Analysis

  • max time kernel
    600s
  • max time network
    613s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-06-2024 07:35

General

  • Target

    uni/Uni - Copy (100) - Copy - Copy - Copy.exe

  • Size

    409KB

  • MD5

    b70fdac25a99501e3cae11f1b775249e

  • SHA1

    3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

  • SHA256

    51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

  • SHA512

    43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

  • SSDEEP

    12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes
  • encryption_key

    Lme7VBS3l58VwLM69PNM

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SeroXen

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 27 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 28 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 26 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 27 IoCs
  • Creates scheduled task(s) 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:656
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3380
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d0OfDxCtX5DJ.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4776
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:672
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:5028
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2764
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Creates scheduled task(s)
              PID:4100
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Wblxpb7v3gMC.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:684
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                6⤵
                  PID:1848
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:4280
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2860
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Creates scheduled task(s)
                    PID:3924
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N8dboL4mimEI.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:964
                    • C:\Windows\SysWOW64\chcp.com
                      chcp 65001
                      8⤵
                        PID:3956
                      • C:\Windows\SysWOW64\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • Runs ping.exe
                        PID:5036
                      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:3808
                        • C:\Windows\SysWOW64\schtasks.exe
                          "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          9⤵
                          • Creates scheduled task(s)
                          PID:5084
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ik2TT1VhKaSr.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3564
                          • C:\Windows\SysWOW64\chcp.com
                            chcp 65001
                            10⤵
                              PID:4004
                            • C:\Windows\SysWOW64\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • Runs ping.exe
                              PID:2900
                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              PID:4104
                              • C:\Windows\SysWOW64\schtasks.exe
                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                11⤵
                                • Creates scheduled task(s)
                                PID:3216
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piCizBy2rZrb.bat" "
                                11⤵
                                  PID:2544
                                  • C:\Windows\SysWOW64\chcp.com
                                    chcp 65001
                                    12⤵
                                      PID:4716
                                    • C:\Windows\SysWOW64\PING.EXE
                                      ping -n 10 localhost
                                      12⤵
                                      • Runs ping.exe
                                      PID:1260
                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                      12⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of SetWindowsHookEx
                                      PID:4440
                                      • C:\Windows\SysWOW64\schtasks.exe
                                        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                        13⤵
                                        • Creates scheduled task(s)
                                        PID:1004
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U9Okyp1LhEsU.bat" "
                                        13⤵
                                          PID:2468
                                          • C:\Windows\SysWOW64\chcp.com
                                            chcp 65001
                                            14⤵
                                              PID:2868
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping -n 10 localhost
                                              14⤵
                                              • Runs ping.exe
                                              PID:2688
                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                              14⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1788
                                              • C:\Windows\SysWOW64\schtasks.exe
                                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                15⤵
                                                • Creates scheduled task(s)
                                                PID:932
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VHmABSEeVohs.bat" "
                                                15⤵
                                                  PID:3148
                                                  • C:\Windows\SysWOW64\chcp.com
                                                    chcp 65001
                                                    16⤵
                                                      PID:4900
                                                    • C:\Windows\SysWOW64\PING.EXE
                                                      ping -n 10 localhost
                                                      16⤵
                                                      • Runs ping.exe
                                                      PID:1764
                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                      16⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:2424
                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                        17⤵
                                                        • Creates scheduled task(s)
                                                        PID:4312
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\naNT47qc5Vhw.bat" "
                                                        17⤵
                                                          PID:4356
                                                          • C:\Windows\SysWOW64\chcp.com
                                                            chcp 65001
                                                            18⤵
                                                              PID:3388
                                                            • C:\Windows\SysWOW64\PING.EXE
                                                              ping -n 10 localhost
                                                              18⤵
                                                              • Runs ping.exe
                                                              PID:1184
                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                              18⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Adds Run key to start application
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:1200
                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                19⤵
                                                                • Creates scheduled task(s)
                                                                PID:2132
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UFDhXTAUy4m8.bat" "
                                                                19⤵
                                                                  PID:4916
                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                    chcp 65001
                                                                    20⤵
                                                                      PID:4828
                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                      ping -n 10 localhost
                                                                      20⤵
                                                                      • Runs ping.exe
                                                                      PID:4784
                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                      20⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:3960
                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                        21⤵
                                                                        • Creates scheduled task(s)
                                                                        PID:2828
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9gPiW7Dmnjn1.bat" "
                                                                        21⤵
                                                                          PID:1212
                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                            chcp 65001
                                                                            22⤵
                                                                              PID:4832
                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                              ping -n 10 localhost
                                                                              22⤵
                                                                              • Runs ping.exe
                                                                              PID:1944
                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                              22⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:4788
                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                23⤵
                                                                                • Creates scheduled task(s)
                                                                                PID:4988
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAXVbESWXUna.bat" "
                                                                                23⤵
                                                                                  PID:1908
                                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                                    chcp 65001
                                                                                    24⤵
                                                                                      PID:1948
                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                      ping -n 10 localhost
                                                                                      24⤵
                                                                                      • Runs ping.exe
                                                                                      PID:3772
                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                      24⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:3480
                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                        25⤵
                                                                                        • Creates scheduled task(s)
                                                                                        PID:4688
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5yHdF5fYo9hY.bat" "
                                                                                        25⤵
                                                                                          PID:1404
                                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                                            chcp 65001
                                                                                            26⤵
                                                                                              PID:992
                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                              ping -n 10 localhost
                                                                                              26⤵
                                                                                              • Runs ping.exe
                                                                                              PID:2492
                                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                              26⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:956
                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                27⤵
                                                                                                • Creates scheduled task(s)
                                                                                                PID:1984
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NHsv8lHVOqic.bat" "
                                                                                                27⤵
                                                                                                  PID:1896
                                                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                                                    chcp 65001
                                                                                                    28⤵
                                                                                                      PID:5088
                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                      ping -n 10 localhost
                                                                                                      28⤵
                                                                                                      • Runs ping.exe
                                                                                                      PID:4160
                                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                      28⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                      PID:3916
                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                        29⤵
                                                                                                        • Creates scheduled task(s)
                                                                                                        PID:2024
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aVvyLTON2qMC.bat" "
                                                                                                        29⤵
                                                                                                          PID:4284
                                                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                                                            chcp 65001
                                                                                                            30⤵
                                                                                                              PID:1872
                                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                                              ping -n 10 localhost
                                                                                                              30⤵
                                                                                                              • Runs ping.exe
                                                                                                              PID:3256
                                                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                              30⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:1280
                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                31⤵
                                                                                                                • Creates scheduled task(s)
                                                                                                                PID:3208
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\njy1XCVFhq0m.bat" "
                                                                                                                31⤵
                                                                                                                  PID:4984
                                                                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                                                                    chcp 65001
                                                                                                                    32⤵
                                                                                                                      PID:3892
                                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                                      ping -n 10 localhost
                                                                                                                      32⤵
                                                                                                                      • Runs ping.exe
                                                                                                                      PID:4144
                                                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                      32⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                      PID:1148
                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                        33⤵
                                                                                                                        • Creates scheduled task(s)
                                                                                                                        PID:1212
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcLB876vijgH.bat" "
                                                                                                                        33⤵
                                                                                                                          PID:4676
                                                                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                                                                            chcp 65001
                                                                                                                            34⤵
                                                                                                                              PID:2888
                                                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                                                              ping -n 10 localhost
                                                                                                                              34⤵
                                                                                                                              • Runs ping.exe
                                                                                                                              PID:2104
                                                                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                              34⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:1252
                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                35⤵
                                                                                                                                • Creates scheduled task(s)
                                                                                                                                PID:4432
                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pXZdZpNpLd7M.bat" "
                                                                                                                                35⤵
                                                                                                                                  PID:2508
                                                                                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                                                                                    chcp 65001
                                                                                                                                    36⤵
                                                                                                                                      PID:4220
                                                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                      ping -n 10 localhost
                                                                                                                                      36⤵
                                                                                                                                      • Runs ping.exe
                                                                                                                                      PID:2952
                                                                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                                      36⤵
                                                                                                                                      • Checks computer location settings
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                      PID:4108
                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                        37⤵
                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                        PID:5084
                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qfx4mRa99Cvj.bat" "
                                                                                                                                        37⤵
                                                                                                                                          PID:1640
                                                                                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                                                                                            chcp 65001
                                                                                                                                            38⤵
                                                                                                                                              PID:2172
                                                                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                              ping -n 10 localhost
                                                                                                                                              38⤵
                                                                                                                                              • Runs ping.exe
                                                                                                                                              PID:4188
                                                                                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                                              38⤵
                                                                                                                                              • Checks computer location settings
                                                                                                                                              • Executes dropped EXE
                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                              PID:1988
                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                                39⤵
                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                PID:4724
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N52jRxFy58Tt.bat" "
                                                                                                                                                39⤵
                                                                                                                                                  PID:408
                                                                                                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                    chcp 65001
                                                                                                                                                    40⤵
                                                                                                                                                      PID:3732
                                                                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                      ping -n 10 localhost
                                                                                                                                                      40⤵
                                                                                                                                                      • Runs ping.exe
                                                                                                                                                      PID:3448
                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                                                      40⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                      PID:1164
                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                                        41⤵
                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                        PID:5024
                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmIUIyQ81Zql.bat" "
                                                                                                                                                        41⤵
                                                                                                                                                          PID:3652
                                                                                                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                            chcp 65001
                                                                                                                                                            42⤵
                                                                                                                                                              PID:1824
                                                                                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                              ping -n 10 localhost
                                                                                                                                                              42⤵
                                                                                                                                                              • Runs ping.exe
                                                                                                                                                              PID:416
                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                                                              42⤵
                                                                                                                                                              • Checks computer location settings
                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                              PID:4264
                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                                                43⤵
                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                PID:4336
                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uggduu1p2SVG.bat" "
                                                                                                                                                                43⤵
                                                                                                                                                                  PID:3960
                                                                                                                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                    chcp 65001
                                                                                                                                                                    44⤵
                                                                                                                                                                      PID:5008
                                                                                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                      ping -n 10 localhost
                                                                                                                                                                      44⤵
                                                                                                                                                                      • Runs ping.exe
                                                                                                                                                                      PID:1996
                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                                                                      44⤵
                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                      PID:1948
                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                                                        45⤵
                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                        PID:3428
                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zNwOlwCzyss8.bat" "
                                                                                                                                                                        45⤵
                                                                                                                                                                          PID:2660
                                                                                                                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                            chcp 65001
                                                                                                                                                                            46⤵
                                                                                                                                                                              PID:2352
                                                                                                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                              ping -n 10 localhost
                                                                                                                                                                              46⤵
                                                                                                                                                                              • Runs ping.exe
                                                                                                                                                                              PID:404
                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                                                                              46⤵
                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                              PID:932
                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                                                                47⤵
                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                PID:3852
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\34DAcxM9tIF0.bat" "
                                                                                                                                                                                47⤵
                                                                                                                                                                                  PID:3624
                                                                                                                                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                    chcp 65001
                                                                                                                                                                                    48⤵
                                                                                                                                                                                      PID:3596
                                                                                                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                      ping -n 10 localhost
                                                                                                                                                                                      48⤵
                                                                                                                                                                                      • Runs ping.exe
                                                                                                                                                                                      PID:1920
                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                                                                                      48⤵
                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                      PID:1660
                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                                                                        49⤵
                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                        PID:1692
                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LNoSVdy6T0G3.bat" "
                                                                                                                                                                                        49⤵
                                                                                                                                                                                          PID:1640
                                                                                                                                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                            chcp 65001
                                                                                                                                                                                            50⤵
                                                                                                                                                                                              PID:2396
                                                                                                                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                              ping -n 10 localhost
                                                                                                                                                                                              50⤵
                                                                                                                                                                                              • Runs ping.exe
                                                                                                                                                                                              PID:2072
                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                                                                                              50⤵
                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                              PID:4016
                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                                                                                51⤵
                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                PID:2380
                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eBZZ9UC8kf91.bat" "
                                                                                                                                                                                                51⤵
                                                                                                                                                                                                  PID:3156
                                                                                                                                                                                                  • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                    chcp 65001
                                                                                                                                                                                                    52⤵
                                                                                                                                                                                                      PID:2392
                                                                                                                                                                                                    • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                      ping -n 10 localhost
                                                                                                                                                                                                      52⤵
                                                                                                                                                                                                      • Runs ping.exe
                                                                                                                                                                                                      PID:2028
                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                                                                                                      52⤵
                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                      PID:3620
                                                                                                                                                                                                      • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                        "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                                                                                        53⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:4744
                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yzJgnMQ91K30.bat" "
                                                                                                                                                                                                        53⤵
                                                                                                                                                                                                          PID:2764
                                                                                                                                                                                                          • C:\Windows\SysWOW64\chcp.com
                                                                                                                                                                                                            chcp 65001
                                                                                                                                                                                                            54⤵
                                                                                                                                                                                                              PID:2868
                                                                                                                                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                              ping -n 10 localhost
                                                                                                                                                                                                              54⤵
                                                                                                                                                                                                              • Runs ping.exe
                                                                                                                                                                                                              PID:4932
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                                                                                                                                                                                                              54⤵
                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                              PID:1568
                                                                                                                                                                                                              • C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                                                                                                                                                                                                                55⤵
                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                PID:4264
                                                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BDMjz4X2fKia.bat" "
                                                                                                                                                                                                                55⤵
PID:684
• C:\Windows\SysWOW64\chcp.com
  chcp 65001
  56⤵
  PID:4672
• C:\Windows\SysWOW64\PING.EXE
  ping -n 10 localhost
  56⤵
  • Runs ping.exe
  PID:2036
• C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  56⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of SetWindowsHookEx
  PID:4676
• C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  57⤵
  • Creates scheduled task(s)
  PID:1948
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1708
  55⤵
  • Program crash
  PID:2400
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1092
  53⤵
  • Program crash
  PID:4784
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 2248
  51⤵
  • Program crash
  PID:4308
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1212
  49⤵
  • Program crash
  PID:1724
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 1676
  47⤵
  • Program crash
  PID:4920
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 1708
  45⤵
  • Program crash
  PID:4788
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 2184
  43⤵
  • Program crash
  PID:4984
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1724
  41⤵
  • Program crash
  PID:1616
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 2196
  39⤵
  • Program crash
  PID:3828
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 2248
  37⤵
  • Program crash
  PID:4824
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 1096
  35⤵
  • Program crash
  PID:2032
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1640
  33⤵
  • Program crash
  PID:4664
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 2232
  31⤵
  • Program crash
  PID:2328
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 2224
  29⤵
  • Program crash
  PID:2520
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 2248
  27⤵
  • Program crash
  PID:1796
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 1664
  25⤵
  • Program crash
  PID:4540
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 1096
  23⤵
  • Program crash
  PID:4972
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1092
  21⤵
  • Program crash
  PID:208
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1696
  19⤵
  • Program crash
  PID:5028
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1668
  17⤵
  • Program crash
  PID:1076
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 2164
  15⤵
  • Program crash
  PID:792
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1712
  13⤵
  • Program crash
  PID:2244
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1708
  11⤵
  • Program crash
  PID:3360
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1088
  9⤵
  • Program crash
  PID:4656
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 1720
  7⤵
  • Program crash
  PID:1408
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 2176
  5⤵
  • Program crash
  PID:1148
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 2192
  3⤵
  • Program crash
  PID:5024
• C:\Windows\SysWOW64\SCHTASKS.exe
  "SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
  2⤵
  • Creates scheduled task(s)
  PID:4772
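The lines in this tree worth turning into a check are the two `schtasks /create` invocations (a logon-triggered task at `/rl HIGHEST` whose action points into the user's profile), the loopback `ping -n 10` that the dropper uses as a delay, and the launch of the dropped `Client.exe` from `AppData\Roaming\SubDir`. The Python below is an added triage example, not part of the sandbox report or of the sample: it tokenizes the command lines shown above (embedded as a constructed list), parses the schtasks options and reports each of those traits. The `$77` task-name prefix is flagged on the assumption that it is the r77 rootkit's "hide anything with this prefix" convention, which the report itself does not state; the WerFault lines are deliberately left quiet because the repeated crashes are noise from the sample, not a behaviour to hunt for.

```python
"""Triage the schtasks / ping / dropped-EXE pattern from a sandbox process tree."""
import re

# Command lines copied from the process tree above (constructed list for this example).
SAMPLE_COMMANDLINES = [
    'chcp 65001',
    'ping -n 10 localhost',
    '"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe"',
    '"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe" /rl HIGHEST /f',
    '"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy.exe" /tr "\'C:\\Users\\Admin\\AppData\\Local\\Temp\\uni\\Uni - Copy (100) - Copy - Copy - Copy.exe\'" /sc onlogon /rl HIGHEST',
    'C:\\Windows\\SysWOW64\\WerFault.exe -u -p 1568 -s 1708',
]

# Locations a standard user can write to; a task action or binary living here deserves a look.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\', re.IGNORECASE)
# "ping -n N localhost" is the classic batch-file substitute for sleep (roughly N-1 seconds).
PING_SLEEP = re.compile(r'-n\s+(\d+)\s+(localhost|127\.0\.0\.1|::1)\b', re.IGNORECASE)
# Whitespace split that keeps double-quoted spans (paths with spaces) together.
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokenize(cmd):
    """Split a Windows command line, stripping the surrounding quotes from each token."""
    return [t.strip('"').strip("'") for t in TOKEN.findall(cmd)]


def image_name(token):
    """Lower-cased basename of the executable token ('schtasks' and full paths alike)."""
    return re.split(r'[\\/]', token)[-1].lower()


def parse_schtasks(cmd):
    """Return the /option -> value map of a schtasks invocation, or None for other programs."""
    tokens = tokenize(cmd)
    if not tokens or image_name(tokens[0]) not in ('schtasks', 'schtasks.exe'):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith('/'):
            key = tokens[i][1:].lower()
            # Flags like /create and /f take no value; /tn, /tr, /sc, /rl take the next token.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith('/'):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def triage(cmd):
    """Findings for one command line; an empty list means nothing of note."""
    findings = []
    tokens = tokenize(cmd)
    if not tokens:
        return findings
    image = image_name(tokens[0])
    opts = parse_schtasks(cmd)
    if opts is not None and 'create' in opts:
        sc = str(opts.get('sc', '')).upper()
        rl = str(opts.get('rl', '')).upper()
        if sc == 'ONLOGON' and rl == 'HIGHEST':
            findings.append('schtasks: logon-triggered task with /rl HIGHEST')
        if USER_WRITABLE.search(str(opts.get('tr', ''))):
            findings.append('schtasks: task action lives in a user-writable profile path')
        if str(opts.get('tn', '')).startswith('$77'):
            # Assumption: "$77" is the r77 rootkit hiding prefix (not stated in the report).
            findings.append('schtasks: task name carries the "$77" prefix (r77 hiding convention)')
    elif image in ('ping', 'ping.exe'):
        m = PING_SLEEP.search(cmd)
        if m:
            findings.append(f'ping: loopback ping -n {m.group(1)} used as a delay')
    elif image.endswith('.exe') and USER_WRITABLE.search(tokens[0]):
        findings.append('exec: executable launched from a user-writable profile path')
    return findings


def triage_tree(cmds):
    """Map each suspicious command line to its findings; quiet lines are dropped."""
    return {cmd: triage(cmd) for cmd in cmds if triage(cmd)}


if __name__ == '__main__':
    for cmd, hits in triage_tree(SAMPLE_COMMANDLINES).items():
        print(cmd)
        for hit in hits:
            print('   -', hit)
```

Running the script prints four of the six lines with their findings; the two schtasks lines carry two and three hits respectively. The same rules transfer to a live host: the `/tn`, `/tr`, `/sc` and `/rl` values map onto the task name, action path, trigger and run level that `schtasks /query /v /fo CSV` or `Get-ScheduledTask` expose, so the parser can be pointed at that output instead of a sandbox tree.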
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2544 -ip 2544
  1⤵
  PID:3448
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2764 -ip 2764
  1⤵
  PID:4176
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2860 -ip 2860
  1⤵
  PID:4296
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3808 -ip 3808
  1⤵
  PID:1960
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4104 -ip 4104
  1⤵
  PID:2256
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4440 -ip 4440
  1⤵
  PID:208
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1788 -ip 1788
  1⤵
  PID:2460
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2424 -ip 2424
  1⤵
  PID:464
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1200 -ip 1200
  1⤵
  PID:2016
• C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3960 -ip 3960
  1⤵
                                                                                                                            PID:4896
                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4788 -ip 4788
                                                                                                                            1⤵
                                                                                                                              PID:2692
                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3480 -ip 3480
                                                                                                                              1⤵
                                                                                                                                PID:2732
                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 956 -ip 956
                                                                                                                                1⤵
                                                                                                                                  PID:1184
                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3916 -ip 3916
                                                                                                                                  1⤵
                                                                                                                                    PID:2960
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1280 -ip 1280
                                                                                                                                    1⤵
                                                                                                                                      PID:4532
                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1148 -ip 1148
                                                                                                                                      1⤵
                                                                                                                                        PID:2064
                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1252 -ip 1252
                                                                                                                                        1⤵
                                                                                                                                          PID:4900
                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4108 -ip 4108
                                                                                                                                          1⤵
                                                                                                                                            PID:324
                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1988 -ip 1988
                                                                                                                                            1⤵
                                                                                                                                              PID:3932
                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1164 -ip 1164
                                                                                                                                              1⤵
                                                                                                                                                PID:4916
                                                                                                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4264 -ip 4264
                                                                                                                                                1⤵
                                                                                                                                                  PID:1568
                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1948 -ip 1948
                                                                                                                                                  1⤵
                                                                                                                                                    PID:4988
                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 932 -ip 932
                                                                                                                                                    1⤵
                                                                                                                                                      PID:992
                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1660 -ip 1660
                                                                                                                                                      1⤵
                                                                                                                                                        PID:3864
                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4016 -ip 4016
                                                                                                                                                        1⤵
                                                                                                                                                          PID:2256
                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3620 -ip 3620
                                                                                                                                                          1⤵
                                                                                                                                                            PID:3236
                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1568 -ip 1568
                                                                                                                                                            1⤵
                                                                                                                                                              PID:512

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution
  Scheduled Task/Job (1): T1053

Persistence
  Boot or Logon Autostart Execution (1): T1547
  Registry Run Keys / Startup Folder (1): T1547.001
  Scheduled Task/Job (1): T1053

Privilege Escalation
  Boot or Logon Autostart Execution (1): T1547
  Registry Run Keys / Startup Folder (1): T1547.001
  Scheduled Task/Job (1): T1053

Defense Evasion
  Modify Registry (1): T1112

Discovery
  Query Registry (1): T1012
  System Information Discovery (2): T1082
  Remote System Discovery (1): T1018


Downloads

• C:\Users\Admin\AppData\Local\Temp\5yHdF5fYo9hY.bat
  Filesize: 207B
  MD5: f5b805645db9c00af35081ca53afd07d
  SHA1: ba03ef9d4d8db80834ad9b121efe5ff9f6a4c408
  SHA256: fd4c202e87d5482d37b4220aa7221422a6b62aaa6a7650da5f6e372c5a6979d1
  SHA512: 4abffc87f0bf7f44d92f0e07b6054aad2da2ea29877598e5b9b9e9dd1b1649d1a342004bce64b24e8842f78e9f5b43e7485db59020bdf4d3027268465c8b7d10

• C:\Users\Admin\AppData\Local\Temp\9gPiW7Dmnjn1.bat
  Filesize: 207B
  MD5: 606add5b3a500aa9b738c8255bb22924
  SHA1: 99ead88a4e5bfaecc610c4817aa5ac628203cc97
  SHA256: 5470e7883109cde6db07824d3e478d467fd96bfbde2bfcb40186be75ba19fa48
  SHA512: 2e40ed3c2a4f6585059d19f3063d7ed439f8498be6de65f6e79a316a1957a255fc9a7ca3d8cc55a444300b43a3bbe482c81e7aaeeafa92271813a52a016c81cc

• C:\Users\Admin\AppData\Local\Temp\GcLB876vijgH.bat
  Filesize: 207B
  MD5: 85bf724415fa21b938d8b66981415675
  SHA1: 675547f3eb24e736d861de2411b96ad3339c114e
  SHA256: 34041a060db904d085d9fa039ca3e1588342bb51a3dedc387ea49752fa1bafb7
  SHA512: 27719b90eef93422af684575f54830a6760a93e23a458df1afb3e259427732762f90152baebadfd7a4466dc003e5c9408615391f14cb42820cc4da9bd068b1c5

• C:\Users\Admin\AppData\Local\Temp\Ik2TT1VhKaSr.bat
  Filesize: 207B
  MD5: b3dbb6b1cae1e7dbce2e87b3a8a51e18
  SHA1: f8dd91894c6cfc9fa555829f74f7ca5562ae6893
  SHA256: c580bfbae6ce455262537607aa879887939225d8d3212a7ffed67e7846fe3cbb
  SHA512: a70eceb99ddbc6d060fcefa3d42396cba54254ac18300b30b08f1c6b9752b171902df6d19080c6480655e554509c7cb355a58cdb75e98592b97e6b6c820fdc75

• C:\Users\Admin\AppData\Local\Temp\N52jRxFy58Tt.bat
  Filesize: 207B
  MD5: 06e1e1638f411888ebea131d9931460a
  SHA1: f9ecd7a66c068a45e43769228cf7c24e4c16167a
  SHA256: 2722d368b0cd54cf85a9fe5cbaa41c3029bad3574bf69ea11893a4503d067570
  SHA512: bc0b93a1da5ada78542e0d98f69501f61a922f2e23e2723b894f9b71031ddcd75904f862b9a62f3e2f88155fa2bef8e6c340c6572548d4c52a04a65467589921

• C:\Users\Admin\AppData\Local\Temp\N8dboL4mimEI.bat
  Filesize: 207B
  MD5: 4317297fe3dbebaa55943a12fd8e4912
  SHA1: 669ff38af185c8c3607d31c5f07c9d292ff2c47e
  SHA256: 3efa2ed7ee7ce505a47d2098ad27d7fc3e151fd1f70d6fc5593391c325d08269
  SHA512: 79f4d4aa83488f154473d73d6d35db9255e96ef2eed09f6371cbfb230c7160621a4cdcca51b2e872147dde0f009fabf3e0b5a826d127c5db5a5d92837cd2bb72

• C:\Users\Admin\AppData\Local\Temp\NHsv8lHVOqic.bat
  Filesize: 207B
  MD5:

                                                                                                                                                              446cf58a7eed6c9744c373299b6d2ef5

                                                                                                                                                              SHA1

                                                                                                                                                              3ab9e0010b1c4edbff3ae1368364712975367f5e

                                                                                                                                                              SHA256

                                                                                                                                                              bdc38b8523196fd610033e4c9b82fb607d693ede378151988e1e7be62e638934

                                                                                                                                                              SHA512

                                                                                                                                                              bd526009d8f0feccfb3a0d57f9e6dea354e727f70436f1e73ea746e32594bc40a1770ed7716c4b2233eec530cabada8f978646f48220f72602bfcb1e689913d6

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SmIUIyQ81Zql.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              92840da3dfb39be6744e0d61b403260d

                                                                                                                                                              SHA1

                                                                                                                                                              d9f8f4504a3c776c47528b3f7cde7b8f399711dd

                                                                                                                                                              SHA256

                                                                                                                                                              c756d620d9095a8aec8625e345525dc04ce2357045f07262e08381aaba82c09c

                                                                                                                                                              SHA512

                                                                                                                                                              675d44d150a898d381f74623819dcc06fb01760f62db220b70878caf35235f2abae4c620b3b436d30393a5e90982a8788f642d82b9e023942d2dc8d9949b42d0

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\U9Okyp1LhEsU.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              90521c83563d4469787aab3a207106a5

                                                                                                                                                              SHA1

                                                                                                                                                              76de4eab3204100e700077cdfb330004e8679c4a

                                                                                                                                                              SHA256

                                                                                                                                                              35b364484a8bb203ae2d6be2e56ba8e532a18a344f387eae3425154e25d339fb

                                                                                                                                                              SHA512

                                                                                                                                                              456babc3b30d3840175e1de35314a989023f1bebb1b0156c5bce2c1c91f766bdadd7e2fb4429e465c7d1353d83f8e5600cae6d61ec49fcb0fd1f230dcdc38518

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\UFDhXTAUy4m8.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              cb77f0b1fa30dcc3e147640913d2b673

                                                                                                                                                              SHA1

                                                                                                                                                              611c86883698f436218d7190e8cc1620e2636435

                                                                                                                                                              SHA256

                                                                                                                                                              85c0771a4a48d74de7e748430e585d2ad3a7cd3d0ba29d2b285602b42073d1e9

                                                                                                                                                              SHA512

                                                                                                                                                              7b1da70ff18472613e4cd916d429a844c57489a17882175dbcfbb9fd391fe3a5b1eaf8aca1ebaba2662cd530538fc441e757e8723a2085417cd5a9d614b76d8a

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\VHmABSEeVohs.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              2c24240a379f8a3d3dd369be19628a4c

                                                                                                                                                              SHA1

                                                                                                                                                              2a7be66fe2156df7cd8a89b2176fe9fc4ea6472d

                                                                                                                                                              SHA256

                                                                                                                                                              e41114a6da7d8506b6698a4a96e761b0e39fd901295908f14ebce9fc37f1063c

                                                                                                                                                              SHA512

                                                                                                                                                              40b1c7dea0f3cb06d1e8555da783d1ebe652ec942c3652132a14f42b506aac305c0b03da4e8dba2197cd3e09b60566e4629eb81cfc0fb3e920c1f48a59874569

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Wblxpb7v3gMC.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              efb246bafad3c49bc3e485b39b115101

                                                                                                                                                              SHA1

                                                                                                                                                              92cec8251689589c688336e0bda3203bf1451a5f

                                                                                                                                                              SHA256

                                                                                                                                                              34ac06f791b14f1e547a951031dc2792fc3cda35c8ffe57b51dfee5e1ab11d05

                                                                                                                                                              SHA512

                                                                                                                                                              4e4fa0225c90d2bcca554062b3146b340b9c4f03dc98bfbe566d9d5e09d5ed22d051011823a56a128275728799769504159fb2faad268d09facacab3f31b55f8

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\aVvyLTON2qMC.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              a83a6358ed4c29be6cfad396556412f0

                                                                                                                                                              SHA1

                                                                                                                                                              24654baf48dba10aa13e821334be3f18d485f678

                                                                                                                                                              SHA256

                                                                                                                                                              0f4517d5e72108face1b593f6617ded192da619b36933cbc5fab3c525cb02443

                                                                                                                                                              SHA512

                                                                                                                                                              db941833423131b7412c4a7f4b4adf5e93d0afe252dc1a8e34470d77c215874f6c886aa5f3805d13fb47b8c7749a25c4ffc49b33ba9cdc4ef3bf4bbf5949dd54

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\d0OfDxCtX5DJ.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              a84675a9877aac37cf32a26a8787809a

                                                                                                                                                              SHA1

                                                                                                                                                              dd85dd1144ce8e2e1139f32692d735e508e148d2

                                                                                                                                                              SHA256

                                                                                                                                                              edab949cfa8e818350636a04e7164fbb3c713bf666ab2c61025538a87c00ac69

                                                                                                                                                              SHA512

                                                                                                                                                              bbd07ad5ba4a9f7703e630dc13b0d93ee9a7a052e587fe4f1cdf4635db479185733862f3798de85934601fd98c63dbb309bba211683f8ce2dd28bff83b2560a9

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\lAXVbESWXUna.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              a3a9594738fb7ce024c36391862a225a

                                                                                                                                                              SHA1

                                                                                                                                                              c410d71cbaeae202b98305c164c8402972270356

                                                                                                                                                              SHA256

                                                                                                                                                              a7a8ef235fa821601083ff5c3b910e9fccf71f02513b8f893453818c5cf45b6a

                                                                                                                                                              SHA512

                                                                                                                                                              bf2903b13074de0ab9133c256051e0ebe5712543e1a956aa680aedb566b17520ef5d6c9f5d75fc949615505d791cb4f0b85c1a6973954cba78b1f6dc37cad58c

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\naNT47qc5Vhw.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              397ef4eee5a4fc92ea464b6d12427a8b

                                                                                                                                                              SHA1

                                                                                                                                                              654a3a7ce30afee75952383c06bd970ead656712

                                                                                                                                                              SHA256

                                                                                                                                                              7a0a78e9505968616854124e1d3c5144afd74ad604469bebcd3f8b79cac47340

                                                                                                                                                              SHA512

                                                                                                                                                              b8c405b0a45a1f3c04949b1769b9e909e176fb50d87f4a62d6dc8a08744e8ae1f0cb5689006b69ddaf08cf7c823e91aef8fde034e8d8a7c5c6fb249da8ede221

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\njy1XCVFhq0m.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              49faba1dbddf82b18fc351e4c89aa0a4

                                                                                                                                                              SHA1

                                                                                                                                                              d45891929a219cac34ec3675d341bc62c92f5bef

                                                                                                                                                              SHA256

                                                                                                                                                              0c463eab4194dc84e5a441fd19c3667a90db33732426afd022cf26f37b85d9c8

                                                                                                                                                              SHA512

                                                                                                                                                              2504b322fba8f8aade75bbfd1db19544007e08167ef435c10f275bf0ae8bd64aa370b088ec53900c8a9471aa4ed2424bc05f961fe62ebbb652849c57a68bc99e

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\pXZdZpNpLd7M.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              44b10ef9fbda7df88eb5170a47125f3a

                                                                                                                                                              SHA1

                                                                                                                                                              03a7cfcbab5a605c773dd549edfc422e3c024377

                                                                                                                                                              SHA256

                                                                                                                                                              8ac5b3124b7b6ca0d318b63460b47326ea7226595d82864b11d7070a3d391850

                                                                                                                                                              SHA512

                                                                                                                                                              0381def451f3aaabdf9f1481215d24fe50e53d1a23b4c1a7d7fc0d2a72b9c75b877888a4404e0675ff88a13d8d9648798035ca31ca5b5ea17deaf525fe96f2e9

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\piCizBy2rZrb.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              e91072e5dc7814aa7a6a486df022c3e9

                                                                                                                                                              SHA1

                                                                                                                                                              de4928a3fd71e7aa44d34feea3b4dfd51fe2e4a7

                                                                                                                                                              SHA256

                                                                                                                                                              ba04469b33e569a9c49bfe8c10245fa1f01d47e263da8ca277174d96b4381d4d

                                                                                                                                                              SHA512

                                                                                                                                                              1dfefbc9f00f6b2bf514270c05193fc2807d625ee0ae24d14886436f91a46f61294d0159eb961b124258f830e3e144a0a269bb6a88a76a09f3642c7061ed1107

                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\qfx4mRa99Cvj.bat
                                                                                                                                                              Filesize

                                                                                                                                                              207B

                                                                                                                                                              MD5

                                                                                                                                                              52b94be366a4b6e83fcc47a27a99fd6a

                                                                                                                                                              SHA1

                                                                                                                                                              54591967c128803b585d67f3be852b592dfde72a

  SHA256: 9c7ac6ef4751406f182d57fb4e545c5c8c03d9b70335a4c7cc319bf065c76950
  SHA512: e03912fcba511a80a6136bd9a5f7825b05b5fa76585df1f8cea65616bab477cc14dfc7c731634e68648dbcf76d7c9d1ad050bec1e7fc9c222434fb54ac99f2ca

• C:\Users\Admin\AppData\Local\Temp\uggduu1p2SVG.bat
  Filesize: 207B
  MD5: af481af63baa7743d55acea2ddd49723
  SHA1: 0b7d851f8383b705c1932ff94ec362daa0799099
  SHA256: f94765618287b327a202d1211eefbfbe6b8af16d98acc71fa97b1587fcfeba0d
  SHA512: 8a41b0339ec7cb3e6d1a6f73780dd40ce1725b9aaa5d900c44601d0157804275c9ede55ecb56b6b79e1ef4a21218a75251bc9f70fcb2ce5c3139a49b5ffbc201

• C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
  Filesize: 224B
  MD5: bffb95fde3b7f42718926bf99f2d3674
  SHA1: 95cf1b8bccb2ac67a519e6ed438972ee9dfca682
  SHA256: 085d6280f55dd24087c8694d65d4316127792678b427f25cd2adb2906da26d2e
  SHA512: e054c6b64531f7ec9e3d67a3fb478dcd675a5316f753ac351fdb3111468e9a152a8b5f82cd17568184be378b49d88ae74036c0c1d103ac27f15e9c2908c32921

• C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
  Filesize: 224B
  MD5: 71691191d57c29711fb5e398a9d721db
  SHA1: dd43a3449df86c6fd77bf2e541e6257e2eb29ef4
  SHA256: f23a9f273ebd4e54c0ce3faa847014deff17d47c6b8c10f3e8d9abb0f2bc43e5
  SHA512: eb8b115be54c9114da1869e60def180b9991aa302087abbd9174b1ee9c366b740a5656df94975e09a2fe05208ff4db71869a1d89f52593f7b2a2aa8a02ef1776

• C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
  Filesize: 224B
  MD5: 1eda66d9cdedf0f115eb0d94687a557b
  SHA1: 3fee5a222df7e23fee51ec79f9bd370678ec3e73
  SHA256: 9301351159f6130e09bfd49e40b02e50b3ad8d3165b3f23f6622624feafcb451
  SHA512: a6634baa0a8c1f378feea3b0009c96597e91ad418fc493f602605fb7e3a189fe90c8e3f89ab70bc10b9eea3e5bc36c76da23a500616eb82a6dce55ee2ce70533

• C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (no Filesize recorded; all four digests are those of zero-length input, so this copy of the log file was captured while still empty and carries no usable content)

• C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
  Filesize: 224B
  MD5: 53f9d61a9d9aa16a3b1627585315bfe7
  SHA1: e2e715a275a97443c5bb07dad3346e93846b7dd2
  SHA256: 75a8a96f05a58eb0dd203a5af4cb933093f638b40cd17284e37bfbf07a7e464f
  SHA512: 8193bf34637e03c111e2aadea3e7271084714f2b4e03741dac60c12cff57883151af32e4147785a58e1435d1152e732c2ba35be5f74557f1d20565abed38ba7a

• C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
  Filesize: 224B
  MD5: 784d15b80552313ee23a00d65e595d14
  SHA1: 079389a4ce828b0e5eb5982693dca649a920844f
  SHA256: 251971ef1590ec056c70ce59b0b8abb7763c38c8d9971a37d6bf0811e41b5e75
  SHA512: dfd97d39a468404cc382155bc70d2f63ac75b1be7bfa6da9175310c89779dcc3730c305cd7d2e5eeb559d73950118c05d8c20f8ae864ef7477a5b4e2d9e57e9d

• C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 409KB
  MD5: b70fdac25a99501e3cae11f1b775249e
  SHA1: 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
  SHA256: 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
  SHA512: 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
  (same size and all four digests as the submitted sample: this is the self-copy the RAT installs under %APPDATA%\SubDir for persistence, not a second-stage payload; the same hashes therefore cover both the dropper and the installed client)

• memory/1232-2-0x00000000054C0000-0x0000000005A64000-memory.dmp
  Filesize: 5.6MB

• memory/1232-1-0x0000000000460000-0x00000000004CC000-memory.dmp
  Filesize: 432KB

• memory/1232-3-0x0000000004FF0000-0x0000000005082000-memory.dmp
  Filesize: 584KB

• memory/1232-17-0x0000000074840000-0x0000000074FF0000-memory.dmp
  Filesize: 7.7MB

• memory/1232-8-0x0000000074840000-0x0000000074FF0000-memory.dmp
  Filesize: 7.7MB

• memory/1232-7-0x000000007484E000-0x000000007484F000-memory.dmp
  Filesize: 4KB

• memory/1232-0-0x000000007484E000-0x000000007484F000-memory.dmp
  Filesize: 4KB

• memory/1232-5-0x0000000005090000-0x00000000050F6000-memory.dmp
  Filesize: 408KB

• memory/1232-6-0x0000000005CE0000-0x0000000005CF2000-memory.dmp
  Filesize: 72KB

• memory/1232-4-0x0000000074840000-0x0000000074FF0000-memory.dmp
  Filesize: 7.7MB

• memory/2544-19-0x00000000061D0000-0x00000000061DA000-memory.dmp
  Filesize: 40KB

• memory/2544-14-0x0000000074840000-0x0000000074FF0000-memory.dmp
  Filesize: 7.7MB

• memory/2544-16-0x0000000074840000-0x0000000074FF0000-memory.dmp
  Filesize: 7.7MB

• memory/2544-24-0x0000000074840000-0x0000000074FF0000-memory.dmp
  Filesize: 7.7MB

  (the 7.7MB region 0x74840000-0x74FF0000 is dumped several times and at the same address in both PID 1232 and PID 2544, which is consistent with a shared image mapping rather than a private allocation; the smaller, process-specific regions in PID 1232 are the ones worth carving for the unpacked client and its configuration)
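As an added example, not part of the sandbox report or of the Quasar project: the script below parses a dropped-file listing in the layout used above, tags every entry that is byte-identical to the submitted sample (the persistence copy), tags entries whose digests are the well-known digests of empty input (a log captured before anything was written), and lets a responder match a blob recovered from a host against the recorded SHA256s. `REPORT_EXCERPT` is a constructed excerpt of three entries from this listing, and `ORIGINAL_SHA256` is the sample's SHA256 as given for `SubDir\Client.exe` above; the parser accepts both `Field: value` lines and the report's original layout where a field name and its value sit on separate lines.

```python
"""Cross-check a sandbox "dropped files" listing.

Added example, not part of the sandbox report or of the Quasar project.
REPORT_EXCERPT is a constructed excerpt of three entries from the listing
on this page.
"""
import hashlib
import re
from dataclasses import dataclass, field

# SHA256 of the submitted sample, as given on this page.
ORIGINAL_SHA256 = "51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246"
FIELDS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
_FIELD_RE = re.compile(r"^(%s)\s*:?\s*(.*)$" % "|".join(FIELDS))
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed excerpt; digests copied from the listing on this page.
# The first entry uses the report's "name on one line, value on the next" layout.
REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
  MD5
  d41d8cd98f00b204e9800998ecf8427e
  SHA1
  da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Filesize: 409KB
  MD5: b70fdac25a99501e3cae11f1b775249e
  SHA1: 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
  SHA256: 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
• C:\Users\Admin\AppData\Local\Temp\uggduu1p2SVG.bat
  Filesize: 207B
  MD5: af481af63baa7743d55acea2ddd49723
  SHA1: 0b7d851f8383b705c1932ff94ec362daa0799099
  SHA256: f94765618287b327a202d1211eefbfbe6b8af16d98acc71fa97b1587fcfeba0d
"""


@dataclass
class Dropped:
    path: str
    fields: dict = field(default_factory=dict)

    def digest(self, algo):
        return self.fields.get(algo, "").lower()


def parse_listing(text):
    """Turn the bullet/field layout into Dropped records."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "•*-":                  # a new dropped-file entry
            entries.append(Dropped(line.lstrip("•*- ")))
            pending = None
            continue
        if not entries:                       # text before the first bullet
            continue
        m = _FIELD_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if value:
                entries[-1].fields[name] = value
            else:
                pending = name                # value follows on the next line
        elif pending:
            entries[-1].fields[pending] = line
            pending = None
    return entries


def parse_size(text):
    """'207B' -> 207, '409KB' -> 418816; None when the field is malformed."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?B)", text.strip().upper())
    return int(round(float(m.group(1)) * _UNITS[m.group(2)])) if m else None


def hash_bytes(data):
    """All four digests the report records, for a blob in hand."""
    return {a: hashlib.new(a.lower(), data).hexdigest() for a in FIELDS[1:]}


EMPTY = hash_bytes(b"")   # digests of zero-length input


def triage(entries, original_sha256=ORIGINAL_SHA256):
    """Group entry paths by tag: copy_of_sample, empty, or unique."""
    out = {}
    for e in entries:
        if e.digest("SHA256") == original_sha256.lower():
            tag = "copy_of_sample"
        elif e.digest("SHA256") == EMPTY["SHA256"] or e.digest("MD5") == EMPTY["MD5"]:
            tag = "empty"
        else:
            tag = "unique"
        out.setdefault(tag, []).append(e.path)
    return out


def match_blob(data, entries):
    """Paths whose recorded SHA256 equals that of a blob found on a host."""
    digest = hashlib.sha256(data).hexdigest()
    return [e.path for e in entries if e.digest("SHA256") == digest]


if __name__ == "__main__":
    dropped = parse_listing(REPORT_EXCERPT)
    for tag, paths in triage(dropped).items():
        print(tag, paths)
    for e in dropped:
        print(e.path, parse_size(e.fields.get("Filesize", "")))
```

The `empty` tag is the check worth keeping in any IOC pipeline: the MD5, SHA1 and SHA256 of zero-length input turn up in sandbox listings whenever a file is hashed before the malware writes to it, and pushing them into a blocklist would match every empty file on every host.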