quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
591s
max time network
608s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (101) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral18/memory/3532-1-0x00000000001B0000-0x000000000021C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 28 IoCs

Processes:

pid	process
1348	Client.exe
2108	Client.exe
1712	Client.exe
3136	Client.exe
3356	Client.exe
4684	Client.exe
3036	Client.exe
4044	Client.exe
724	Client.exe
3804	Client.exe
1880	Client.exe
3384	Client.exe
2520	Client.exe
3888	Client.exe
624	Client.exe
4332	Client.exe
640	Client.exe
3640	Client.exe
1036	Client.exe
544	Client.exe
4980	Client.exe
3224	Client.exe
4572	Client.exe
4628	Client.exe
3576	Client.exe
696	Client.exe
4716	Client.exe
2636	Client.exe

Looks up external IP address via web service 27 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
28	ip-api.com
57	ip-api.com
26	ip-api.com
32	ip-api.com
36	ip-api.com
59	ip-api.com
62	ip-api.com
16	ip-api.com
18	ip-api.com
20	ip-api.com
13	ip-api.com
38	ip-api.com
41	ip-api.com
22	ip-api.com
30	ip-api.com
44	ip-api.com
49	ip-api.com
34	ip-api.com
68	ip-api.com
55	ip-api.com
3	ip-api.com
11	api.ipify.org
46	ip-api.com
66	ip-api.com
24	ip-api.com
52	ip-api.com
64	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4012	1348	WerFault.exe	Client.exe
1820	2108	WerFault.exe	Client.exe
4376	1712	WerFault.exe	Client.exe
1164	3136	WerFault.exe	Client.exe
4432	3356	WerFault.exe	Client.exe
3120	4684	WerFault.exe	Client.exe
968	3036	WerFault.exe	Client.exe
3540	4044	WerFault.exe	Client.exe
3356	724	WerFault.exe	Client.exe
2372	3804	WerFault.exe	Client.exe
2232	1880	WerFault.exe	Client.exe
2960	3384	WerFault.exe	Client.exe
3676	2520	WerFault.exe	Client.exe
364	3888	WerFault.exe	Client.exe
3208	624	WerFault.exe	Client.exe
1092	4332	WerFault.exe	Client.exe
4492	640	WerFault.exe	Client.exe
512	3640	WerFault.exe	Client.exe
3144	1036	WerFault.exe	Client.exe
2668	544	WerFault.exe	Client.exe
2152	4980	WerFault.exe	Client.exe
216	3224	WerFault.exe	Client.exe
3880	4572	WerFault.exe	Client.exe
1644	4628	WerFault.exe	Client.exe
548	3576	WerFault.exe	Client.exe
3732	696	WerFault.exe	Client.exe
4396	4716	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4572	schtasks.exe
1712	schtasks.exe
2756	schtasks.exe
1528	schtasks.exe
2720	schtasks.exe
228	SCHTASKS.exe
4656	schtasks.exe
4372	schtasks.exe
224	schtasks.exe
1160	schtasks.exe
2584	schtasks.exe
4364	schtasks.exe
4376	schtasks.exe
1476	schtasks.exe
1776	schtasks.exe
3928	schtasks.exe
4364	schtasks.exe
1412	schtasks.exe
4432	schtasks.exe
4436	schtasks.exe
2420	schtasks.exe
3712	schtasks.exe
4796	schtasks.exe
4332	schtasks.exe
1936	schtasks.exe
228	schtasks.exe
1828	schtasks.exe
4472	schtasks.exe
3828	schtasks.exe

Runs ping.exe 1 TTPs 27 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3576	PING.EXE
3708	PING.EXE
1436	PING.EXE
4672	PING.EXE
3216	PING.EXE
920	PING.EXE
2760	PING.EXE
1740	PING.EXE
2912	PING.EXE
4352	PING.EXE
3576	PING.EXE
3132	PING.EXE
3304	PING.EXE
2588	PING.EXE
1348	PING.EXE
4472	PING.EXE
1616	PING.EXE
5072	PING.EXE
1564	PING.EXE
1932	PING.EXE
1476	PING.EXE
2008	PING.EXE
3636	PING.EXE
2388	PING.EXE
4984	PING.EXE
676	PING.EXE
4904	PING.EXE

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Uni - Copy (101) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3532	Uni - Copy (101) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	1348	Client.exe
Token: SeDebugPrivilege	2108	Client.exe
Token: SeDebugPrivilege	1712	Client.exe
Token: SeDebugPrivilege	3136	Client.exe
Token: SeDebugPrivilege	3356	Client.exe
Token: SeDebugPrivilege	4684	Client.exe
Token: SeDebugPrivilege	3036	Client.exe
Token: SeDebugPrivilege	4044	Client.exe
Token: SeDebugPrivilege	724	Client.exe
Token: SeDebugPrivilege	3804	Client.exe
Token: SeDebugPrivilege	1880	Client.exe
Token: SeDebugPrivilege	3384	Client.exe
Token: SeDebugPrivilege	2520	Client.exe
Token: SeDebugPrivilege	3888	Client.exe
Token: SeDebugPrivilege	624	Client.exe
Token: SeDebugPrivilege	4332	Client.exe
Token: SeDebugPrivilege	640	Client.exe
Token: SeDebugPrivilege	3640	Client.exe
Token: SeDebugPrivilege	1036	Client.exe
Token: SeDebugPrivilege	544	Client.exe
Token: SeDebugPrivilege	4980	Client.exe
Token: SeDebugPrivilege	3224	Client.exe
Token: SeDebugPrivilege	4572	Client.exe
Token: SeDebugPrivilege	4628	Client.exe
Token: SeDebugPrivilege	3576	Client.exe
Token: SeDebugPrivilege	696	Client.exe
Token: SeDebugPrivilege	4716	Client.exe
Token: SeDebugPrivilege	2636	Client.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

pid	process
1348	Client.exe
2108	Client.exe
1712	Client.exe
3136	Client.exe
3356	Client.exe
4684	Client.exe
3036	Client.exe
4044	Client.exe
724	Client.exe
3804	Client.exe
1880	Client.exe
3384	Client.exe
2520	Client.exe
3888	Client.exe
624	Client.exe
4332	Client.exe
640	Client.exe
3640	Client.exe
1036	Client.exe
544	Client.exe
4980	Client.exe
3224	Client.exe
4572	Client.exe
4628	Client.exe
3576	Client.exe
696	Client.exe
4716	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (101) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3532 wrote to memory of 1412	3532	Uni - Copy (101) - Copy - Copy - Copy.exe	schtasks.exe
PID 3532 wrote to memory of 1412	3532	Uni - Copy (101) - Copy - Copy - Copy.exe	schtasks.exe
PID 3532 wrote to memory of 1412	3532	Uni - Copy (101) - Copy - Copy - Copy.exe	schtasks.exe
PID 3532 wrote to memory of 1348	3532	Uni - Copy (101) - Copy - Copy - Copy.exe	Client.exe
PID 3532 wrote to memory of 1348	3532	Uni - Copy (101) - Copy - Copy - Copy.exe	Client.exe
PID 3532 wrote to memory of 1348	3532	Uni - Copy (101) - Copy - Copy - Copy.exe	Client.exe
PID 3532 wrote to memory of 228	3532	Uni - Copy (101) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3532 wrote to memory of 228	3532	Uni - Copy (101) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3532 wrote to memory of 228	3532	Uni - Copy (101) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1348 wrote to memory of 4432	1348	Client.exe	schtasks.exe
PID 1348 wrote to memory of 4432	1348	Client.exe	schtasks.exe
PID 1348 wrote to memory of 4432	1348	Client.exe	schtasks.exe
PID 1348 wrote to memory of 748	1348	Client.exe	cmd.exe
PID 1348 wrote to memory of 748	1348	Client.exe	cmd.exe
PID 1348 wrote to memory of 748	1348	Client.exe	cmd.exe
PID 748 wrote to memory of 4316	748	cmd.exe	chcp.com
PID 748 wrote to memory of 4316	748	cmd.exe	chcp.com
PID 748 wrote to memory of 4316	748	cmd.exe	chcp.com
PID 748 wrote to memory of 3216	748	cmd.exe	PING.EXE
PID 748 wrote to memory of 3216	748	cmd.exe	PING.EXE
PID 748 wrote to memory of 3216	748	cmd.exe	PING.EXE
PID 748 wrote to memory of 2108	748	cmd.exe	Client.exe
PID 748 wrote to memory of 2108	748	cmd.exe	Client.exe
PID 748 wrote to memory of 2108	748	cmd.exe	Client.exe
PID 2108 wrote to memory of 2584	2108	Client.exe	schtasks.exe
PID 2108 wrote to memory of 2584	2108	Client.exe	schtasks.exe
PID 2108 wrote to memory of 2584	2108	Client.exe	schtasks.exe
PID 2108 wrote to memory of 4164	2108	Client.exe	cmd.exe
PID 2108 wrote to memory of 4164	2108	Client.exe	cmd.exe
PID 2108 wrote to memory of 4164	2108	Client.exe	cmd.exe
PID 4164 wrote to memory of 4324	4164	cmd.exe	chcp.com
PID 4164 wrote to memory of 4324	4164	cmd.exe	chcp.com
PID 4164 wrote to memory of 4324	4164	cmd.exe	chcp.com
PID 4164 wrote to memory of 2588	4164	cmd.exe	PING.EXE
PID 4164 wrote to memory of 2588	4164	cmd.exe	PING.EXE
PID 4164 wrote to memory of 2588	4164	cmd.exe	PING.EXE
PID 4164 wrote to memory of 1712	4164	cmd.exe	Client.exe
PID 4164 wrote to memory of 1712	4164	cmd.exe	Client.exe
PID 4164 wrote to memory of 1712	4164	cmd.exe	Client.exe
PID 1712 wrote to memory of 4572	1712	Client.exe	schtasks.exe
PID 1712 wrote to memory of 4572	1712	Client.exe	schtasks.exe
PID 1712 wrote to memory of 4572	1712	Client.exe	schtasks.exe
PID 1712 wrote to memory of 3980	1712	Client.exe	cmd.exe
PID 1712 wrote to memory of 3980	1712	Client.exe	cmd.exe
PID 1712 wrote to memory of 3980	1712	Client.exe	cmd.exe
PID 3980 wrote to memory of 4944	3980	cmd.exe	chcp.com
PID 3980 wrote to memory of 4944	3980	cmd.exe	chcp.com
PID 3980 wrote to memory of 4944	3980	cmd.exe	chcp.com
PID 3980 wrote to memory of 1564	3980	cmd.exe	PING.EXE
PID 3980 wrote to memory of 1564	3980	cmd.exe	PING.EXE
PID 3980 wrote to memory of 1564	3980	cmd.exe	PING.EXE
PID 3980 wrote to memory of 3136	3980	cmd.exe	Client.exe
PID 3980 wrote to memory of 3136	3980	cmd.exe	Client.exe
PID 3980 wrote to memory of 3136	3980	cmd.exe	Client.exe
PID 3136 wrote to memory of 1776	3136	Client.exe	schtasks.exe
PID 3136 wrote to memory of 1776	3136	Client.exe	schtasks.exe
PID 3136 wrote to memory of 1776	3136	Client.exe	schtasks.exe
PID 3136 wrote to memory of 3808	3136	Client.exe	cmd.exe
PID 3136 wrote to memory of 3808	3136	Client.exe	cmd.exe
PID 3136 wrote to memory of 3808	3136	Client.exe	cmd.exe
PID 3808 wrote to memory of 3996	3808	cmd.exe	chcp.com
PID 3808 wrote to memory of 3996	3808	cmd.exe	chcp.com
PID 3808 wrote to memory of 3996	3808	cmd.exe	chcp.com
PID 3808 wrote to memory of 3576	3808	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1412

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8xVKh48LzsYN.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4316

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3216

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xq4jWGZiUxWy.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4324

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2588

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Y7TZ1Qx4r42.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4944

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1564

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JMraDsezLWy1.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3996

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3576

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3356

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dAchrks1cBsz.bat" "
11⤵
PID:2296

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1388

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1348

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PBWmHX2T5W9G.bat" "
13⤵
PID:3148

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:5012

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4984

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hm7v9TJ5BWgv.bat" "
15⤵
PID:2904

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:1736

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3132

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3rlWSTpI4jcm.bat" "
17⤵
PID:4608

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2216

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3576

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:724

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hVn195zqQU04.bat" "
19⤵
PID:2908

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2632

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:920

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3804

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEgFabUeNWlk.bat" "
21⤵
PID:3308

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:212

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2760

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pLFw0UXegIsE.bat" "
23⤵
PID:3636

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2460

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4472

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3384

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4d2V6PzHkBCN.bat" "
25⤵
PID:3712

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:3244

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1932

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aXSEjM6srHwY.bat" "
27⤵
PID:2652

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:836

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3304

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3888

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4wj9c7cNHPmo.bat" "
29⤵
PID:1596

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:724

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:676

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:624

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pxcE2umpjj35.bat" "
31⤵
PID:3112

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:3720

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:1740

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xfhjgg7IBy7r.bat" "
33⤵
PID:2984

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:3400

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:1616

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:640

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1MyUXiHT6OUj.bat" "
35⤵
PID:4972

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:404

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:4904

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3640

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mNsZyVSvZjl0.bat" "
37⤵
PID:4568

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:2028

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:2008

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGFjZQ2bacRV.bat" "
39⤵
PID:3004

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:3256

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:3708

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSNffGbgp4uS.bat" "
41⤵
PID:2456

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:4292

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:4352

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Iak6stp0ddjq.bat" "
43⤵
PID:3800

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:4716

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:1436

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BBLFjp6cjdFV.bat" "
45⤵
PID:396

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:2148

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:3636

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4572

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wCFLAcH4ByWm.bat" "
47⤵
PID:464

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:4552

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:2388

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G00SoTU6SdQk.bat" "
49⤵
PID:1072

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:4436

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:4672

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3576

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KhGDfVfGO3nc.bat" "
51⤵
PID:3100

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:3492

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:1476

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:696

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMcsQeIduwzr.bat" "
53⤵
PID:3208

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:3908

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:5072

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pm09cYBcDnJq.bat" "
55⤵
PID:380

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:2324

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:2912

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 1688
55⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 1672
53⤵
- Program crash
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1096
51⤵
- Program crash
PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1084
49⤵
- Program crash
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1092
47⤵
- Program crash
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 1096
45⤵
- Program crash
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1716
43⤵
- Program crash
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 1088
41⤵
- Program crash
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1608
39⤵
- Program crash
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 1688
37⤵
- Program crash
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 1096
35⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 2236
33⤵
- Program crash
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1092
31⤵
- Program crash
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 1092
29⤵
- Program crash
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1672
27⤵
- Program crash
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 2232
25⤵
- Program crash
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 1092
23⤵
- Program crash
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1096
21⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 2232
19⤵
- Program crash
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 1096
17⤵
- Program crash
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1708
15⤵
- Program crash
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1092
13⤵
- Program crash
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 1092
11⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1708
9⤵
- Program crash
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 1088
7⤵
- Program crash
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1644
5⤵
- Program crash
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1656
3⤵
- Program crash
PID:4012

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (101) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (101) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2108 -ip 2108
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1712 -ip 1712
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3136 -ip 3136
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3356 -ip 3356
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4684 -ip 4684
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3036 -ip 3036
1⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4044 -ip 4044
1⤵
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 724 -ip 724
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3804 -ip 3804
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1880 -ip 1880
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3384 -ip 3384
1⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2520 -ip 2520
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3888 -ip 3888
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 624 -ip 624
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4332 -ip 4332
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 640 -ip 640
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3640 -ip 3640
1⤵
PID:2604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1036 -ip 1036
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 544 -ip 544
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4980 -ip 4980
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3224 -ip 3224
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4572 -ip 4572
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4628 -ip 4628
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3576 -ip 3576
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 696 -ip 696
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4716 -ip 4716
1⤵
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0Y7TZ1Qx4r42.bat
Filesize
207B

MD5
c5cdb812db7c5f95a4df7f882d54e92f

SHA1
9357bd13d520e91b8f8a2815eec808d9ee2fa62e

SHA256
0dd1c2c6df9d0d2615914692cb825a9c8032101902d4a161d60e32766132c3e1

SHA512
7c7be5905a858b7d83603469848decd5cf9e5f830bbf4be678c483524ccc01faeeebdf348820e7d6200cf1d5800d4b2af0a29057f43144da8ce30eba35946f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\1MyUXiHT6OUj.bat
Filesize
207B

MD5
c16ac140d242fe2fe8c42fafcb49611d

SHA1
5a4bf4b2bf54bb7c5028b5dba609f83dffe4fc0f

SHA256
2ab0b3327c98bd31a73cce0eb92caee2562fc760de0d5690ea4c5d1417b3b294

SHA512
172ba70e2b3bf7ee4a1b147990c9bbda93452bf6d0da9101450fb0bef00ac13ce8b4b48368a9112bac4baf93f7e588903d2a79a672d29b9a5bf7d5d04eb57075

Download Submit
C:\Users\Admin\AppData\Local\Temp\3rlWSTpI4jcm.bat
Filesize
207B

MD5
6649eba1f09647d86aa0c876ee69893c

SHA1
3c648f2cb004905bb7107b4ec1a910ea2bd570e4

SHA256
aa2245334d08a15d4c504a0a599e1d6ce97e03d47d458dfd91dbb95dbf54b7ad

SHA512
51c8e6a0a5d8da9483065c14d39c49b2e5c3369ad6ced4fbe6f188dc313d3b7fd4a64dc9baaef6fb409ca71691623a0418576007b179b9df4ebe0507634e39d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d2V6PzHkBCN.bat
Filesize
207B

MD5
f7dd8f696ad07af4f6978b1aa8790d1e

SHA1
487a1a49a603fc0e077b5457cb3f3bf6c9cb6e26

SHA256
2960d711b1e179e1254487c2e8350bee9be850f70006635154f0b7e099852b2a

SHA512
5bae2e1b350bf99023762e2d8eb13e562406ee3754edb0ec01a31af1c1670de29634273c41ef046b82740c18a1fbd658bc435b9370bf294cdaabbe929242d39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4wj9c7cNHPmo.bat
Filesize
207B

MD5
bb4818bf5607c8149aa7035744c4e653

SHA1
26d5cbc9fc8db0a9d5fc87ae7d95b3fab74d5c1e

SHA256
b717413d605f3cffd8b6aea9341bce0e9e37c36e8f3a47c98d493b3d2e5e829e

SHA512
c755ed84cb1629a7b26b9a4b93b25ecfbbc6d375d45abba365dc025a96e5130f3c1c3dd5aa602224ed759d5227ce215d429190721958947b1ad95a5457a64ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xVKh48LzsYN.bat
Filesize
207B

MD5
2fb77a7eb41730ecb635bdfe3be20046

SHA1
54adb844ace55d034939a3379ee530e83f331508

SHA256
ce58350087d5852d1fa8b7f7b133ab97cb83c866aaa3f74092b87d036a112fb0

SHA512
94aac8c90f1af86226d5ae34552da35a27eb70abc39169ec4b6554df2e422b3b99cad32cd2b7bfd4ea414ead12855e9ebb1d2eee7b272c1fb2d1267f7f8f31a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGFjZQ2bacRV.bat
Filesize
207B

MD5
91989aab96c9d146e36cc386e5d796e0

SHA1
4a726d488a7bb2f40f936bfebe7acc8808488d5b

SHA256
ec338047be3267d4e11c301a2e1d10ffe5d25e491ddb918845ff02367c50a388

SHA512
c190a7974bda4293b966ea96a0413866b27767f72e50fb20ae07a1a9572ab69cc00b60901482eec583d1d401cc7d1435581e5f8065d48644b8bcbb66958e3a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\HSNffGbgp4uS.bat
Filesize
207B

MD5
f606f6c99541ee547dfe192091bb7800

SHA1
1d660a6dd5ebb05d5efd1ddc10e3fdc10b34f255

SHA256
17020724dc2feed0dc0de2027e3846735416cde4b663265ef163a79ef95cfdc0

SHA512
53fcbfceb236b242054eec60db9eb9e94b086f114cb49ee0a7a7752119952e548537562c0293cc025f85899ab05eba8b858568820a6b27eee154f8a796b9347f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hm7v9TJ5BWgv.bat
Filesize
207B

MD5
597f27b309833032c88b4dc42db8a08b

SHA1
ef26db2702d7c9eb6cdb7085e2226807979dc83c

SHA256
f8d881a10f0ba3df9c8f6cea962950a000b5cb5e6f4ce40c668fc0acf3004eec

SHA512
b89c50d588d29087ae2797201fd306ae174c0db16e07390e14a0f3234241bbfcf5df37ae104d492f873181d85e0475d0c7393ebe1df260f86a6e4c4b3f7c08d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iak6stp0ddjq.bat
Filesize
207B

MD5
64c378f3bd607eca0170320ec28b00d5

SHA1
aa2f32f16d952e98a916719ac1356497c7a21a08

SHA256
b9859cdd8dae1fe180fee3fe9762b242782285308401593741063290fe8c5675

SHA512
ec63f4b452812b17a132b8561b5f81ed65b746c63b6bdddb7e84169f7d12ece42dd025ffe8611c2103ec3c29042ea07445bd46ba2df8f9b39a0d8c038c67fca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JMraDsezLWy1.bat
Filesize
207B

MD5
1549b9d6732d09bdb5dfc12edc086f71

SHA1
95cb59810c885d8612e76f583cacd8c054738486

SHA256
2008f5beac9a3d4e63b798679b23a7f4d66bb1c4ba08bbf3378b483d2c534f52

SHA512
1258bd61de98c22877cacd445b6e3fa6790858941190590735a0fdf6b14aa41cfd6ebdac6145571ee8f56f25ed9c2518381859409f8399e8b2cefe376e2ff5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\PBWmHX2T5W9G.bat
Filesize
207B

MD5
319c30a4359aa5f880ff6d290336af37

SHA1
9b577b03903b2fbb97e4eff4d6342270bcae0831

SHA256
67de5b0729d70b09d40b28db38aeb2c2e1bc3e8802899763841a8ffccf39a68e

SHA512
fcd2c7172739bbfd0a4cf11c89ad644bc10e74c58a75f49e4f4c59383660699c41b4dff2bf8bcf96bbf9b315ce7bb6fadce3a66dd41440aae32a0cbc24bd602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xq4jWGZiUxWy.bat
Filesize
207B

MD5
034432c4aab8b76f236581376e9dc35a

SHA1
9ab1b728419e2bd7f43ecd91a7fecba85cdbc349

SHA256
23c245d3d0ef4aaa162c358c4fc2df87fc5985e62fb640281bde4fc8c7546faa

SHA512
e3138db589f17ae7d50eae4a7d2116ea29e965231d14f3b7924bfa0f6a18aa1444b2b883172d79abacd82e62133d62d0fbe6a70e9ae1fbc1a02a1df4ca98eff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aXSEjM6srHwY.bat
Filesize
207B

MD5
a0a8d9fed42c27c36af850465bde9279

SHA1
ee50ed9d6a55c0a6143bb17ff87d74f4bbdb84d7

SHA256
567bc429e2e07482c899b76468ae31e096263075fd671f87489b585c40ddb6c7

SHA512
80ad9a9e89a9ecfb75210555d92f02030c61c3d1b9690a6be3e20bfaf13a7afcfb812cd2dd410bcc93aa19c0cab664a0aabf9282d8e19eb88676b3f424d6edd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dAchrks1cBsz.bat
Filesize
207B

MD5
49a05ab9d9ee7e37d36d2f147ae63d51

SHA1
49a7544639b06d30d0c7347f0cf55c84016ae2f0

SHA256
abe58eb8e11f0dc8505b97de56fc14e30c5a96ba3298a2c0025c3cb7e9cc8eed

SHA512
9c12e7308d0ce686927b71519b6c21cc498e28e59f0bdb9af0692b0ab3a549d505876187f3e411d561d769a401245acee9269e05fd63478f579e8679339a88c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hVn195zqQU04.bat
Filesize
207B

MD5
a1ecc3acbe7d7efecc4340e727148b02

SHA1
e4c957549d1003aaed4a443d1e9b3a67bcf48767

SHA256
5026597f2de6e4587fd544b595acba6abec1cefcfd6a1f56a52d373c3376ba92

SHA512
fdee1a331e0dbe1010d4f16eb67826a67ebf43ff8ba5e16cd7c059042d0cd531314a2247d01cd23f55de977e9254b5b1b3a4a430a4a4a5fd12fcb92c4675efbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNsZyVSvZjl0.bat
Filesize
207B

MD5
073d8ec8b35206dbb53578611bc7bc5c

SHA1
22b70a44c5294682ca12a9327cccf691e1436c69

SHA256
95efaac2f215bfdff7442e031aad2a6d03a49d1787fd1f8e37b39c66cd161637

SHA512
f69d9c548bdb18f6721c2010309b98f26aa1d9a5ce412afd166a67314bbf892f88b97e8c1e50a6a5a7ede81f7ae8d259c8156d2ded60d8a6d367b19173f35c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\pLFw0UXegIsE.bat
Filesize
207B

MD5
4ff43a18e6545bf4d053eda478584ebc

SHA1
840acc065ef9bde16f9b85475c6bd5b2ad4f121c

SHA256
350689e461ad84b1841491d2246ea32fbb330e9696ee94353ee4e8e6c9252672

SHA512
69e7a88e6c4885fd485521dd9a0578a118857a81a60150b91addc7a56acb940fbfa53c5f246d549df9af5f7f649e51cd466921bc5d86db3e60189f17fff8c14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxcE2umpjj35.bat
Filesize
207B

MD5
1a53885a671bcf101f750552154d3ef4

SHA1
0a326b01b3de9883b64e321f2ae2a9c7d628a061

SHA256
8f883694ea499e213da8e6ed720a7bd83011345ebc248f5365324deb932a3e7e

SHA512
0da7a58f9951f2b4597845a40f2d219242aead6f95a05cdc2697069f6bb59f2f6dc4b6d3d6b42829c547509c8206cad7fbad544d0489c32f3343b162b941d93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEgFabUeNWlk.bat
Filesize
207B

MD5
df91acd44e98c114c832cd63061646d8

SHA1
7c889c3c51bd79cac904759869a8210eea320049

SHA256
d5685a6c19d3fc8fd4f82ac2bf94e73ce28ae0f5f563c7d0fecf4bba8483672d

SHA512
89400a1570bed6f05ea531c8fafead52997b7aaa92b48ce93017a8a6f7eb28252c21011741d876aa770bdd318eb2e55b65f506c28ceaded2e71afeb6260ba949

Download Submit
C:\Users\Admin\AppData\Local\Temp\xfhjgg7IBy7r.bat
Filesize
207B

MD5
f1be9c4222ab54dd94966556ac68b5e8

SHA1
b6b5be3bb05f5febf96c06e0437c53116123420a

SHA256
13452919c5e10dd5c961b79f81a4d9b6a9e2f75655e483d0425890297293379e

SHA512
4bb6d02b3a89f5b2a0b7a70bf48b4bdd9a980dc51c854b6c280538d176462876c629abac748a09270d6f250b132852acaa867efc85edfd5ae2a5e20b7d524292

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
5257121c0fcad93affd93a083cd7c543

SHA1
96c1487c34c7eea41be4205c4d9c37b7de727152

SHA256
6ca2b7f90daedc4ca1b57c4865192c3b5f156fd286078df0e1a9a8657961ff7e

SHA512
d9b795667738b48fe8d477860683418b64f268dd1284f8397bf092552a378339261078f8ed3bbd2c35bbcba2dfdda47a5ba53e8a97ddf4c3bd1b9d0160f68ba9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
a8f782bf8cf6732d162c3e212d341f1b

SHA1
ff8e342b0341c663c04f7aa8e4cebbc9f878b1a9

SHA256
bc7ac75f6c88fdc41f6a3aec455241925ede7e714aa4dc3bb4444894803dab99

SHA512
b0aad21040fc2695a707dea51f864007594d2b5a0bb56514f39fdbdebc129c998358079b32d146654a51afa3a7226e20f8fc8f57b8382b4927dedb5c2d0df195

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
d1c6747e8edef6a2d34e19d4e4646886

SHA1
54a1f2df5720472af05adfeb20b908b959a50697

SHA256
b008ad933c010486f5fdab9c2c2976db2206a5cd6d70798b14350dfc967ca27e

SHA512
6b2b3ef3182855b3e1ce558959d573921062ae40d3398eb6b7434db06bb87941bd1a7394d90dac4e23f90b9d2f7966c683de62e2dfb52205c0882e1f9a948760

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
e38e0b0856f2f6655f0075afe892f17e

SHA1
53e5377bd397f6d1bf096e92a0fde5c75f371042

SHA256
52a1d86e0e5645d81f00d63aa7d6419bc42d8f1bf58438bbe1fae2ca97d50aed

SHA512
a793a7a64d4643563e08ed9a62c64f40c07f66e06c506726161c7badd6474bb833df6f6edddea94d2738e8f1faf2d5880a7c8b99ae84020ee19b4837117e39f1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
61375e3b5150c9d0974fee19cd7fdf34

SHA1
cc14c07103e471e1eca4c5f944a1981e7b7fc752

SHA256
b342a9a01a69f83a6811da6fbc6e2e003b798f2d979631456ff9a21388703741

SHA512
1f9a64e32b17a3fb761adcc042015b4fbddf6e7fcae7a4e7562d97bade5b4f0bc5bfd5e2ad24b03bb58b1faf2a6df66810fa4c82f9dfd3461fbae9985833cdea

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
789ab233d652a44799a2d47be8aae68f

SHA1
06488a4ea820724d459a59d6dac855b3743090e6

SHA256
65291c42e90b1fae1a56d83bccccb4fa652ef8624852162fe522af8d7ef6d2e0

SHA512
3cc2f37d09164379a4b2220ef0dae1d8a717fe242e1ec7ad5c85d868330baf150aed73ae07c237ca504673f151bbb2e0efd67688e554ac21392569a36fdf5ebf

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
550defdc406882950ff92a966a0c0349

SHA1
88cc02a23efc904b0398372606170fb85bc82137

SHA256
f282a9a6f41c61f5f392fce0c2bd1dcd1cc769f9f9e2df65874cf9fed92bd4e1

SHA512
c64c92e14700a8b8346cb4bcab39fc12a7c765bb1280ba8f0bd137f35716ff08c144f9cc8ab3f16f40327af88233dc01e858ca1a950fc1829cd013b0e6833716

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
a645fe501d50bfe3a79b7d9cd3c15905

SHA1
cd10be40c4edda3ffa09c5ea4ed9d0c7523f3052

SHA256
00b94e0a66535f13ed3855d21c3ac321c61c8fe9bd61c0d5ff1533c39977c0db

SHA512
ccf9b2bedf207d9377902fd9808c104d39aa09bd06072ab232832ceee1cebe70bf9d4a104032926dbc4f1772be46b2f927e829930ca2a158dbbd55a637ae86f5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
5ed09496a054e37734f32547cb56522d

SHA1
cc86e2095755cfe03476a658e64f8408c774b864

SHA256
f65ec7edb28fc084584dd5322d55f33c21e492af5f39d3fe91346e7cc36c36de

SHA512
808af52fd413c1ce8af46c4dcfa8b8260e016b7d90f560afd9f1a0dd6d759583acd20befd981b8c5bbfef0da98c645dd16b42bebab812f7e8e309ff28302e70d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1348-19-0x0000000006B20000-0x0000000006B2A000-memory.dmp

Filesize
40KB

Download
memory/1348-24-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/1348-15-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/1348-16-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/3532-8-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/3532-5-0x0000000004DD0000-0x0000000004E36000-memory.dmp

Filesize
408KB

Download
memory/3532-6-0x0000000005A30000-0x0000000005A42000-memory.dmp

Filesize
72KB

Download
memory/3532-4-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/3532-7-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/3532-17-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/3532-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp

Filesize
4KB

Download
memory/3532-3-0x0000000004D30000-0x0000000004DC2000-memory.dmp

Filesize
584KB

Download
memory/3532-2-0x0000000005240000-0x00000000057E4000-memory.dmp

Filesize
5.6MB

Download
memory/3532-1-0x00000000001B0000-0x000000000021C000-memory.dmp

Filesize
432KB

Download