quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
599s
max time network
606s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (100) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral14/memory/2968-1-0x0000000000730000-0x000000000079C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 26 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 27 IoCs

Processes:

pid	process
2904	Client.exe
604	Client.exe
1028	Client.exe
3408	Client.exe
1528	Client.exe
3644	Client.exe
376	Client.exe
1580	Client.exe
1712	Client.exe
4264	Client.exe
2556	Client.exe
4556	Client.exe
2532	Client.exe
1856	Client.exe
1908	Client.exe
692	Client.exe
1344	Client.exe
3232	Client.exe
1200	Client.exe
1804	Client.exe
3884	Client.exe
4704	Client.exe
2520	Client.exe
5060	Client.exe
2356	Client.exe
4596	Client.exe
4784	Client.exe

Looks up external IP address via web service 27 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
14	ip-api.com
55	ip-api.com
51	ip-api.com
57	ip-api.com
61	ip-api.com
28	ip-api.com
31	ip-api.com
63	ip-api.com
37	ip-api.com
59	ip-api.com
46	ip-api.com
2	ip-api.com
12	ip-api.com
20	ip-api.com
32	ip-api.com
34	ip-api.com
8	api.ipify.org
18	ip-api.com
42	ip-api.com
22	ip-api.com
39	ip-api.com
48	ip-api.com
26	ip-api.com
30	ip-api.com
44	ip-api.com
16	ip-api.com
24	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
432	2904	WerFault.exe	Client.exe
2436	604	WerFault.exe	Client.exe
4484	1028	WerFault.exe	Client.exe
4284	3408	WerFault.exe	Client.exe
2588	1528	WerFault.exe	Client.exe
4116	3644	WerFault.exe	Client.exe
1144	376	WerFault.exe	Client.exe
1276	1580	WerFault.exe	Client.exe
1508	1712	WerFault.exe	Client.exe
1680	4264	WerFault.exe	Client.exe
4320	2556	WerFault.exe	Client.exe
1788	4556	WerFault.exe	Client.exe
1252	2532	WerFault.exe	Client.exe
2968	1856	WerFault.exe	Client.exe
5108	1908	WerFault.exe	Client.exe
1704	692	WerFault.exe	Client.exe
4416	1344	WerFault.exe	Client.exe
664	3232	WerFault.exe	Client.exe
2408	1200	WerFault.exe	Client.exe
4992	1804	WerFault.exe	Client.exe
4352	3884	WerFault.exe	Client.exe
4776	4704	WerFault.exe	Client.exe
1632	2520	WerFault.exe	Client.exe
4460	5060	WerFault.exe	Client.exe
2064	2356	WerFault.exe	Client.exe
3096	4596	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 28 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5080	schtasks.exe
4780	schtasks.exe
2728	schtasks.exe
2576	schtasks.exe
876	schtasks.exe
1932	schtasks.exe
1632	schtasks.exe
2036	schtasks.exe
3940	schtasks.exe
3584	schtasks.exe
752	schtasks.exe
628	schtasks.exe
4092	schtasks.exe
2688	SCHTASKS.exe
1708	schtasks.exe
1192	schtasks.exe
1372	schtasks.exe
1096	schtasks.exe
3368	schtasks.exe
1480	schtasks.exe
4500	schtasks.exe
3624	schtasks.exe
1104	schtasks.exe
3364	schtasks.exe
548	schtasks.exe
2228	schtasks.exe
2312	schtasks.exe
3952	schtasks.exe

Runs ping.exe 1 TTPs 26 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4940	PING.EXE
2872	PING.EXE
4244	PING.EXE
4172	PING.EXE
4904	PING.EXE
4912	PING.EXE
4032	PING.EXE
1476	PING.EXE
3784	PING.EXE
4624	PING.EXE
3664	PING.EXE
1588	PING.EXE
3952	PING.EXE
1916	PING.EXE
3884	PING.EXE
1300	PING.EXE
216	PING.EXE
2332	PING.EXE
3624	PING.EXE
3940	PING.EXE
4836	PING.EXE
4144	PING.EXE
3328	PING.EXE
4148	PING.EXE
4500	PING.EXE
2052	PING.EXE

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

Uni - Copy (100) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2968	Uni - Copy (100) - Copy - Copy.exe
Token: SeDebugPrivilege	2904	Client.exe
Token: SeDebugPrivilege	604	Client.exe
Token: SeDebugPrivilege	1028	Client.exe
Token: SeDebugPrivilege	3408	Client.exe
Token: SeDebugPrivilege	1528	Client.exe
Token: SeDebugPrivilege	3644	Client.exe
Token: SeDebugPrivilege	376	Client.exe
Token: SeDebugPrivilege	1580	Client.exe
Token: SeDebugPrivilege	1712	Client.exe
Token: SeDebugPrivilege	4264	Client.exe
Token: SeDebugPrivilege	2556	Client.exe
Token: SeDebugPrivilege	4556	Client.exe
Token: SeDebugPrivilege	2532	Client.exe
Token: SeDebugPrivilege	1856	Client.exe
Token: SeDebugPrivilege	1908	Client.exe
Token: SeDebugPrivilege	692	Client.exe
Token: SeDebugPrivilege	1344	Client.exe
Token: SeDebugPrivilege	3232	Client.exe
Token: SeDebugPrivilege	1200	Client.exe
Token: SeDebugPrivilege	1804	Client.exe
Token: SeDebugPrivilege	3884	Client.exe
Token: SeDebugPrivilege	4704	Client.exe
Token: SeDebugPrivilege	2520	Client.exe
Token: SeDebugPrivilege	5060	Client.exe
Token: SeDebugPrivilege	2356	Client.exe
Token: SeDebugPrivilege	4596	Client.exe
Token: SeDebugPrivilege	4784	Client.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

pid	process
2904	Client.exe
604	Client.exe
1028	Client.exe
3408	Client.exe
1528	Client.exe
3644	Client.exe
376	Client.exe
1580	Client.exe
1712	Client.exe
4264	Client.exe
2556	Client.exe
4556	Client.exe
2532	Client.exe
1856	Client.exe
1908	Client.exe
692	Client.exe
1344	Client.exe
3232	Client.exe
1200	Client.exe
1804	Client.exe
3884	Client.exe
4704	Client.exe
2520	Client.exe
5060	Client.exe
2356	Client.exe
4596	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (100) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2968 wrote to memory of 4092	2968	Uni - Copy (100) - Copy - Copy.exe	schtasks.exe
PID 2968 wrote to memory of 4092	2968	Uni - Copy (100) - Copy - Copy.exe	schtasks.exe
PID 2968 wrote to memory of 4092	2968	Uni - Copy (100) - Copy - Copy.exe	schtasks.exe
PID 2968 wrote to memory of 2904	2968	Uni - Copy (100) - Copy - Copy.exe	Client.exe
PID 2968 wrote to memory of 2904	2968	Uni - Copy (100) - Copy - Copy.exe	Client.exe
PID 2968 wrote to memory of 2904	2968	Uni - Copy (100) - Copy - Copy.exe	Client.exe
PID 2968 wrote to memory of 2688	2968	Uni - Copy (100) - Copy - Copy.exe	SCHTASKS.exe
PID 2968 wrote to memory of 2688	2968	Uni - Copy (100) - Copy - Copy.exe	SCHTASKS.exe
PID 2968 wrote to memory of 2688	2968	Uni - Copy (100) - Copy - Copy.exe	SCHTASKS.exe
PID 2904 wrote to memory of 5080	2904	Client.exe	schtasks.exe
PID 2904 wrote to memory of 5080	2904	Client.exe	schtasks.exe
PID 2904 wrote to memory of 5080	2904	Client.exe	schtasks.exe
PID 2904 wrote to memory of 4144	2904	Client.exe	cmd.exe
PID 2904 wrote to memory of 4144	2904	Client.exe	cmd.exe
PID 2904 wrote to memory of 4144	2904	Client.exe	cmd.exe
PID 4144 wrote to memory of 2636	4144	cmd.exe	chcp.com
PID 4144 wrote to memory of 2636	4144	cmd.exe	chcp.com
PID 4144 wrote to memory of 2636	4144	cmd.exe	chcp.com
PID 4144 wrote to memory of 4904	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 4904	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 4904	4144	cmd.exe	PING.EXE
PID 4144 wrote to memory of 604	4144	cmd.exe	Client.exe
PID 4144 wrote to memory of 604	4144	cmd.exe	Client.exe
PID 4144 wrote to memory of 604	4144	cmd.exe	Client.exe
PID 604 wrote to memory of 4780	604	Client.exe	schtasks.exe
PID 604 wrote to memory of 4780	604	Client.exe	schtasks.exe
PID 604 wrote to memory of 4780	604	Client.exe	schtasks.exe
PID 604 wrote to memory of 1300	604	Client.exe	cmd.exe
PID 604 wrote to memory of 1300	604	Client.exe	cmd.exe
PID 604 wrote to memory of 1300	604	Client.exe	cmd.exe
PID 1300 wrote to memory of 3096	1300	cmd.exe	chcp.com
PID 1300 wrote to memory of 3096	1300	cmd.exe	chcp.com
PID 1300 wrote to memory of 3096	1300	cmd.exe	chcp.com
PID 1300 wrote to memory of 3940	1300	cmd.exe	PING.EXE
PID 1300 wrote to memory of 3940	1300	cmd.exe	PING.EXE
PID 1300 wrote to memory of 3940	1300	cmd.exe	PING.EXE
PID 1300 wrote to memory of 1028	1300	cmd.exe	Client.exe
PID 1300 wrote to memory of 1028	1300	cmd.exe	Client.exe
PID 1300 wrote to memory of 1028	1300	cmd.exe	Client.exe
PID 1028 wrote to memory of 1932	1028	Client.exe	schtasks.exe
PID 1028 wrote to memory of 1932	1028	Client.exe	schtasks.exe
PID 1028 wrote to memory of 1932	1028	Client.exe	schtasks.exe
PID 1028 wrote to memory of 3820	1028	Client.exe	cmd.exe
PID 1028 wrote to memory of 3820	1028	Client.exe	cmd.exe
PID 1028 wrote to memory of 3820	1028	Client.exe	cmd.exe
PID 3820 wrote to memory of 372	3820	cmd.exe	chcp.com
PID 3820 wrote to memory of 372	3820	cmd.exe	chcp.com
PID 3820 wrote to memory of 372	3820	cmd.exe	chcp.com
PID 3820 wrote to memory of 1916	3820	cmd.exe	PING.EXE
PID 3820 wrote to memory of 1916	3820	cmd.exe	PING.EXE
PID 3820 wrote to memory of 1916	3820	cmd.exe	PING.EXE
PID 3820 wrote to memory of 3408	3820	cmd.exe	Client.exe
PID 3820 wrote to memory of 3408	3820	cmd.exe	Client.exe
PID 3820 wrote to memory of 3408	3820	cmd.exe	Client.exe
PID 3408 wrote to memory of 2036	3408	Client.exe	schtasks.exe
PID 3408 wrote to memory of 2036	3408	Client.exe	schtasks.exe
PID 3408 wrote to memory of 2036	3408	Client.exe	schtasks.exe
PID 3408 wrote to memory of 1712	3408	Client.exe	cmd.exe
PID 3408 wrote to memory of 1712	3408	Client.exe	cmd.exe
PID 3408 wrote to memory of 1712	3408	Client.exe	cmd.exe
PID 1712 wrote to memory of 2432	1712	cmd.exe	chcp.com
PID 1712 wrote to memory of 2432	1712	cmd.exe	chcp.com
PID 1712 wrote to memory of 2432	1712	cmd.exe	chcp.com
PID 1712 wrote to memory of 4940	1712	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4092

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyM8gNhIB3tq.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2636

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4904

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zxOuHOBX2MOX.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:3096

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3940

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCFhHqSiCAk2.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:372

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1916

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KtWS8scs8b6t.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2432

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4940

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tolvZaumkVXy.bat" "
11⤵
PID:2088

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4708

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3884

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lPM4RWBOqU4d.bat" "
13⤵
PID:4856

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:624

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1300

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:376

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kafHkbaAZ9rg.bat" "
15⤵
PID:1368

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:1928

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:216

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7PE8ADyVMcSY.bat" "
17⤵
PID:1984

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:1784

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4912

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wz1XFP5nvnHK.bat" "
19⤵
PID:4720

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:4576

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2332

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuF0g6MhYhiO.bat" "
21⤵
PID:552

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4116

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1476

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2556

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hv956tX912zg.bat" "
23⤵
PID:2660

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2340

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3784

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9WkEypol61WL.bat" "
25⤵
PID:3300

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:1916

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4032

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ae8fBS25vbKi.bat" "
27⤵
PID:380

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:1984

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4624

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HMDApEMYMpOU.bat" "
29⤵
PID:1116

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:4300

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4836

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAxHT6aadUIS.bat" "
31⤵
PID:3188

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:4868

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:3664

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:692

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwmI04GpUc1n.bat" "
33⤵
PID:800

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:3120

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:4148

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e2XFdDAWHZRN.bat" "
35⤵
PID:4236

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:4860

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:1588

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3232

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KXTmV3YZX88q.bat" "
37⤵
PID:4080

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:2580

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:3952

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6XNrvri1zSP7.bat" "
39⤵
PID:1772

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:2008

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:2872

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOkS9DGgIjht.bat" "
41⤵
PID:3100

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:4768

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:4144

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UUJ9Z5KhbVpN.bat" "
43⤵
PID:2932

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:2188

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:4500

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4704

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\im6if0mKfO8W.bat" "
45⤵
PID:4880

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:1572

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:4244

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Lj9usSDXo6GV.bat" "
47⤵
PID:4120

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:2012

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:3624

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5060

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PPPfkUOhjWdN.bat" "
49⤵
PID:4972

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:2416

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:2052

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jDAnOLcj0BXL.bat" "
51⤵
PID:2500

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:4636

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:3328

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4596

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kLXDbyp3olLj.bat" "
53⤵
PID:3896

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:4456

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:4172

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 2236
53⤵
- Program crash
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1092
51⤵
- Program crash
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1096
49⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1092
47⤵
- Program crash
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1676
45⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1092
43⤵
- Program crash
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1096
41⤵
- Program crash
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 2232
39⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 2236
37⤵
- Program crash
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1720
35⤵
- Program crash
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 2220
33⤵
- Program crash
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1092
31⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1668
29⤵
- Program crash
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 1092
27⤵
- Program crash
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 2220
25⤵
- Program crash
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 2232
23⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1688
21⤵
- Program crash
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 2248
19⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1608
17⤵
- Program crash
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 2248
15⤵
- Program crash
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 1728
13⤵
- Program crash
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 940
11⤵
- Program crash
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 2252
9⤵
- Program crash
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 2232
7⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 604 -s 2196
5⤵
- Program crash
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 1652
3⤵
- Program crash
PID:432

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2904 -ip 2904
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 604 -ip 604
1⤵
PID:732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1028 -ip 1028
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3408 -ip 3408
1⤵
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1528 -ip 1528
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3644 -ip 3644
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 376 -ip 376
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1580 -ip 1580
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1712 -ip 1712
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4264 -ip 4264
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2556 -ip 2556
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4556 -ip 4556
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2532 -ip 2532
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1856 -ip 1856
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1908 -ip 1908
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 692 -ip 692
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1344 -ip 1344
1⤵
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3232 -ip 3232
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1200 -ip 1200
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1804 -ip 1804
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3884 -ip 3884
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4704 -ip 4704
1⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2520 -ip 2520
1⤵
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5060 -ip 5060
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 2356 -ip 2356
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4596 -ip 4596
1⤵
PID:2176

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6XNrvri1zSP7.bat
Filesize
207B

MD5
bd49d33e60e8a5818d2980f57a129f90

SHA1
6b64c06b84641fc80b50a12ae93b3f201156ac3b

SHA256
463a77ea919df4a526ec244d1396f49b30e8fff2c45ce57c3ed8838b167d654b

SHA512
de4e8edc93bd5fcbc854ede49cce8fc4fe9539861f200f2184b836ed37582d9f73965be936c8cc523cd019dde79bb89b9f71e4c7898a6a76bd7168f6737ec07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7PE8ADyVMcSY.bat
Filesize
207B

MD5
bc3c5b993c4da7794cb9cb7fbd55fc7a

SHA1
0d94d13e78ed01cd16318eeb285158b95dc01832

SHA256
fd9f8efbc1a29bccc5f185be030656a4ac1b27bc59e51d8b0b7f6d047433c2bc

SHA512
88412ec9f521e13fa5306bfeed9c63c292bf7e4ba0a98f068565a12b8b5053ecd2a15853e76a73bec565582bec5fdd3be6ce0f24b8f74037277abe34b0f0ff5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9WkEypol61WL.bat
Filesize
207B

MD5
069b9f9f37fc556f08c7fb10c65c2b95

SHA1
529c55437356023ee4a88adc2919f7bc576dec17

SHA256
550f230b4889d789783f8689794f2d620f55a5ee4dfc4053037900407360cff5

SHA512
beeea687325036534a470042f45021dc0a3ffafe99a361d172cb9b0c9dbd2fa43302353fd21b0850d6e7833c61498c143937ed5c56e35970cc3b31dd168bd2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ae8fBS25vbKi.bat
Filesize
207B

MD5
642fb61a26ab58ca0e7b670d1b102db2

SHA1
0a22eea84de1806bccdeab63a292d67225f26a51

SHA256
463504bb9812d135cc96c480187c192cb50878a0f1ac8efbfc8adcdf1cf57032

SHA512
25385ac784cda144f92e8ed8f89757787f27fbddb31729840d105e8f6743c9489d4576adc8e071c706e5b6037c6bac5c65338503940a636f567c62e283dcd242

Download Submit
C:\Users\Admin\AppData\Local\Temp\GCFhHqSiCAk2.bat
Filesize
207B

MD5
6d09e018e667eefc7bd5a64b37a30580

SHA1
c21d1d3c883617c80301e2de71e83f0eaa8612a0

SHA256
e53cf16ae5aae848ff111df60ee4bd8a311825fc85a9b4f307257af5d247c4c7

SHA512
fc4fa3bc4b126bffbc336f9448f25ba7dee298023ef9bafd1d3253e92fd0f4bdcce274ce400073f171e381b5ff0d2be5182275c815f70738fde1a806da68da71

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMDApEMYMpOU.bat
Filesize
207B

MD5
69b26fd7d552746ebe71721e3f8ad3f7

SHA1
fbd1f929d55e6e832f2e3ba1eb605931edfd1db7

SHA256
4679ce8ee600428be3dc91836d7bd06549bf4df672e492216e9601900939c83b

SHA512
5ea02e349ea41bc03eb67881423d7a50a56d9793daed0e53ff6ab99224963a08d5a73dc39e2373e7c1e8e806ba7cc8a7ada374a2065fda64e56681eb3aeac08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hv956tX912zg.bat
Filesize
207B

MD5
1dbbdd51870908a64ddef12ab5eca127

SHA1
33eedf8ba9523219ec40fc3de232e3bb6246e8f5

SHA256
ba5b8648aed458137f71935e68f84a68e07116e16d40d609343a528a6299dfa3

SHA512
6811bad1f851784930a22e4a657771b0bfc5eb974f6e8bb996fa3e140acf9417d8bb82b59fd342253d16cff4fc350fcea32c14a9126cb96dcb9058b71d09c63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KXTmV3YZX88q.bat
Filesize
207B

MD5
8ea39ca02c14475cd5e792b3e53eee62

SHA1
b052284bdc1acc5605753bd102e207eb8929058c

SHA256
091e47c638bc5c865ba1928bfbefa6df6103112dddd7e7a18ea144a4e5d66ec9

SHA512
e132d02ca62310a0a4264d979e2b625fc1e0f91d974c53956ad4f1210ccc164d81481ab8f5288a52084ea09d68d09ba55a038c2ae1c9cbb32419bf823960381b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtWS8scs8b6t.bat
Filesize
207B

MD5
53421eeedb270282a8889f12556865b8

SHA1
3aba43acee4b5db9ee9b88b39e04ef3555c12b5a

SHA256
a43e0b92091cb8768c9e3f70b4b23cbd4329ef45b7dff1733427a33489a239e4

SHA512
83ec53ae30404f1278b400ed5b7d73538deae0ced6c45fa96a92d812580b76f45d7d48a4a79287db0b91d03fd3b6cf1bde7022b437af9e59b9846ae786e5cc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\KyM8gNhIB3tq.bat
Filesize
207B

MD5
5c1876b15a610acc45fd8fe1ca3f83ba

SHA1
6fa5bd40b43d61185e53990db266a6b4119187bb

SHA256
9371218023c47b44d9133bf4d1b6610bf74d2d954192fb94cf708d848badb838

SHA512
bbbce39d79940f5af5b2cb5eda4de967f226fae06d9923563a46142cc749ef46ff3f02e7ed9ce75bf110e9679322c9a1719b1c18e90aa84e735192333ec11313

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUJ9Z5KhbVpN.bat
Filesize
207B

MD5
7555300c7a40a741aa2dadb0a92ef439

SHA1
671f862e2dd5b2792890a41f705ed4e0f9fa12c9

SHA256
18dfb583053ac9bae1cff8b231577eba4238d59d339300f7d30c6384caa648d2

SHA512
175ce2840cd975b4f1b2c45eaca7e34170c387c06631023b85a8b20d2afe4b565a588ceafa409763a5831ca4697c45bccb2b54add5b5bc3f86d76d172a4fe909

Download Submit
C:\Users\Admin\AppData\Local\Temp\VuF0g6MhYhiO.bat
Filesize
207B

MD5
b4c5dfabb5be0bc437ff176ae36ed98c

SHA1
2222811d2edf7ff5a86b2a2e90ee0654fd9d1913

SHA256
0a8b9311fdaf16e12802b24d09a872a734be4f817958c4e5a34cdf043877c34e

SHA512
179a34a821cd5f2845921793c8561121cf63e387db4477b5b6146513f0cd7c71013bd41de31e486797d2dbdb6f61219bf7e17861a048950f15cc9c4c4a1c2bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOkS9DGgIjht.bat
Filesize
207B

MD5
10873dc762ee87cbbf70e7ff38be5162

SHA1
bfeb2bf2f4e1d1f44c6d340104bc87ff165bfa88

SHA256
9a151071c5fd4f73bf6e53ae9af85d5bcd49b6d65ee30854cc21fc767e37050b

SHA512
63b7526e011d58a33f448675a7ae16e0b32e2fe8b2a4fa51e5416620eff94e0914e97e8e9b162dc60c50649d17b16f5628b6c2eb2c30d7dfe1a818113e7a4102

Download Submit
C:\Users\Admin\AppData\Local\Temp\bAxHT6aadUIS.bat
Filesize
207B

MD5
50f19a4c82d69b04647d0b2bd9aa460f

SHA1
77137f1cc512351b82f58d2aa075a8f266b66e6a

SHA256
a2e53dec28ec1fc45149d10696cefa0b4a7b8b4526d5db1d13817e5a47f932d4

SHA512
bdb591568597f3ddf58759e4d9a430fb1ce53b99a7358105bf06af63f7dc486b8aab2713daea611c796e184e8445407d1c71005b2ea2c6c2cdb539d44eaf391c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2XFdDAWHZRN.bat
Filesize
207B

MD5
8b7ab6a4a5ecb6572fa9549d3e039213

SHA1
11bc407cbbd6292300b6a99f8876c9fd11bc4e76

SHA256
92b96086c8a583218c49837b55ca5db30bc338d85bd9dd9834f0f6580c35322a

SHA512
9633c90aa07c8eb82971e29f7ca2078ac098582035d6367afb99e1419b68e84c7dfe1e3587e3290a27fa17d0731808eb5173d2a8da5fd32393d7f21bac05f89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kafHkbaAZ9rg.bat
Filesize
207B

MD5
6b3dca641d6ddce5f33ae9dd2562535e

SHA1
0e89b41c55d53d9fc3e53584a5750f78d5916f76

SHA256
fe1f462cebd7c3c437e23c7ca0126948c7e2df4726ad59a2457c9df6692b8f41

SHA512
195d77e18fd610c467a2a8a69215bfd3af9f25fff3c917639c821d983138a68b1065e1c8ecc2f3b3f67a7981c6e5af1842abdd20f72e3d0aef6727d97ee103e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwmI04GpUc1n.bat
Filesize
207B

MD5
742d080041128cffca351e1ce471c335

SHA1
b6c1d590daa5568fc1d19821bbff42709373b12d

SHA256
1145f6f937be9cf5b5377422174ff758ca4cd0401b45582612204f2f51321180

SHA512
b8c970432e5f4e095581729b65c70750daa7aa779c3657b3dbc6025c35734fd140eac1f053337187d2024bf4899edd97224ddf44a553e1a5a9f413b74f5d3fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lPM4RWBOqU4d.bat
Filesize
207B

MD5
dee43e7885f0dd3515c65ad620fae1b1

SHA1
847efc04ce6118bb27c8e90bbc754af0264090c7

SHA256
c1c23edd3dc0d36b9ec2671b730ab3b4c4a644b4af1a41a4b75b0eb151145176

SHA512
3e62daeeac4c3aa3bce434bf0f204b69c9ad872dfb81199433eaec21cb45c62cb21ca58814454ae4c3664d391fe55047ee54734914c43dc9ad0ddf73dac07e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tolvZaumkVXy.bat
Filesize
207B

MD5
f0d1a7947d010b7b4925d7f1a9321b31

SHA1
8c53030c4b3da36a8a09092dcdbd7b3e7cfe1e33

SHA256
1cee2e253c92edb298be842e4abd3676d711f5d31b135a1066006f81b6fa028a

SHA512
056acefc0742649a60d87d3e97db30dfd617517cedb11f9019c009cc87b7b4aecaf12918e9b63688f0586c59aa41812cc5c929a1af0c675722211362984b07ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\wz1XFP5nvnHK.bat
Filesize
207B

MD5
5757f2012a03d1df927f965f72f792c6

SHA1
eeb99424cc10d2dbe8e7662cfd33b04a9433ee4b

SHA256
2939dd2e4b8eeded0dd9f8095d75cd2d3574b688f05d7a678ea8a13953d85926

SHA512
0ec1f89846fac7aae0d3d30cf6b3a4fe00c277e3469b844f1e9c6a7a9647ef70f8a76f48e110154a5bec360f6e31dd6b735d70885026b1ee7aa2e25ddfcbf0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxOuHOBX2MOX.bat
Filesize
207B

MD5
801ec63946e547281ef802433a2f983e

SHA1
e9e35aae7f324d2d3b62e12489319bc2ee7c9814

SHA256
47fc06faf6dc604be3bc15625f6b5453cde89d0737e2f011cedcea9c4a420952

SHA512
daba53c7f99ad03f5a89bf00b64a608ce1e09e5128a323c8b112860d3bcbc1e9eeab1a94441eceeb32322cb2c0c721acab732ebf40bca557a84584da65bf0b6f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
54771e6b9d60860b7034837b65e94bbf

SHA1
d3e29d50c870c65506fe133792f655e2f6c67fd1

SHA256
275ca756d1f09d9f4e95faed0a5b0fdf0f43b143d8cd875e047853b57fded292

SHA512
ef85240c567c7a08cb571906201fc2369b390f5f73637ee0f1506e20654fbeabad1091311af1d893ddf668392f49f50bd8c8331920d5689af4818f1e05b91de5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
2e1ac8f2f90a1d7aa82ea67218888257

SHA1
80aaf29d4df08219c694937784582fe83733d394

SHA256
6806ceca8d36245d49fd89ba685a08ed6ae48de14d4ca8b4680cfcddb6801fc0

SHA512
151ca309f4cc49a08a4e1e203d11481a523ba1b4f009240b171c7b300461c4fcac271a9027481cdf6412dc4999d96c758945af26fe0b03ca02d8365a9032fd87

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
0353ff67c8d57ad04574dc8608020243

SHA1
b1d5bc6a497321adfd511b0b1fdf07dd4295ba5c

SHA256
59971f0ae6e7eaf9b88bbc2a8f99b10407c5931f61d7c59be575cd2db38a7d19

SHA512
cf5514d37c2a22bb3b0fd181f6969fed28d45e30fee159d5655d767754e9950ef6da8394165952940923b3f06ce1b1a5d59b6b82a701575cefc919f9894f0702

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
4b64df39a852084c776f05ab268d1c5f

SHA1
93bfaa9f8205ae8aeb392acfebebea52483c01f6

SHA256
3ac0a991e31c8d4167b2a9986f4f852823be8cbdd85a381688799ee7543ca8e6

SHA512
fcf19f3753cecaa2649478b700920a3b2b9768ebdca4c2b3e948d2241f1b636eff2eefacbbfca29ebf014111bf713b543fdb084068869c10f2b7dee003a18ee5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
9aadae02c98246885f041af00a166652

SHA1
6a61ba9f59eb3b819af28c47ae27cb4a246d500d

SHA256
d4ae0b65b735ea0f438c0e7c398a66c4abb5e8fe68e3c718e9708424067a15b4

SHA512
d9f856b4fb04f7ca03187fa5619c9f8c9269c696de4356967237f35579914ca97a6951020ccb9268c175d55313cb0fbbcddce5f845e648ce2dfb64e3c04d7fc3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
b73381a4642b5a47a8cb584bd422ce43

SHA1
3a9248e21ba00fb7e9e3ecf9f618c38cf907558f

SHA256
4ad722e533a9d419e60bc9bd0d146b8edb3ed5cc93d4c57df654b8926ebb791b

SHA512
13f15a69bf9f97e8fc92c9d5cf3b405a1412a12d4c373b9c2bf24450762f96e0da9061d075b4b1fc155795287e132d5e1fe0b57df19db06a8cff56122ca38fd8

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
487a81712b117e1382d05a2c66f8e37f

SHA1
d8f381a7de7c6618749dc4737964f3048de93447

SHA256
45b403c0c2fe1fd2179a2951daf3ab70339ff28bceb8d72255a37d9e54faf6bd

SHA512
53a307a67805cd5b6e2be44dec06b9fe6e63c333cd80efbea1939546f202b4f6fbf567fb9112fed486bff03a7c6c66c6a1c475f18f830ac6e0448bcfeb31372f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/2904-19-0x0000000006000000-0x000000000600A000-memory.dmp

Filesize
40KB

Download
memory/2904-17-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2904-24-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2904-15-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2968-16-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2968-8-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2968-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/2968-7-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/2968-6-0x0000000005EB0000-0x0000000005EC2000-memory.dmp

Filesize
72KB

Download
memory/2968-5-0x00000000051B0000-0x0000000005216000-memory.dmp

Filesize
408KB

Download
memory/2968-4-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2968-3-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/2968-2-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/2968-1-0x0000000000730000-0x000000000079C000-memory.dmp

Filesize
432KB

Download