD.bat
Filesize
207B

MD5
395ab8b3660e322ac5b7b03b6aa19b75

SHA1
dd1166165ea5767fdce61b9d0096410ec3d53326

SHA256
a5fa60617dbcf78dfe4298513e51cc83ae6d2acdd7d850e1cc50a33da6762a67

SHA512
0134561914ca3350c8e985eb46823b2e70f6b67b974a9dd06bea4335de37f71df41042cbcba32b4ef0dc52f6206a206f3eece54c4c8183f62ecbacc551880267

Download Submit
C:\Users\Admin\AppData\Local\Temp\2RvZ0ZRCViiQ.bat
Filesize
207B

MD5
c25941aaca715535c052c9f4ef3c5b67

SHA1
d01c905b389b3380ec5204c06b1bf8aae77c97ed

SHA256
3caf89c9296b332da0ba649c30e1855938d65d699221c6a4ac8cf147d05f4a59

SHA512
d2e477a4afa1d48c6c73f4b18bf21e58e268af0904ccadba7cace66ae68144078a2eb88fd1e377ef5fe522cfbfe65047a605946751e3dd0129ef05999a8b8dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CK8jj1F2y28S.bat
Filesize
207B

MD5
f0210c565ab114792b49f7049838ad31

SHA1
9edb2ecb60803293921a83fe0bf25caa0d27b63d

SHA256
db59b7bb2e463634ff7461e33e0d6321896d362756760decfe7a4047684e31f4

SHA512
f8efeaba030992a8c427dc39a122fcb2966cb4b546cc279d851cb1fa3365e7db1600fc424174755eb45133e06e605d8538b86d3fd56cab5abfae9150ccffcd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQqwLMLKLp1M.bat
Filesize
207B

MD5
c973e4d64532c5055055a8e9e934d317

SHA1
84614ce98661d8cfc468c2f3bd8969056f773d86

SHA256
5be1bfa88ab081d054a8fcb4056fa48f5b8011b8231b5cf8ddb0dfa6489350ea

SHA512
3d4c45e05ff0ed670ed635580a4d567b1814d7e622d1de5fa87f363aa659297ab96e3709928453d020e08c0ceebd6dac3ce3089e9d6729534aa72952eb545d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\P6AT9GVWnuew.bat
Filesize
207B

MD5
3b02be991315df87cf3a224f1a4b39b1

SHA1
ce47ce55622c7485bfef09c5f72d8ee219ebeb94

SHA256
5b16f356e8e4427245e7ded3bdc16e00dcb4830d2fd0ab89f549ac2697a8abb0

SHA512
d9f64f3a16c5a000b9ccbc2cd63a39621138e50e0cd06a5034f56cb149d938d5b3a9a3cfe234e84d47d41d489547f8ec38c0cd22aa33f0215c129cd4d8d1ec69

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsUaVSKOMswV.bat
Filesize
207B

MD5
601d15851805267dfe3e316fd45e886f

SHA1
d8be1e5e29b50bfe7a3d0a7b3899c184e999cdd3

SHA256
7f5983efb062bbc9892b79c82b53b299d90b79165ce43757721b8d0212ab144c

SHA512
47e357bd6a0a36f51ce2ffa31e6ba7ba147368b8f356387751c9bdb005af1672dd4db91fbe1af3f67c4bf3b36bdf4c562eb025b3edb85db5f9f8e9adb1869c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZXV6C9yitwb.bat
Filesize
207B

MD5
88925355c7d0214eeb07660593574911

SHA1
3d337d375373b1d78a458760a24e7030d1715c71

SHA256
25a61323d88f14a7f25725238c80d497db7130f78cfab3b27040d99be6890e98

SHA512
8fa412e3b719ad41ec90674f57b41971480b358ef54d2e5979ccbb8f84add07a0eb422b73a360f44246d1b4959eafa7eb5612804fc638337d23681fae82ec1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4SfwjAkplgl.bat
Filesize
207B

MD5
709b5e80548f5678efbb6b407c22c62a

SHA1
da4880b867d91e3b8a6e76a6c64a20bd04d98682

SHA256
161d20e4683fd3aabdea82330f7df57f3c3d6ec87800489a9d3eeb57f9b263df

SHA512
39e73cddddc545ba6802132680021aff957de59b3011837f26810e754b9a1a64e87b14f37178201d20494234998c8760be0cfe8cf1e827ee6b0b6cb688958102

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3TOvZ50bOZ4.bat
Filesize
207B

MD5
70b6bb9e7110bc5b83e7cd76ee211ee6

SHA1
ec5d59fb5ca06a9468d2918a7c967a4dfd724d3c

SHA256
79fb9293a8fafb38bae78ad8749f02ccedbda3161a88bd9f1b5fceba25931c0c

SHA512
e99134c0e592c2aee127f430bd373afb7143a172d217ec9998253eb5aa4ac8b584e66b002cde958afbad402d473ba454413a999f0c22c8ecfcba0002ab7c4dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cKAkQ7dMuF2o.bat
Filesize
207B

MD5
e619addbe730adf36f2fb92aa3eb1452

SHA1
46b1b85e21a4034323ce7c6497baf5a349bcd73b

SHA256
faab1cbc68380ee3d6f2113a164280f3d00c28921d74b96ecc6d654793b23bea

SHA512
510ed2b293c03032580965abed9f70a348bd21d173bbc0f7b55fa02b339b7f741294da2b04330c7d24c547f9ffbf348e3375a8dead59c67f98d7fb3214daa12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dN3wtJb4Hzxm.bat
Filesize
207B

MD5
5f42676366615c3843357586a10e98e2

SHA1
eccf88a7e1f40588f191db50d7e85d190ef24175

SHA256
74a294c26278e34a3f12f82ae0cc87ffd5fe4a485dec644a57fbded777c6e44c

SHA512
b14da892542a0ae044ec073b3c79022aa5e628f5b6087b9982a245caaba3aca5f4fa1abc749113feab2975177e27452aa43e4b67505f0d882c9543fec4e25f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGX0PIW5Ws71.bat
Filesize
207B

MD5
85f85d655901f01c056c41e6910bc9f0

SHA1
b49f0fdaaa48ec1ade87b4d0c97478f581d93b8a

SHA256
7c57d99c19f111254e536befd12305700d6e3e01c8b60f41c427eceabfea0621

SHA512
28f571939ad9c7e971183fe8e8e5d3fdb44f60950aecd340263bc3f36c29217349c25452246d619e62dfc6c02e0031b3c32da9608c7049bec886a22dd9e30534

Download Submit
C:\Users\Admin\AppData\Local\Temp\loR42XOBPMYo.bat
Filesize
207B

MD5
4d114dc8343897f49af632e84e6dbc8b

SHA1
88cad694a2e4ad2187ad8a4952a4053af8608b2e

SHA256
26ff7f92d385f307eb1e10424bde2ee4423cdeef29cd07d2439bfcbe9730c7f0

SHA512
f735b30fb4d69fa65d8363f2e0012881f67c39c45f09c82ba22eee9b3e43d227f2ba62d5982045cb809b0aa3e2930d9ee4fbc1130cdfddbad770fe35754e569e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oWY9JZwQOwfH.bat
Filesize
207B

MD5
5b2534be8730fe5921265f3465e13cee

SHA1
7eafc6b9ca3c37beb092e196e3ff7cbaada9a4d5

SHA256
363118a5412b65e82161e8d262346fafd6be1f9d5bbf0f9acd1b3413d43756ba

SHA512
9a3624c0084909e68ee26d317979194a4b8cdd572510592567abcddbac8f01107326935a0145e493f87ca2961e28583812aa84aedb9a91a5b5206eeba339eb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptCaGzdV77Mi.bat
Filesize
207B

MD5
c20de08cd3ef585500d7406f451eb470

SHA1
6982438ea783c79481a753aef322d48a7c5f1236

SHA256
83fd00c8d1f4153c7ae9214211edc59e78faff78bfff6509b07e73de67ad5b7f

SHA512
b17dc68d47a8009387f52423ea3dc6a7252cc8d366966b0adf081a0c7d2b469146bf691fcb4f00fbea644be7655cdcf2c3952cc79d5d331a7f728c4e09bfbfbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKGfzKSuSulW.bat
Filesize
207B

MD5
f1d6cd9d0118f2893cc0aeaf38bdf2d2

SHA1
0c83674b5b24ffcdbf1a9ff8c4faac359022986f

SHA256
cf71d60f654dcccfbaa9b9f0e886eef28a3bbb7499ad8104f3d274b6cc668b67

SHA512
b4c745633dcdd20655b45796fd573405c2626db0519760a6a9611ae831c027ac0c785a0f953c4a87b36c6828de025bfe221ababf0a3a688cf74242ac22ad9e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUceEHqhiEoI.bat
Filesize
207B

MD5
dc8b2704c2002e1d9db120d0bc406f13

SHA1
5d3025e2cf0d770e5432458422edeb4f6d2b5f48

SHA256
db2a5e9d2dd6986739da8ea7ceceb715363e977d63e47086c80d5e88f71c6503

SHA512
72de84b4b506d9a96e497ed47d5ca1f057a36ee002d9405b4cfd2e97e77722a9a1c4e8a9c214011e7dbb16ba808a6531ba27b45bd8bee2008f60e941352c21d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sDpvAb7aKN18.bat
Filesize
207B

MD5
ea0d848dad4f5a128cdea47a0251ada5

SHA1
821f28d69c69f33beba45b3529675c92646e3656

SHA256
88ccb46dcc7fe02a58a78493379858bba225e51bf78c67946e7db5cbe135a3a5

SHA512
f16bd780fef6669ac8611a0eda37f55dd2d243904f3d265e13e8502eaa94d5feb43242cd23e1f24130cf0f78f928d12e7185590f5adf0b28ce220138a2e9e5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbH5vlxzYMQU.bat
Filesize
207B

MD5
73141d34be2d0d54e21a208b4d15fcbe

SHA1
4c50b7b12f909792c996371425cbd68badab0c07

SHA256
33e0f29ba774db40b2a1c57333ef6f5daca1c937994a109a206ddc19525dbbf8

SHA512
2bea8cee26d2575b7f16ee575fc8c926ac9b8dc24259d22ecb1f7ec7d6bc6ffc754f6c2d8c42494fe969229dea42450e43e402204d631f6d026e17fc9d32c113

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6Dd8SqpUGsx.bat
Filesize
207B

MD5
b86ca15b8199fcef44d6e7b79906240c

SHA1
70bf62f9fa93699424000d197e5c2ad245047f6b

SHA256
45bc17cf770124829ae0ae092baf50c914942a61929434bd75af32716bff7516

SHA512
62d25f0faca0fb93320c30581e64fff47772edac6ccd937d0da9e694674c5e902d1ebe6ff81172809e0448e546aef714f2a6346b68bfef5d06da23ca40ca531b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
bde6e7d68ea39646c693cf28ce1747f6

SHA1
bd589d851444c1846dda3a65876e8d1d28b91ea5

SHA256
c0ce602a3356d446d1174b0b0df5a8f682359488bf460a4ad5c9281514db0a21

SHA512
2dbd0adaddec812ea2c363f27973419e9c0f40b4a47d922ad8d3e405e088a901eb50b6c225c34b7ca7637e1896923db0b85491da2ca996d21ef67cc12ff82b05

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
8b61194256050cb791df7c81b47ec121

SHA1
ecdd0adef74810f2becd70d34ae41d2eb0c10387

SHA256
4a2d716398ec9ad3b371e13c4cb0a250e55625a594ff0a414023f66d7e952d04

SHA512
13a2194789f54c8bfa7e68fffbb82664320d66463146706bb458eeacd563d742b258a05d44334266c1bd14526460e36c6ec0dddfa8acba1a728361fbdefdae0b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
235796324fe7aba9507b44abe2c53aae

SHA1
0d039659a5f0a0f286a234ce189b17d57f30e98c

SHA256
5cf97a8116a2db0bd7c404793966d4a8966cd076f107f293b56d8154da83e668

SHA512
7154fd0c60ea5ccb9521bf4678b224c8e914a70a18925da33accd56669a7d0fc245790260abe68312d5853d96f7aa640a986c3eeda5ee065805dd80a370bb145

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
4d48269df3c748e4592b1657ac228ff2

SHA1
2188f69b2208249232811dbdfd36da824bf73260

SHA256
1b003592021a9c56b96d6393ecb434eda8103757c0927c8c78de3b07d0571f06

SHA512
52db7f13a6879dab0e009126b2ba5a08cc219e4cb9e013d375b9a5126fa42836c5490b5f3fb3c8723988d3bea1522ed82cea23f8b2b4a35ce6f74dcd43def1c0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
9e8e98c10e54c894d1ae6d2ebeb60c7e

SHA1
e4066fff0c4bb4e3b1cb7346373662f6a024cf49

SHA256
806ad9eec8e8fdbdb52a6a83922e09b50adf6a8a74e4fd1e26e320359d8b51c0

SHA512
deceafd6b455fbe297ac097115b1189e316ede382249709786eceda5b11ca2755ac09faa71a6dfe924f254845dab53bce94bf4597032e3e2a1f883400a61fbc3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
0ff5b51280c19a66501f35c8e08b7d99

SHA1
6ec0e425f7c409f28ef36bd4c1d24745e217c252

SHA256
25d307b59ae7e9b08b3e88f06ca2fd6b54bd576b7afd718d521a6deb8fc511dc

SHA512
2861b10b63305aebbbf453c99a9ef7b55edc772e3232d3bc7766092c17183027989550a7b07aeefa4d7234688c5cdc0e665888f33d51a0d030593f74b5a76cda

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
37177bc9fa11c8fe06c06d4977addf31

SHA1
5fbd4d981c10009b7805392939fb9d551a6e80ee

SHA256
123f9f6e1f102757e782f5cce1586dc6206750f2c8cfff462dd8e7855ac3b05d

SHA512
9356e2f2d25a186da1ea4d93016b75036b9c988bd5a3c17abef7e5b7f511936cd2e731c33ce5275b52f8f1cb07d2d85481b2fc6686b440dd28748db05433ba80

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
f580d9c43ff6df8c22ec05f2f7f8f35a

SHA1
370b00f413f37c3533c816535ff7346077d01546

SHA256
3028a600640ef1a888c0eeb9767fff5d9363b7f25683faf533adb7fcaa97bad0

SHA512
023d5964375cfd3ccd873a7808ad06ed8ee0b1ec0f4d22c3cf908cacb4165447f560ea976ff395145b1a0ab0dff24d972a4515081e38a77352078b29ca932763

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
02956c9eec9795cc2a8e6fb75e07652b

SHA1
ebd3bf67eb95dd3c70cdd216eda1eb77adedbfc3

SHA256
9ef0154f49eb0d89b562d99991be4630bae92982adf5eb1f41e826e4de9acf3e

SHA512
227511f0416497d59c92bc810c1d712126ea3aedda0072a853a33a904d7a487493cf88cc74fd97764d2de821e2b47c456ec153bcf879bd91cf299b3765b606e7

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1152-15-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1152-19-0x0000000006820000-0x000000000682A000-memory.dmp

Filesize
40KB

Download
memory/1152-17-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/1152-24-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2516-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/2516-16-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2516-8-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2516-7-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/2516-6-0x0000000005D90000-0x0000000005DA2000-memory.dmp

Filesize
72KB

Download
memory/2516-5-0x0000000005080000-0x00000000050E6000-memory.dmp

Filesize
408KB

Download
memory/2516-4-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2516-3-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/2516-2-0x0000000005580000-0x0000000005B24000-memory.dmp

Filesize
5.6MB

Download
memory/2516-1-0x0000000000650000-0x00000000006BC000-memory.dmp

Filesize
432KB

Download