quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
598s
max time network
604s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (11) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral8/memory/336-1-0x0000000000960000-0x00000000009CC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 29 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 30 IoCs

Processes:

pid	process
4388	Client.exe
4348	Client.exe
4552	Client.exe
4800	Client.exe
4284	Client.exe
3468	Client.exe
4364	Client.exe
4544	Client.exe
760	Client.exe
4996	Client.exe
4536	Client.exe
3884	Client.exe
1484	Client.exe
5020	Client.exe
4024	Client.exe
4468	Client.exe
804	Client.exe
4356	Client.exe
4784	Client.exe
556	Client.exe
4576	Client.exe
4788	Client.exe
2044	Client.exe
1888	Client.exe
3104	Client.exe
4176	Client.exe
4252	Client.exe
2904	Client.exe
752	Client.exe
2324	Client.exe

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
57	ip-api.com
60	ip-api.com
62	ip-api.com
15	ip-api.com
24	ip-api.com
35	ip-api.com
48	ip-api.com
55	ip-api.com
64	ip-api.com
17	ip-api.com
27	ip-api.com
30	ip-api.com
53	ip-api.com
2	ip-api.com
42	ip-api.com
44	ip-api.com
37	ip-api.com
50	ip-api.com
8	api.ipify.org
13	ip-api.com
46	ip-api.com
22	ip-api.com
66	ip-api.com
19	ip-api.com
32	ip-api.com
40	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3028	4388	WerFault.exe	Client.exe
1864	4348	WerFault.exe	Client.exe
4544	4552	WerFault.exe	Client.exe
2248	4800	WerFault.exe	Client.exe
4444	4284	WerFault.exe	Client.exe
5056	3468	WerFault.exe	Client.exe
3096	4364	WerFault.exe	Client.exe
4356	4544	WerFault.exe	Client.exe
1264	760	WerFault.exe	Client.exe
3360	4996	WerFault.exe	Client.exe
4556	4536	WerFault.exe	Client.exe
3368	3884	WerFault.exe	Client.exe
1956	1484	WerFault.exe	Client.exe
3120	5020	WerFault.exe	Client.exe
4048	4024	WerFault.exe	Client.exe
2328	4468	WerFault.exe	Client.exe
1000	804	WerFault.exe	Client.exe
4740	4356	WerFault.exe	Client.exe
4908	4784	WerFault.exe	Client.exe
1460	556	WerFault.exe	Client.exe
5048	4576	WerFault.exe	Client.exe
1428	4788	WerFault.exe	Client.exe
4924	2044	WerFault.exe	Client.exe
2924	1888	WerFault.exe	Client.exe
4296	3104	WerFault.exe	Client.exe
3112	4176	WerFault.exe	Client.exe
3076	4252	WerFault.exe	Client.exe
3956	2904	WerFault.exe	Client.exe
2572	752	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 31 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1660	schtasks.exe
4296	schtasks.exe
3360	schtasks.exe
5080	schtasks.exe
4928	schtasks.exe
1512	schtasks.exe
4316	schtasks.exe
1868	schtasks.exe
1428	schtasks.exe
3832	schtasks.exe
3324	schtasks.exe
624	schtasks.exe
4924	schtasks.exe
2896	schtasks.exe
3864	schtasks.exe
3712	schtasks.exe
2916	schtasks.exe
1372	schtasks.exe
3620	schtasks.exe
2640	schtasks.exe
2696	schtasks.exe
920	schtasks.exe
2812	schtasks.exe
3532	schtasks.exe
2728	schtasks.exe
1572	SCHTASKS.exe
2772	schtasks.exe
4328	schtasks.exe
2684	schtasks.exe
4964	schtasks.exe
5020	schtasks.exe

Runs ping.exe 1 TTPs 29 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4724	PING.EXE
2812	PING.EXE
5056	PING.EXE
2168	PING.EXE
4308	PING.EXE
2952	PING.EXE
2888	PING.EXE
4176	PING.EXE
1136	PING.EXE
5092	PING.EXE
2216	PING.EXE
2224	PING.EXE
4844	PING.EXE
1312	PING.EXE
2416	PING.EXE
4580	PING.EXE
3980	PING.EXE
208	PING.EXE
3928	PING.EXE
1872	PING.EXE
2476	PING.EXE
4244	PING.EXE
1260	PING.EXE
4860	PING.EXE
3804	PING.EXE
1524	PING.EXE
4008	PING.EXE
3076	PING.EXE
1700	PING.EXE

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Uni - Copy (11) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	336	Uni - Copy (11) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	4388	Client.exe
Token: SeDebugPrivilege	4348	Client.exe
Token: SeDebugPrivilege	4552	Client.exe
Token: SeDebugPrivilege	4800	Client.exe
Token: SeDebugPrivilege	4284	Client.exe
Token: SeDebugPrivilege	3468	Client.exe
Token: SeDebugPrivilege	4364	Client.exe
Token: SeDebugPrivilege	4544	Client.exe
Token: SeDebugPrivilege	760	Client.exe
Token: SeDebugPrivilege	4996	Client.exe
Token: SeDebugPrivilege	4536	Client.exe
Token: SeDebugPrivilege	3884	Client.exe
Token: SeDebugPrivilege	1484	Client.exe
Token: SeDebugPrivilege	5020	Client.exe
Token: SeDebugPrivilege	4024	Client.exe
Token: SeDebugPrivilege	4468	Client.exe
Token: SeDebugPrivilege	804	Client.exe
Token: SeDebugPrivilege	4356	Client.exe
Token: SeDebugPrivilege	4784	Client.exe
Token: SeDebugPrivilege	556	Client.exe
Token: SeDebugPrivilege	4576	Client.exe
Token: SeDebugPrivilege	4788	Client.exe
Token: SeDebugPrivilege	2044	Client.exe
Token: SeDebugPrivilege	1888	Client.exe
Token: SeDebugPrivilege	3104	Client.exe
Token: SeDebugPrivilege	4176	Client.exe
Token: SeDebugPrivilege	4252	Client.exe
Token: SeDebugPrivilege	2904	Client.exe
Token: SeDebugPrivilege	752	Client.exe
Token: SeDebugPrivilege	2324	Client.exe

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

pid	process
4388	Client.exe
4348	Client.exe
4552	Client.exe
4800	Client.exe
4284	Client.exe
3468	Client.exe
4364	Client.exe
4544	Client.exe
760	Client.exe
4996	Client.exe
4536	Client.exe
3884	Client.exe
1484	Client.exe
5020	Client.exe
4024	Client.exe
4468	Client.exe
804	Client.exe
4356	Client.exe
4784	Client.exe
556	Client.exe
4576	Client.exe
4788	Client.exe
2044	Client.exe
1888	Client.exe
3104	Client.exe
4176	Client.exe
4252	Client.exe
2904	Client.exe
752	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (11) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 336 wrote to memory of 2896	336	Uni - Copy (11) - Copy - Copy - Copy.exe	schtasks.exe
PID 336 wrote to memory of 2896	336	Uni - Copy (11) - Copy - Copy - Copy.exe	schtasks.exe
PID 336 wrote to memory of 2896	336	Uni - Copy (11) - Copy - Copy - Copy.exe	schtasks.exe
PID 336 wrote to memory of 4388	336	Uni - Copy (11) - Copy - Copy - Copy.exe	Client.exe
PID 336 wrote to memory of 4388	336	Uni - Copy (11) - Copy - Copy - Copy.exe	Client.exe
PID 336 wrote to memory of 4388	336	Uni - Copy (11) - Copy - Copy - Copy.exe	Client.exe
PID 336 wrote to memory of 1572	336	Uni - Copy (11) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 336 wrote to memory of 1572	336	Uni - Copy (11) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 336 wrote to memory of 1572	336	Uni - Copy (11) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4388 wrote to memory of 2696	4388	Client.exe	schtasks.exe
PID 4388 wrote to memory of 2696	4388	Client.exe	schtasks.exe
PID 4388 wrote to memory of 2696	4388	Client.exe	schtasks.exe
PID 4388 wrote to memory of 1404	4388	Client.exe	cmd.exe
PID 4388 wrote to memory of 1404	4388	Client.exe	cmd.exe
PID 4388 wrote to memory of 1404	4388	Client.exe	cmd.exe
PID 1404 wrote to memory of 2536	1404	cmd.exe	chcp.com
PID 1404 wrote to memory of 2536	1404	cmd.exe	chcp.com
PID 1404 wrote to memory of 2536	1404	cmd.exe	chcp.com
PID 1404 wrote to memory of 5056	1404	cmd.exe	PING.EXE
PID 1404 wrote to memory of 5056	1404	cmd.exe	PING.EXE
PID 1404 wrote to memory of 5056	1404	cmd.exe	PING.EXE
PID 1404 wrote to memory of 4348	1404	cmd.exe	Client.exe
PID 1404 wrote to memory of 4348	1404	cmd.exe	Client.exe
PID 1404 wrote to memory of 4348	1404	cmd.exe	Client.exe
PID 4348 wrote to memory of 1372	4348	Client.exe	schtasks.exe
PID 4348 wrote to memory of 1372	4348	Client.exe	schtasks.exe
PID 4348 wrote to memory of 1372	4348	Client.exe	schtasks.exe
PID 4348 wrote to memory of 2900	4348	Client.exe	cmd.exe
PID 4348 wrote to memory of 2900	4348	Client.exe	cmd.exe
PID 4348 wrote to memory of 2900	4348	Client.exe	cmd.exe
PID 2900 wrote to memory of 2152	2900	cmd.exe	chcp.com
PID 2900 wrote to memory of 2152	2900	cmd.exe	chcp.com
PID 2900 wrote to memory of 2152	2900	cmd.exe	chcp.com
PID 2900 wrote to memory of 208	2900	cmd.exe	PING.EXE
PID 2900 wrote to memory of 208	2900	cmd.exe	PING.EXE
PID 2900 wrote to memory of 208	2900	cmd.exe	PING.EXE
PID 2900 wrote to memory of 4552	2900	cmd.exe	Client.exe
PID 2900 wrote to memory of 4552	2900	cmd.exe	Client.exe
PID 2900 wrote to memory of 4552	2900	cmd.exe	Client.exe
PID 4552 wrote to memory of 3832	4552	Client.exe	schtasks.exe
PID 4552 wrote to memory of 3832	4552	Client.exe	schtasks.exe
PID 4552 wrote to memory of 3832	4552	Client.exe	schtasks.exe
PID 4552 wrote to memory of 2236	4552	Client.exe	cmd.exe
PID 4552 wrote to memory of 2236	4552	Client.exe	cmd.exe
PID 4552 wrote to memory of 2236	4552	Client.exe	cmd.exe
PID 2236 wrote to memory of 4624	2236	cmd.exe	chcp.com
PID 2236 wrote to memory of 4624	2236	cmd.exe	chcp.com
PID 2236 wrote to memory of 4624	2236	cmd.exe	chcp.com
PID 2236 wrote to memory of 4580	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 4580	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 4580	2236	cmd.exe	PING.EXE
PID 2236 wrote to memory of 4800	2236	cmd.exe	Client.exe
PID 2236 wrote to memory of 4800	2236	cmd.exe	Client.exe
PID 2236 wrote to memory of 4800	2236	cmd.exe	Client.exe
PID 4800 wrote to memory of 2772	4800	Client.exe	schtasks.exe
PID 4800 wrote to memory of 2772	4800	Client.exe	schtasks.exe
PID 4800 wrote to memory of 2772	4800	Client.exe	schtasks.exe
PID 4800 wrote to memory of 2460	4800	Client.exe	cmd.exe
PID 4800 wrote to memory of 2460	4800	Client.exe	cmd.exe
PID 4800 wrote to memory of 2460	4800	Client.exe	cmd.exe
PID 2460 wrote to memory of 2368	2460	cmd.exe	chcp.com
PID 2460 wrote to memory of 2368	2460	cmd.exe	chcp.com
PID 2460 wrote to memory of 2368	2460	cmd.exe	chcp.com
PID 2460 wrote to memory of 2224	2460	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2896

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nG0j0f3YARsq.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2536

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:5056

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSCTNcUDDQlr.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:2152

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:208

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3gCwYI4BmDLl.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4624

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4580

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KUuT98mKyfA4.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2368

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2224

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcF8lkVPvvTk.bat" "
11⤵
PID:1136

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1700

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1524

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3468

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9xlXlIf9uAeR.bat" "
13⤵
PID:1644

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:1464

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2476

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4364

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KgflCpAwsCP6.bat" "
15⤵
PID:4324

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:2044

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4844

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ttt5bn6U0OMm.bat" "
17⤵
PID:4140

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4312

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4244

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:760

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k8ksbGNgACiG.bat" "
19⤵
PID:4384

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:3192

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4176

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jJ35uLmSsrUK.bat" "
21⤵
PID:3736

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:3248

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4724

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iUMIDQBDbVHN.bat" "
23⤵
PID:100

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:1768

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4008

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DOn1rNInib1Y.bat" "
25⤵
PID:3620

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:3860

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1260

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hn3wj8nJ8jro.bat" "
27⤵
PID:2304

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:2004

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2812

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scsVdgWZiTys.bat" "
29⤵
PID:2052

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:4080

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:1136

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4024

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwbBqUW0CuSf.bat" "
31⤵
PID:2536

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:4768

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:5092

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pukQMeyLjtrP.bat" "
33⤵
PID:2456

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:3988

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:1312

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:804

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROsDRkD5Tery.bat" "
35⤵
PID:3472

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:1272

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:2416

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4356

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GyfdWwKN3phj.bat" "
37⤵
PID:4272

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:4816

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:2216

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\33JDpwqbw3dZ.bat" "
39⤵
PID:3532

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:3080

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:2888

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:556

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:4296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqFbg3uJhuqe.bat" "
41⤵
PID:3432

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:4328

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:2168

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:3360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8sxQtbE4f3op.bat" "
43⤵
PID:1488

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:2016

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:3076

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cHEKmMja5Bf5.bat" "
45⤵
PID:1280

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:3320

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:3980

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jzJpQ843XPjr.bat" "
47⤵
PID:2952

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:1112

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:4308

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tCX9q60cfbgX.bat" "
49⤵
PID:2492

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:3900

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:1700

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pox1UmSXGPu6.bat" "
51⤵
PID:2668

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:4868

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:4860

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4176

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zZ25W8q2QFLb.bat" "
53⤵
PID:3432

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:4724

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:3928

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsdOOnSz0xMe.bat" "
55⤵
PID:4576

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:1488

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:3804

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
57⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2tXTpacRTHdv.bat" "
57⤵
PID:3216

C:\Windows\SysWOW64\chcp.com
chcp 65001
58⤵
PID:2240

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:1872

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
58⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:752

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
59⤵
- Creates scheduled task(s)
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKjUoEfkJxep.bat" "
59⤵
PID:1560

C:\Windows\SysWOW64\chcp.com
chcp 65001
60⤵
PID:3452

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
60⤵
- Runs ping.exe
PID:2952

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
60⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1724
59⤵
- Program crash
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 2248
57⤵
- Program crash
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1092
55⤵
- Program crash
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 2196
53⤵
- Program crash
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1704
51⤵
- Program crash
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 2248
49⤵
- Program crash
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 2236
47⤵
- Program crash
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1076
45⤵
- Program crash
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1732
43⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 1708
41⤵
- Program crash
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1096
39⤵
- Program crash
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1096
37⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1708
35⤵
- Program crash
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1716
33⤵
- Program crash
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1092
31⤵
- Program crash
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 2172
29⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 2232
27⤵
- Program crash
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1720
25⤵
- Program crash
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1092
23⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1084
21⤵
- Program crash
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1712
19⤵
- Program crash
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 2248
17⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1708
15⤵
- Program crash
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 2248
13⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1644
11⤵
- Program crash
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1640
9⤵
- Program crash
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 2184
7⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1656
5⤵
- Program crash
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 2200
3⤵
- Program crash
PID:3028

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4388 -ip 4388
1⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4348 -ip 4348
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4552 -ip 4552
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4800 -ip 4800
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4284 -ip 4284
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3468 -ip 3468
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4364 -ip 4364
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4544 -ip 4544
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 760 -ip 760
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4996 -ip 4996
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4536 -ip 4536
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3884 -ip 3884
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1484 -ip 1484
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5020 -ip 5020
1⤵
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4024 -ip 4024
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4468 -ip 4468
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 804 -ip 804
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4356 -ip 4356
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4784 -ip 4784
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 556 -ip 556
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4576 -ip 4576
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4788 -ip 4788
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2044 -ip 2044
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1888 -ip 1888
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3104 -ip 3104
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4176 -ip 4176
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4252 -ip 4252
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2904 -ip 2904
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 752 -ip 752
1⤵
PID:2368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33JDpwqbw3dZ.bat
Filesize
207B

MD5
0efe7d35f83f70876be8681826183eb6

SHA1
178eefad4ec39a3e88b2bffcc5846c7f80291232

SHA256
d25f4bd36e98afb20d5aa51ba9d471becead496042e85bf85acbbfe7da4ca390

SHA512
06bfd5b29e3219d9ba2cf3d5c44e87da500353b7001c4452faf0b64dbd9cf9a059c21bc2503da1447462b99d20575de74891f26e9e202490cf35734bd61dd39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gCwYI4BmDLl.bat
Filesize
207B

MD5
e8092b6c194c7c3c4cb212bc84611787

SHA1
c2fba16cf6c1ef08524c1a3c4355b7ed31706a0d

SHA256
eb3394e91ce073e3eb41127fdc86bfd1612fc868114e09aebc03b27919ccc408

SHA512
2d8f5b787d1f63caa1c9150215312d5cc9fc24383f9f2f607447d59126dfc3343215ce9f800e58c7b6f5f3b13af56bdad2d88debb45bdb67a03c0b6efefd8a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\8sxQtbE4f3op.bat
Filesize
207B

MD5
329065c92f871064da89efc378fee2b6

SHA1
9ead04314d0b82d5ba1db6a6f29d2e5695839ef1

SHA256
1af200a305183b9b023180d524589204fa6bd8a61a8d0f025d5b29e6f020c35d

SHA512
a97701f6126a39f8335b5048bbf398dbe147dca9cd4c5591d168e3787a112f88b534b67a25669504e2d5febf8f07be63ec60fdc51f7737119c37121ab03fbffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9xlXlIf9uAeR.bat
Filesize
207B

MD5
718b5369bf5601fe70ce1ac6ab9a2405

SHA1
d7ad5b8874f0737a7849248e1377a8eb27bf5ab3

SHA256
cde74835d66388f8334b7d5a7765fd931a4747c38f790bea3918238b11388946

SHA512
b93f73c1989d1cd180d4849cf14f8391a9bad0e1e1960e8da4e2151ff7b129a9a541e6d8b9ddc0916c09fe5dc3ab77a99d6bc7d62bd58213a17b8f1b80fe1cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DOn1rNInib1Y.bat
Filesize
207B

MD5
f825fe31d745a063c51303065e2804f6

SHA1
bab9ac29cb6089f59def57ca944d4595956e6298

SHA256
0206f06ce2344c916ab6921effe9d365b9dc67e7c1b7528dec844101b8b3a6c2

SHA512
e0ba5fd93a61530b3d4e9995d449e9c298570bf9ffd36a251b71bea5d58f1029d006b700515ded96f70c097ea90f44ad26782135a0eb52476ecf545dd225cbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\GyfdWwKN3phj.bat
Filesize
207B

MD5
17237905064d3c745c10881c247ceb9e

SHA1
9424593a2fb81dea421d5a96d552949d2a4283a7

SHA256
c10e9942d7c94a82609a8d3ac7bedc82bceb4acc6cf86d9c8dc80c9c00b41086

SHA512
b0ea803fb3922316f054ee64285689061ec922f79e71c44efbef48bb6c60be9204cf6484d29f30d2be366549ebcbe5907806a335aaf49629e26c5a9de217e6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwbBqUW0CuSf.bat
Filesize
207B

MD5
9b4add305190b62866ec55caa1e7d603

SHA1
45cd1c67d81394449dd5d00c817eb0a75ce94202

SHA256
ab1851ce9f71cbca272880eb621e62a50c7ea34fb5e4c8c1f0e530584ece3c98

SHA512
724b04d4131c0fb474463a50b0bd8c4228ed8bdd07a8ba6c8fa706589533fd7a99accfff7c0d3289511c3113431010cc00f8f96d314303286d013eb6b9fea5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JqFbg3uJhuqe.bat
Filesize
207B

MD5
7858e730cc66ae5fb089a7acc7fbbbf1

SHA1
0b7c915b224db9b30a3fa3f6243186b620fa43c8

SHA256
b7750ed678d2bd7db26c94721568f548a4f39aa81d7e1a61c8c971fe98e483bc

SHA512
aafb57725bdb9265428bba9ba4c4288a1c39d1313647e6dfd333a37ccd1d718ed870ee6ad4e0862af14149493779d16b0947e32a36bb4158fffdb0336b8b4392

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUuT98mKyfA4.bat
Filesize
207B

MD5
8c114427e5b16c9afaaf2be3d97b7f3f

SHA1
d4491765c8949385477afccb0cf92e7a35e182a7

SHA256
25f6a53412cc3089729df5b6758594fc64e309d0091fcdebda58ab4446a6efdb

SHA512
682d8f69ad2705dacf8d8d1fd02137a89672046b6b58523fc6a8a07140e3fee73af23c7bbaafcc45f9c1e24014f19cb9cf16a35dbf71e8fb9bcb2cd01ecb5ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgflCpAwsCP6.bat
Filesize
207B

MD5
44f4bc64094ecf5114f6fcd9d870af5f

SHA1
b2e5be8ed75dddbd38c09ff42c1af6dff256f119

SHA256
0f58f20f2bb865b92dcf1119f7a8ad108231d01d210fdfc921b81ec427debdb0

SHA512
37c301ad48f809602c6ebcdd921a1a9f4763427e2c32081230be7c0fee7b6cbe3c53dd4ad4e198f5416e5ba1bd81c3e0e255a0feb95bcc613927a90876d70db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROsDRkD5Tery.bat
Filesize
207B

MD5
1732db9cba1a2a760f55bdd198948017

SHA1
39ed80b883b5ee8207f971087678d238b5c8dfbd

SHA256
7ba74de328bc887b7d702f6063d256333b2b964ffd8c82204b01b0c855d6677f

SHA512
e3670cf041baf7a6cac5e859cae453d8b1113bedb6071aeef514b6da26ce06af87b7c5589e29570eb6151b33dffe80b11a252b060fd37d25fd89e19003be90d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ttt5bn6U0OMm.bat
Filesize
207B

MD5
c073569e501956926edc2986b63e12a7

SHA1
b9d3b05c0583d868d26bf130a7d0b971b55cf608

SHA256
79502ed020d1028bce8db03da429054922221edec524e15ff0b0ae5e616f69d5

SHA512
a52078f42843c225fdb6f757385737780f45029f2393d0e12ceda9e60ab68ed6f6923e537709dc12642783a3cb366704f299c53e65be98a941f0eb2eb2a4fb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcF8lkVPvvTk.bat
Filesize
207B

MD5
d6b3557261c1ce3d3e7b4425f3e8ec12

SHA1
3f3a6164ce58309fe2e88b22132df9954943bcf0

SHA256
11b9d9ea96b7645d2c775e8527c72ab14ba300becf0ea748a585396682214030

SHA512
3fc6d88a4709fc0f310b9805acb575723048a98b660ecde75734b2767745aec662fca07d356a772470ceeacd552cd9d796abb60e3a5c3ec231d6782f49441df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hn3wj8nJ8jro.bat
Filesize
207B

MD5
d0b959b95b0787ec6711b30fe5b88376

SHA1
cd8c1be60731b34c88ed24144953d073ef79fea2

SHA256
a5d401d4e9666822b41b37ce2aa222d24b955aa1ca184f800c4b69734c40e3bb

SHA512
cb68cb765e95cb3eb8bd669aa287782a782ae3f41bd5c31ee687bedea5d2b5b626cc8bd06aff8588e037df3123fe9826db3ea372f72c672b1f0166be41ad1af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUMIDQBDbVHN.bat
Filesize
207B

MD5
e38bd10fef1b5243d2825b1f919ce44b

SHA1
f63427c0edff83296658cf6eddf1f41fce782152

SHA256
34f3ba8cf7c813931035bfc3ef170a1793f5301069944a72656aa8f5b2f3cfa4

SHA512
774af49164b2e7134bc1d347deeb38fbb9a0d119144ca4f434713a8e6a6ce3e4cfea8db6c5496610f5fc41901994964488c95c09615d449668d2113325d181aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jJ35uLmSsrUK.bat
Filesize
207B

MD5
98832cc185801d3ba7fbeaf98a89b972

SHA1
fb1ce59d3d2db15d474831306f7387ad4b42639b

SHA256
eaf5eb73ea1990b790e86f8e6fb5fa653d8e4c5188aac25ab3431ea6a9f244f2

SHA512
4ccb37b55f5fadb6c227a02d493293c155309659e8b2f296d52167fa05c5f8d654b02f2816645a19924c43801c820732de5d4802782e6a1df6cb1cb8d2249813

Download Submit
C:\Users\Admin\AppData\Local\Temp\k8ksbGNgACiG.bat
Filesize
207B

MD5
9331c73d1298fd8491447544a7ba3241

SHA1
97c50e28f76f6de8908804e30cbb839e568f9389

SHA256
3dcd0538ef56d55fe8963773006a13f3f9f499cdb037118c2a3bef2533736766

SHA512
23c393c950a56e4f622ddc6cf8b0d0a5ee5d0267fd29227212b72d49e26af82553c6359a613dc09de40b0bde9b2a40789679501057034d90c799c5f3afa3710c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nG0j0f3YARsq.bat
Filesize
207B

MD5
1735e9d69feec044017cea3982187e2d

SHA1
f1dc6cd98b5525a44b79df1f5c0208280fdd6593

SHA256
0b75affed3433f7806b8b3c7a4e394fd1bbca5d832d91fd1dadee4d1a20dbe71

SHA512
e14847c56f7af002a7383039cad013acc1ead8801dc9e82e10806e80d721397abac06d2f57a0ce2612793dabe74ac25c1f3e2cf133f9faf90413507ccce2a940

Download Submit
C:\Users\Admin\AppData\Local\Temp\pukQMeyLjtrP.bat
Filesize
207B

MD5
2a5e666e498fb26c08980d1bdbc30adb

SHA1
98160bd99e5de98d98d12dc010ffbb11723d8df5

SHA256
f7f231284737f5c74a5657ccbac33c6ff904b6146516698a7af6077d90de1e29

SHA512
a1f786ede89ae5849921384c3f43f6e77b622a8244075bddd9d05168476bdc2d69a289b4e46891655de520e39d70ed989a49e3aae50eb6ed605ebac1762bd95d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scsVdgWZiTys.bat
Filesize
207B

MD5
ed063f38502abfe72281d5034a461cfe

SHA1
ef8faf86f186cd5de769b71f4d107bc7b90ddba9

SHA256
e1a86896a7e1e3c5e1ad46170e28dd540ae3365dd5084f5f00243831496620cd

SHA512
bd2fd41f1d7fa9c06a8260506a5d7e30c429f110e20f40d12db96c887189f1169840d2ee3d7508bba0ce6f537df3515780e66da291ae019549769b64d76c03ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tSCTNcUDDQlr.bat
Filesize
207B

MD5
6ca4dfbaf26c5cfec8f05eecf7e2224b

SHA1
cc03ab55c4fd0b9f4ccf98f6895372bd6161dca9

SHA256
1018b1911f264a3a51930c9501b7ef062e38d2ef57a050418ff73c8f529bd26a

SHA512
60982d741ca116505a911b3d61c7f3c9e8778ddb3def15171a9ec536439d6cf088fffab766b8b8e5f18d5da9b208942f498ad07153df26ec95cd67efa465b3f5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
f6478a7a9a0944a45479b623970e5d87

SHA1
d53f154afe4ec5ce1810892bedb7efee6e20226b

SHA256
401f6205c12e4ec92ee58f2c10fa320e60fcd84fc2ddaec1fb8a7e8e3f2c528f

SHA512
b1e49249dfebebde07f2359caf96a2c2d041f486b5c27f46c3af2f9057f004da32ea3e57e709a116e31346a97bdd868877b0d1240520ee0ff5af147ad1aedd64

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
24445c1e0868943d7a0ed39d6c531b7d

SHA1
63e012bb341bb71a4133fb74133a4faff23115a1

SHA256
44f3d8ffb683f327a92fe595c16ead64346e7b0c3c3f3ebb5e8eb4b6d0ec8a29

SHA512
d87f3626edbf2c4310e32f982d520659c3c8f175c4008a6e093e3e4ae3bf9eab9234be2028f945be3c5b25611f75448b18bf93189c098d725c029a72dbbb3cf8

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
4862545659bc2fa711ffb90978296cb4

SHA1
de358db7eb2bb77566f92721fed3838d573c0d2e

SHA256
ea51272057e34f68a8bb01a0944ba30d819510312fca5cedc58cb77cf88509b0

SHA512
d0d5a2fc9ad2e95c4a30ec10f1ee178ccbc70c6304709fe29d1923f125f92486819c3f2cf25d1f100384330288dd4dcea3baa0323f491b5217561b1332ba64b6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
05ebaab7e7c1b41ee19dcb4b5fc3e8c9

SHA1
4a24d9238a256c76f427561fb4424fca1956b6ed

SHA256
b0e7c2940dcb74b9bb001ab39104f12a1d4461d7b3b766cc9980e16e1889dfcc

SHA512
4a1ec9bd93ec7562bcfb3561003e3ab4a8d5494e3613277f0159779ab579065e090d7508c9c261f85e8ec423b9091ca3727165b544ea3b1b99e22b62224f63da

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
89c72292b3e5370014c999b4a827157d

SHA1
bdcea97e811d3d2ee6556ba5d589f825d8aff06c

SHA256
a0d94e6e67cfbad5465fb41be978bc7b740c976073cda809d51702a51ab71d31

SHA512
fbeb713d82902fc2ace18017d1f6e045defc2647ef8aa048e82ef887f012043b2d37e9c9f9ebfd620cba283d1642170c914563bfa15497d49be4ed57992a4d52

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
79fdbd797117b5d8c8be198385814136

SHA1
cbcf9cf0ee16200e9580a91b3865ea3f2b4f8bd1

SHA256
85c632b1659c90e03f0e0b2354d26f29e409349703e5d12d0081a8b28ac8c613

SHA512
4aadf01e0fb38c8e4fcfb71ecc9b73304a7b42eb73c6e285aec3c244e09c3f99cd83de50b059b77158ee7a862f28155a1cfb7681e48f8366ae11e7eba0ac0c89

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
a15447b4c29e3ecc8551e6f58e4a19bc

SHA1
75dfe6fc8dd3b39a42669c57759788cb8d9c30a3

SHA256
538d4a8b3f5689a1cf936739b3ef47c7a3216d30e5d3120bb05a71199c7f16c2

SHA512
82436f90065093f24c457d827f29fc51a1d2e17623b95a4662e364bfa7a49c88e0ddf0075de3bb8144e1c76ab448b4c849665b95cb4902cfbd9119831eeb2628

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
f6ae2693b187c2bc9702a985f1029239

SHA1
52b1860cd25e3b07922398bb490d01a4af8feae5

SHA256
6f0d0a3e78e412d40ae6e96c9e63441baf08a457ec3024ddf09e573f285fdd83

SHA512
e7c4a811c0e82d5c15535950d12bc92c6d11953dbef2360f3530907215b62f3cec18d42a3a4e404d7dec6719a55592313447f42ebf741c028253596f346b4e75

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
e480dceda255912073911d446f93c4e3

SHA1
bc5b640fe9998ce2163f770106590fbd7ed3de86

SHA256
b0b80d6de43192b9095a5f22beac384be9959e02d1f748dc06366d00c39227d3

SHA512
4ec7f38bb92fa7ddade34975b8b1daf2806bdb87eeb7cac9b8838b16d95b9b6ec04edcbc9c91d47c46a2c5f6a4dad734199082baddcd308d2939f4ce7ccdab2f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-10-2024
Filesize
224B

MD5
283f52d4ac5428415e438beb1108e497

SHA1
22301d2213250d12a663a75dcbd9387d214550d8

SHA256
af075725c2df4b13abbc531f51617e158e7c5f83bb391e67a23229c0375c8b9e

SHA512
f43f3b4a3799ba032d7d67a2df52bf573ae80e914ce7adfd5b97b85f18679f3d1d9aa556c195d4caf499fd458e11bd2156adcfa41a212ecca08ddf8c17b82119

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/336-16-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/336-4-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/336-1-0x0000000000960000-0x00000000009CC000-memory.dmp

Filesize
432KB

Download
memory/336-2-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/336-3-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/336-0-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/336-8-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/336-7-0x000000007487E000-0x000000007487F000-memory.dmp

Filesize
4KB

Download
memory/336-6-0x00000000060E0000-0x00000000060F2000-memory.dmp

Filesize
72KB

Download
memory/336-5-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/4388-19-0x00000000062E0000-0x00000000062EA000-memory.dmp

Filesize
40KB

Download
memory/4388-15-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4388-24-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4388-17-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download