quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
598s
max time network
606s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (102) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral22/memory/4372-1-0x0000000000B40000-0x0000000000BAC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 28 IoCs

Processes:

pid	process
1932	Client.exe
2812	Client.exe
2320	Client.exe
3816	Client.exe
2164	Client.exe
3656	Client.exe
5080	Client.exe
5024	Client.exe
4888	Client.exe
1548	Client.exe
1092	Client.exe
1564	Client.exe
1420	Client.exe
1724	Client.exe
1736	Client.exe
2200	Client.exe
1556	Client.exe
2188	Client.exe
1684	Client.exe
668	Client.exe
3168	Client.exe
4412	Client.exe
1900	Client.exe
1172	Client.exe
4200	Client.exe
3052	Client.exe
3620	Client.exe
3212	Client.exe

Looks up external IP address via web service 27 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
16	ip-api.com
18	ip-api.com
24	ip-api.com
44	ip-api.com
54	ip-api.com
56	ip-api.com
63	ip-api.com
12	api.ipify.org
67	ip-api.com
26	ip-api.com
30	ip-api.com
22	ip-api.com
48	ip-api.com
51	ip-api.com
28	ip-api.com
34	ip-api.com
65	ip-api.com
3	ip-api.com
38	ip-api.com
14	ip-api.com
32	ip-api.com
20	ip-api.com
46	ip-api.com
58	ip-api.com
61	ip-api.com
36	ip-api.com
42	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
916	1932	WerFault.exe	Client.exe
2840	2812	WerFault.exe	Client.exe
4100	2320	WerFault.exe	Client.exe
2680	3816	WerFault.exe	Client.exe
2140	2164	WerFault.exe	Client.exe
4488	3656	WerFault.exe	Client.exe
1236	5080	WerFault.exe	Client.exe
632	5024	WerFault.exe	Client.exe
4556	4888	WerFault.exe	Client.exe
4488	1548	WerFault.exe	Client.exe
2228	1092	WerFault.exe	Client.exe
2696	1564	WerFault.exe	Client.exe
916	1420	WerFault.exe	Client.exe
2884	1724	WerFault.exe	Client.exe
4944	1736	WerFault.exe	Client.exe
736	2200	WerFault.exe	Client.exe
4832	1556	WerFault.exe	Client.exe
428	2188	WerFault.exe	Client.exe
832	1684	WerFault.exe	Client.exe
4548	668	WerFault.exe	Client.exe
708	3168	WerFault.exe	Client.exe
4448	4412	WerFault.exe	Client.exe
2584	1900	WerFault.exe	Client.exe
1000	1172	WerFault.exe	Client.exe
4904	4200	WerFault.exe	Client.exe
4080	3052	WerFault.exe	Client.exe
4884	3620	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exe

pid	process
2240	schtasks.exe
3812	schtasks.exe
5024	schtasks.exe
4908	schtasks.exe
2000	schtasks.exe
2748	schtasks.exe
4724	schtasks.exe
2380	schtasks.exe
2284	schtasks.exe
4468	schtasks.exe
5048	schtasks.exe
2692	schtasks.exe
116	schtasks.exe
684	schtasks.exe
4312	schtasks.exe
2020	schtasks.exe
3852	schtasks.exe
1096	schtasks.exe
556	schtasks.exe
1456	schtasks.exe
392	schtasks.exe
452	schtasks.exe
2452	schtasks.exe
3388	schtasks.exe
3564	schtasks.exe
4380	schtasks.exe
1432	schtasks.exe
2720	schtasks.exe
2664	SCHTASKS.exe

Runs ping.exe 1 TTPs 27 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3112	PING.EXE
2748	PING.EXE
2276	PING.EXE
1844	PING.EXE
1112	PING.EXE
3968	PING.EXE
4744	PING.EXE
3716	PING.EXE
4236	PING.EXE
1044	PING.EXE
3916	PING.EXE
3460	PING.EXE
3780	PING.EXE
1016	PING.EXE
2880	PING.EXE
4204	PING.EXE
3008	PING.EXE
4020	PING.EXE
4312	PING.EXE
1800	PING.EXE
3060	PING.EXE
868	PING.EXE
4380	PING.EXE
2736	PING.EXE
4340	PING.EXE
4504	PING.EXE
1476	PING.EXE

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Uni - Copy (102) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4372	Uni - Copy (102) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	1932	Client.exe
Token: SeDebugPrivilege	2812	Client.exe
Token: SeDebugPrivilege	2320	Client.exe
Token: SeDebugPrivilege	3816	Client.exe
Token: SeDebugPrivilege	2164	Client.exe
Token: SeDebugPrivilege	3656	Client.exe
Token: SeDebugPrivilege	5080	Client.exe
Token: SeDebugPrivilege	5024	Client.exe
Token: SeDebugPrivilege	4888	Client.exe
Token: SeDebugPrivilege	1548	Client.exe
Token: SeDebugPrivilege	1092	Client.exe
Token: SeDebugPrivilege	1564	Client.exe
Token: SeDebugPrivilege	1420	Client.exe
Token: SeDebugPrivilege	1724	Client.exe
Token: SeDebugPrivilege	1736	Client.exe
Token: SeDebugPrivilege	2200	Client.exe
Token: SeDebugPrivilege	1556	Client.exe
Token: SeDebugPrivilege	2188	Client.exe
Token: SeDebugPrivilege	1684	Client.exe
Token: SeDebugPrivilege	668	Client.exe
Token: SeDebugPrivilege	3168	Client.exe
Token: SeDebugPrivilege	4412	Client.exe
Token: SeDebugPrivilege	1900	Client.exe
Token: SeDebugPrivilege	1172	Client.exe
Token: SeDebugPrivilege	4200	Client.exe
Token: SeDebugPrivilege	3052	Client.exe
Token: SeDebugPrivilege	3620	Client.exe
Token: SeDebugPrivilege	3212	Client.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

pid	process
1932	Client.exe
2812	Client.exe
2320	Client.exe
3816	Client.exe
2164	Client.exe
3656	Client.exe
5080	Client.exe
5024	Client.exe
4888	Client.exe
1548	Client.exe
1092	Client.exe
1564	Client.exe
1420	Client.exe
1724	Client.exe
1736	Client.exe
2200	Client.exe
1556	Client.exe
2188	Client.exe
1684	Client.exe
668	Client.exe
3168	Client.exe
4412	Client.exe
1900	Client.exe
1172	Client.exe
4200	Client.exe
3052	Client.exe
3620	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (102) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4372 wrote to memory of 2720	4372	Uni - Copy (102) - Copy - Copy - Copy.exe	schtasks.exe
PID 4372 wrote to memory of 2720	4372	Uni - Copy (102) - Copy - Copy - Copy.exe	schtasks.exe
PID 4372 wrote to memory of 2720	4372	Uni - Copy (102) - Copy - Copy - Copy.exe	schtasks.exe
PID 4372 wrote to memory of 1932	4372	Uni - Copy (102) - Copy - Copy - Copy.exe	Client.exe
PID 4372 wrote to memory of 1932	4372	Uni - Copy (102) - Copy - Copy - Copy.exe	Client.exe
PID 4372 wrote to memory of 1932	4372	Uni - Copy (102) - Copy - Copy - Copy.exe	Client.exe
PID 4372 wrote to memory of 2664	4372	Uni - Copy (102) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4372 wrote to memory of 2664	4372	Uni - Copy (102) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4372 wrote to memory of 2664	4372	Uni - Copy (102) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1932 wrote to memory of 2020	1932	Client.exe	schtasks.exe
PID 1932 wrote to memory of 2020	1932	Client.exe	schtasks.exe
PID 1932 wrote to memory of 2020	1932	Client.exe	schtasks.exe
PID 1932 wrote to memory of 4524	1932	Client.exe	cmd.exe
PID 1932 wrote to memory of 4524	1932	Client.exe	cmd.exe
PID 1932 wrote to memory of 4524	1932	Client.exe	cmd.exe
PID 4524 wrote to memory of 3432	4524	cmd.exe	chcp.com
PID 4524 wrote to memory of 3432	4524	cmd.exe	chcp.com
PID 4524 wrote to memory of 3432	4524	cmd.exe	chcp.com
PID 4524 wrote to memory of 1016	4524	cmd.exe	PING.EXE
PID 4524 wrote to memory of 1016	4524	cmd.exe	PING.EXE
PID 4524 wrote to memory of 1016	4524	cmd.exe	PING.EXE
PID 4524 wrote to memory of 2812	4524	cmd.exe	Client.exe
PID 4524 wrote to memory of 2812	4524	cmd.exe	Client.exe
PID 4524 wrote to memory of 2812	4524	cmd.exe	Client.exe
PID 2812 wrote to memory of 3852	2812	Client.exe	schtasks.exe
PID 2812 wrote to memory of 3852	2812	Client.exe	schtasks.exe
PID 2812 wrote to memory of 3852	2812	Client.exe	schtasks.exe
PID 2812 wrote to memory of 1744	2812	Client.exe	cmd.exe
PID 2812 wrote to memory of 1744	2812	Client.exe	cmd.exe
PID 2812 wrote to memory of 1744	2812	Client.exe	cmd.exe
PID 1744 wrote to memory of 3092	1744	cmd.exe	chcp.com
PID 1744 wrote to memory of 3092	1744	cmd.exe	chcp.com
PID 1744 wrote to memory of 3092	1744	cmd.exe	chcp.com
PID 1744 wrote to memory of 2736	1744	cmd.exe	PING.EXE
PID 1744 wrote to memory of 2736	1744	cmd.exe	PING.EXE
PID 1744 wrote to memory of 2736	1744	cmd.exe	PING.EXE
PID 1744 wrote to memory of 2320	1744	cmd.exe	Client.exe
PID 1744 wrote to memory of 2320	1744	cmd.exe	Client.exe
PID 1744 wrote to memory of 2320	1744	cmd.exe	Client.exe
PID 2320 wrote to memory of 4724	2320	Client.exe	schtasks.exe
PID 2320 wrote to memory of 4724	2320	Client.exe	schtasks.exe
PID 2320 wrote to memory of 4724	2320	Client.exe	schtasks.exe
PID 2320 wrote to memory of 4288	2320	Client.exe	cmd.exe
PID 2320 wrote to memory of 4288	2320	Client.exe	cmd.exe
PID 2320 wrote to memory of 4288	2320	Client.exe	cmd.exe
PID 4288 wrote to memory of 4308	4288	cmd.exe	chcp.com
PID 4288 wrote to memory of 4308	4288	cmd.exe	chcp.com
PID 4288 wrote to memory of 4308	4288	cmd.exe	chcp.com
PID 4288 wrote to memory of 4340	4288	cmd.exe	PING.EXE
PID 4288 wrote to memory of 4340	4288	cmd.exe	PING.EXE
PID 4288 wrote to memory of 4340	4288	cmd.exe	PING.EXE
PID 4288 wrote to memory of 3816	4288	cmd.exe	Client.exe
PID 4288 wrote to memory of 3816	4288	cmd.exe	Client.exe
PID 4288 wrote to memory of 3816	4288	cmd.exe	Client.exe
PID 3816 wrote to memory of 2380	3816	Client.exe	schtasks.exe
PID 3816 wrote to memory of 2380	3816	Client.exe	schtasks.exe
PID 3816 wrote to memory of 2380	3816	Client.exe	schtasks.exe
PID 3816 wrote to memory of 2500	3816	Client.exe	cmd.exe
PID 3816 wrote to memory of 2500	3816	Client.exe	cmd.exe
PID 3816 wrote to memory of 2500	3816	Client.exe	cmd.exe
PID 2500 wrote to memory of 4588	2500	cmd.exe	chcp.com
PID 2500 wrote to memory of 4588	2500	cmd.exe	chcp.com
PID 2500 wrote to memory of 4588	2500	cmd.exe	chcp.com
PID 2500 wrote to memory of 3060	2500	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2720

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rAon6FRDnPi5.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:3432

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1016

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAfIU05lAXvg.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:3092

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2736

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vJzx6coq7nDM.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4308

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4340

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\prfKr6u0IhmM.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4588

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3060

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGwFkqPWipdc.bat" "
11⤵
PID:740

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1224

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3008

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KOJgxTdqXOR0.bat" "
13⤵
PID:1372

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:1096

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3916

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:3812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UaYzMSZOfaOg.bat" "
15⤵
PID:1160

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:2576

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4020

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5024

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rQ6qn4xkS3zY.bat" "
17⤵
PID:3500

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2312

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1112

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v6Nbf58uNUMQ.bat" "
19⤵
PID:3976

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:4364

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4504

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3oS6JrTNpiQB.bat" "
21⤵
PID:5048

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:3264

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:868

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQszxYuJQVek.bat" "
23⤵
PID:2416

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:1236

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2880

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nSanB5F4Pecw.bat" "
25⤵
PID:4860

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:4708

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:3460

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\StmoAjIMEJdp.bat" "
27⤵
PID:1000

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3304

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4744

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\abrJoVcqfYha.bat" "
29⤵
PID:4736

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1436

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3968

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ek3Uos0T0vDs.bat" "
31⤵
PID:4320

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:4764

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:3716

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sXwHcyYIgZLH.bat" "
33⤵
PID:4356

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:3340

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:1476

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1556

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuajvEjA45oj.bat" "
35⤵
PID:1788

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:3964

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:4204

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vPWGn57EKeUC.bat" "
37⤵
PID:744

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:4452

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:4312

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1684

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYiQmSVre10T.bat" "
39⤵
PID:2392

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:856

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:1800

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:668

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7GnvREpL5G4F.bat" "
41⤵
PID:3036

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:3936

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:4236

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3168

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N3jJILt3q7GJ.bat" "
43⤵
PID:4800

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:2208

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:3112

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ZTZxwSQcUeg.bat" "
45⤵
PID:4072

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:64

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:3780

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zu0ywUbAciqM.bat" "
47⤵
PID:408

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:2912

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:2748

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSgLiyiKndOM.bat" "
49⤵
PID:4308

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:3272

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:1044

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4200

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rHEB8a5ga6zE.bat" "
51⤵
PID:4940

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:1724

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:4380

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3052

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mte4nGXbCtDn.bat" "
53⤵
PID:220

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:3456

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:2276

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2gaSeObJxkQr.bat" "
55⤵
PID:1288

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:640

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:1844

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1708
55⤵
- Program crash
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 1688
53⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1096
51⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 2248
49⤵
- Program crash
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 1668
47⤵
- Program crash
PID:2584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 2248
45⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 2248
43⤵
- Program crash
PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 2240
41⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1092
39⤵
- Program crash
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1096
37⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1088
35⤵
- Program crash
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1644
33⤵
- Program crash
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 2228
31⤵
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1708
29⤵
- Program crash
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 2224
27⤵
- Program crash
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1664
25⤵
- Program crash
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 796
23⤵
- Program crash
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 2224
21⤵
- Program crash
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1716
19⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 1092
17⤵
- Program crash
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1092
15⤵
- Program crash
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 1712
13⤵
- Program crash
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1088
11⤵
- Program crash
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1684
9⤵
- Program crash
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 2200
7⤵
- Program crash
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1636
5⤵
- Program crash
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 2144
3⤵
- Program crash
PID:916

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (102) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (102) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1932 -ip 1932
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2812 -ip 2812
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2320 -ip 2320
1⤵
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3816 -ip 3816
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2164 -ip 2164
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3656 -ip 3656
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5080 -ip 5080
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5024 -ip 5024
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4888 -ip 4888
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1548 -ip 1548
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1092 -ip 1092
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1564 -ip 1564
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1420 -ip 1420
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1724 -ip 1724
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1736 -ip 1736
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2200 -ip 2200
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1556 -ip 1556
1⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2188 -ip 2188
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1684 -ip 1684
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 668 -ip 668
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3168 -ip 3168
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4412 -ip 4412
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1900 -ip 1900
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1172 -ip 1172
1⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4200 -ip 4200
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3052 -ip 3052
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3620 -ip 3620
1⤵
PID:3296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3oS6JrTNpiQB.bat
Filesize
207B

MD5
c5faf23198dc7c905a8ef0f89220937f

SHA1
0794f93081cb3971f22523a61b9464db1388785c

SHA256
14379593c3cfd92084b92ccc5d64c7c343af8316ac8272db7ee58c7a3dc0196c

SHA512
d5e14cd63316106f17406df100883624ede71ab623fd8758e88e4ddb3d48c21488430c2ad774fc3f7618af934f6a44db59de31e947d63453effb1ddaed2c9645

Download Submit
C:\Users\Admin\AppData\Local\Temp\7GnvREpL5G4F.bat
Filesize
207B

MD5
c8a3fb2dd8720fc39807f8f6123542a8

SHA1
2e54f86b44c5e860d49cae1611ce868ab908de14

SHA256
6703efeed2bf38ecd143d0db0a4278ab55a964daf8a36717c15091878071d0c0

SHA512
4a68716ca1bba7181cdc7de9bdf687404e43fc16ac710cbb5a12d579ce837cc2d97fc163c2860db407a7f101da44298162f4176ae28354b77ea43b21c85d9361

Download Submit
C:\Users\Admin\AppData\Local\Temp\FuajvEjA45oj.bat
Filesize
207B

MD5
e8b71fdc56517d0a4a0572d08266e0b9

SHA1
62db5a861809a2f21dbc14f61ecac7626cd87617

SHA256
cb617f6882274c94d033365d91b7271da30124ab3de5e6271165a47b378f1e5a

SHA512
776eec5d27c097ca910533e24e40ff35c7f1630b813e595cf73275c8bad501b85d1e7f36e0424611410bfc28b2aa31245f78f36989b67929cdd3dbe46ff14db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGwFkqPWipdc.bat
Filesize
207B

MD5
704ddd7d49f06002e660ed31846889f2

SHA1
c7ed6f2f00feb110ca00e62fd2c1276d42077f4c

SHA256
01e8c5e8ff396d5fb940a98528fa04e172de27427d55613ef75d1658a8f997f7

SHA512
baa8479ad181003685f4db06f364c3ed1a424447a2605107e3235b68dc4eb225d0b9a77746af1a2cd2d34885f8e68c364670dbdf7bba028141d2bc96ad484805

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOJgxTdqXOR0.bat
Filesize
207B

MD5
7fc0db3700638518f67f1e37072e64d4

SHA1
e3dfc35b0b28f92c6c02ea73ee296c2c70850c03

SHA256
384bb756eeb5ae6aa5c78bdc94e425d2d478388d3d6e19c97500b9b00306d40e

SHA512
26f9f41cc94a67fa60961e6d15f59b4cbdec83d41d276404dc7502e9dd1e90aaf2a87bc4471f0d82d5d6fee3d6d84eb4a69e721eee392ff52afdcf5db2f069ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\N3jJILt3q7GJ.bat
Filesize
207B

MD5
8ced6991987130bcc5e005988df9c36d

SHA1
77a8fd96436d0db258b6a253e3daace0cee1400c

SHA256
4b2e11f017536f00bfa4c3e37fc4a512795ab67ce41cfbad16f916bcc110616a

SHA512
c21e63e63ad95848d9070e6ae1312fdd412c6f68866557167dd888230f3e849208c0805eacdf45ee6c3892263da7094bd8a271919acdc5c24bd896828aadc904

Download Submit
C:\Users\Admin\AppData\Local\Temp\StmoAjIMEJdp.bat
Filesize
207B

MD5
8386fba5d1863b09a3d28f0b5de007bb

SHA1
4d9a6370c756028b7b1366e1f946cf36e71b79a1

SHA256
c23a04549540ee7035aa532fce49a0c78251833094a04f070d3fac9d30d05939

SHA512
a26622139cfb595e3624a0985de9bc952d2a6a36780b236cfdb4149f892b8693478decbd961d2e07878fc0de71c1247a5d790bfbddf7dfef7718fed41aed2cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\UaYzMSZOfaOg.bat
Filesize
207B

MD5
24020b2bd5d80efe96fb1a85b9b82ea6

SHA1
08935ed22ff53c77e810484e72caab987a83ae99

SHA256
19922d6fb9d05cbbe5c52766c30984317ecef0fa75482ed5f4fbe780f51a00a0

SHA512
9249632f24177f895b58fd74f510e57e5ee4f90b84d9f24300c72c8fedec4d295978888f97b40f909c3fa941d50822e4e145bf9b76bc24b555867b11021bb7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAfIU05lAXvg.bat
Filesize
207B

MD5
548e527414f3c3a9517299c52c34624b

SHA1
cf5cfd2ef918cc4749ce7486d8c6989ef3fc1549

SHA256
8439643419ee5ad61782ecd7bfa06b9ba64a4723222e56da4e7004e2e10ce527

SHA512
267c6a1bc1adf57646cf15984e163db3b8b29800ef88d6730748edc389eaf3c4cac96673db4117104f01a24832ad9880b35333e3ca7b4d90defb1fd27acd64dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\abrJoVcqfYha.bat
Filesize
207B

MD5
3ed9516d9f9c51e793ed655c706d046a

SHA1
ba08ba94e23f853f136730e85a3203a170042540

SHA256
1eceb32f2dc0ba97ba6485bb5cf0f0b6599602d2daf49123313b535efd9e8fd8

SHA512
4b52edf9553924602e0b42c33b10ccb68516a2d0052d18d9680797031e5e628f1e19ed9a1760b182f5b3b8ca740a42dca3dae6624e6d4958a5b2f44cc4688499

Download Submit
C:\Users\Admin\AppData\Local\Temp\ek3Uos0T0vDs.bat
Filesize
207B

MD5
df6d0f9a4e9cee3dbd127964498eb152

SHA1
38697fb82486007a00288171b56e9a1b1d3d0bc9

SHA256
3972bd4471d5e32a7bfb59a41e22037e95bb7331a762abb1500faa227fbf9142

SHA512
f86122b4bae772db19cc73f46fb63c3297db0b5351a96ca5555df4fe8621b7d596f9c0ad286e6f0ae8f05a05390ee23709106bb470f0c8a786c29b92b04f37eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nSanB5F4Pecw.bat
Filesize
207B

MD5
85dafa673e8b39e4450189d276b69afa

SHA1
711d8561142cdebf45da88e79418efd2ae70df94

SHA256
1d0d6563bca0825b0d2d9037a47b3fae63d360a9a851e5a33fb2730de44b65a0

SHA512
fecfaf79b5a1b2fb411ae043cd818a7307f9da401c11c117c2c10615b81e7a6850064c31eaa3d6b193e8b043d1f7aaa02ba45c11f750140e79a50a80a0417f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\prfKr6u0IhmM.bat
Filesize
207B

MD5
bcc100444b976443baaaa2c341da212b

SHA1
99ef1b3829a049f102c0ff0a94accf32a73c96b0

SHA256
02a5b43d89ec56d283e90eaa635c8556ec537d5a0f010d6ebf641390ee9313c1

SHA512
49851a92d08308e614790a1659db5803a4ee45df56445678359da381f7f6e71b0bc61d55dbc087c8c2eef0b187214510ed8ed2bcc44d6519d2c7866b41f59ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rAon6FRDnPi5.bat
Filesize
207B

MD5
07562201490da5ae243142b8150fed69

SHA1
08d27c1b0b56555e9c3f07220297a5210aae810e

SHA256
26b79cffd4362b0121eac044c2fd82ffd848e4924f79c5b4212c3d5930ff4906

SHA512
06653be30cbea173a0eaf65df5141c8d6aa97fc3b6b499b2133cb5e0fb9990009d79de4c4c4cdc087eb3b44f80269cb9e3e487326821dc06af92ab49fda10788

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQ6qn4xkS3zY.bat
Filesize
207B

MD5
77e231201980244c1f36a353c02e0403

SHA1
a2e8107c5a855839255c292a9ddec43380e1b195

SHA256
ec42dee687c614ae726cb2defdb9191330c300a41ead4bdd8b60e904d1975d34

SHA512
ae586b1d8520bbbe479972bd201eba1ec28dbea71fa85a7a1df1e74f68e886ddd47f245da0d88f60906ab11be2f657b42d80c785802d0fccd2bc8dc752164efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sXwHcyYIgZLH.bat
Filesize
207B

MD5
55a1f2a845f553e7879c833c7c71502e

SHA1
9088cf92ed70544ff9b2b2953f59fddefa2daa37

SHA256
ab5e01e018d994c90f6d876d71f18df562518bf4a974f471180dd734e4b7ae3f

SHA512
a1acf5f1b1d54124442eb55def6d5e969d6b6c631a6fdf5c2258f2238a56f4487b3207a0edbf4b8a4b0b5a1ebbd02ee868722b0d45cf395c67c714ace4aff754

Download Submit
C:\Users\Admin\AppData\Local\Temp\v6Nbf58uNUMQ.bat
Filesize
207B

MD5
160da2fb701650f8e575e396a0e9ee00

SHA1
aa27a00c5d39774d1175f7a05230784e756bf0d9

SHA256
ab05a2fbe1dde958f887ea85911f20c5431538d72aec4e322dd6a8b14a94fb2d

SHA512
a3231a30532068d4218303643e1a6f09dcbc593a4ef446b1cabfce4f9f030a6fa8e5bc69fc420157f9b45c2f8e772b2293c053a86d415f8a7ae24ccfb7a3529a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vJzx6coq7nDM.bat
Filesize
207B

MD5
f57f7951e46ccaab18b669aa30269c97

SHA1
8f899088764bb08d0545eb7c9fe442b4dd7b66ac

SHA256
b101c70dec31b328aa031a1f999441c32cb6eb82851502ad70406a21ca492cd2

SHA512
a266fdb6d50e2047c4cf7cfa81cdeb399cda2c342c63ffd0dabbd332472f06f6b8b6dad3463cadfc766d1d421e4ef0cc4e1c2ad8cccef3905dd5a081210e271a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vPWGn57EKeUC.bat
Filesize
207B

MD5
49d52241d744c132167d1324fa08a3e6

SHA1
86b63572710a1372ff3d36eeff2418b3024c2160

SHA256
8492020ff9bdc195955a56015e14cd05ccfa726b54044d8a62c088229f9009e2

SHA512
ec72ff4d5bb70440bcf7f9401815437176c82c4dbbae7fb8ab61c8925b3f605708c67236c0718fcb5dc94985c6e6232ab177b016afaffb863f6d10117d755686

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQszxYuJQVek.bat
Filesize
207B

MD5
0518794500442532e5f992cdc52686ed

SHA1
715704ee1e0c7120713fc5185b8da025a255357e

SHA256
58f2c2e42aac5bbc3eabc8bcef32283b3354f3b50567eb668231d9c7a29f5105

SHA512
051360913face8a508b5e5d330576b1c13c5b7a64ace6767fee649b7994b3cf98fbf0423588f2eb7c7439003c0b74ee3d16560aa3c82928a4db5e3e8916af1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYiQmSVre10T.bat
Filesize
207B

MD5
76aad9368e8e030ececf5bf1b2a12434

SHA1
7ecb64a9efff5efd572a436cad9a757937fa7ecf

SHA256
49198b70b13800109422dc5daec25133bb38073a977ba843051d711b4968261d

SHA512
162a120bb3993ebc20d30ad6b992e23f28ccb2aa7000678cf02fe43f9fd080fdb2f7cd42e2f034515c3392946b164a7317beb8a45a136ed171e4b8e60ce7511b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c04bcbafbbbbfb2678ac38aa55b0e33b

SHA1
4f6223697dd2caeba343126b627db879ca401f94

SHA256
6074e248b3effa3deb9a9cc42c342838cc1301980a4b5934b20f2d3fb8b492ec

SHA512
49d7c32cd83fa06edf1c1464c62445ff359ddba1754cc77c9d08a9db6a94303ca728e1c69d31e73c58130d1156ce77dd42059b9c9a184c212b25ba249bbb58d0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
53e13016480bb2e7c22b79e720534bde

SHA1
ab8008bfc7ac6962ded46ad91f644c00b323effb

SHA256
fc667bb2fb0f37d0c65e20daebfc476eee82ad965734a4cfd5cb6049651111bf

SHA512
6e3d92433104f77ddb6173c440a08bcef88e85ec0d389404198332f135f88b9b0117d14ccfc8b74df02ec95813f80911f1f9a44679b62eeef10ab5415cdc8bb9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
44ae4c78fb1f5b57a479be2fb1b35c64

SHA1
1be63bb612281d7e6dc14d67fc6417013a405be7

SHA256
da86a448c604f018c1f53aedeef089dc60beeb665befeeaa87517702b2a635bd

SHA512
48ef7c4153178bf788736a041bcb99c234e3683c4f6670b829d9825e6acac9c62d9b24041fd6c8efc2157acf9918e4231472abda39e65c5aeb7675397c4694b1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
e416f3ce2c8591040d9a31fa70b2cf27

SHA1
6da6a362aa339d7f6e9ce5040e8c50cef563cf28

SHA256
dc475662f8c7cc42380aa7f5bef5621a31ec8f37da13b8db2bc73b0e875a8fe3

SHA512
54c40274db9cbaf9b195934da543db1ddc4c1dc6bd61565ea7eb7ba38d418030e836f65de80736561da7d1ce1f1136a4d1e85652f3ff666304a44ab8e9ebbf20

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
f91b340a5bb0d71bd8bbe38de9e414b9

SHA1
215487b1902d15f22fe55f5732220c976ca82162

SHA256
af3534d23538f586c7c0d6fde68d4bfe033a266f17845596683acd4ef1886214

SHA512
0afb0d5135ee5cdbc313ab3e4da083ae178ae8885c37922465933e1f531c4b3471acdd062bc474a6632c0c0e6c2bcab91ab6b9f838cb1bd7fcc99234de279b54

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
7190907c9c384fdfb23fae045bad6cb8

SHA1
946010cb8777ca23509f1c590232a4e7a22fb60c

SHA256
6ca5ba33fd19d9e6a409ea03f8c03433c1554acdebd37c24c42fead37e4a4f57

SHA512
96fd12d183a87c20a8f4b8ae3a2efcf040d9f1e09c3e75067a036bc2a7238ca75be26065598fa9ec899d9c7e8f412f063febc98228932dcddc901c88bb7ed510

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
b79b1fd2f8b9d529f9c16ac8faf930c1

SHA1
6698ffa25982e8746207c11f254f34fafc7dfadb

SHA256
55861a5d8d9b88f310f57cc347da1c15945669a8876a87870361a29e7eddd802

SHA512
0854e4a30d9d09038f334aecc0733a6d73684bf7908a72b825077880c1af40e32ee43108b9d02e6d2ece35ab2142fda95f33e1630aa77c48d22f8b2b80414304

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
acedbd8bc88752033d6fd39b476432df

SHA1
f2c66595c14d341ac39d850fbf60a766876415f7

SHA256
b49d455d78e3ec822c6af481cb28720fa238e0a92ae2141a21fe6e126a69caed

SHA512
3cc2f573924db79064451c72581641e8959dcf8206f5efe5355574bb0d7d06d031070a6a9d102bcfcf50e7dc6c8464cf337a714c89aa88046de72195a1fadf1b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c62a9285436af7f9fd23a4007e083b45

SHA1
1d9193039de996d4cbb2b6c620ac9d7d98b53f44

SHA256
17ce649c493fda493adbf29217b34d4d1a7e08811014710c2c56257922ab71ee

SHA512
a103588ab2ada34579d43609c25209e3e84a0d0b8c0cd7bfac2748c8584a55720ce31b23e2d4db8f78530158a51c81bc5d2d72983c0d5ab3ea687a33ae8779ef

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
10df072dbd08159d7c49f7b479133da7

SHA1
8681b96aae99ccfa966a2fa6196a5dd9477869fd

SHA256
5dbc90a2fa40464a5915bc43c0c93633e7bbfd1f9ffb07813c8880b663327c4d

SHA512
3c7975176542b080e91e12e68ea14f87dd78da08365672095be1cf84ef0425998651ce06e82846ae31d84c18e0b6e2f9087ac4bbf0a8a63f0bee0cafa3ac5e86

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
8d6daabec45a06ee1562ab4c287e7fcc

SHA1
e4c12424d57846b54afbcbfea4ab3fbb6eb0eda8

SHA256
f18905b7ce624189ddc461413a395304870b41f45ff087542da2935f4e88d67d

SHA512
606fbb94d9462b15f3eb41ee9dc509e27fc28687a0a86bc4de20ecdf4240a71bca43fb3d6e0e3eec81d5b878323453c2880ee4ee5426876328c283b07e8d599a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
161f12ce685b12d39017ffa457bd1ff2

SHA1
f30aa1cbf3c97e1274346aa4694bb347a7e54424

SHA256
555913c0010dd99cc2c05370b50537f8dd04dc803e351701fd4739698f364b3a

SHA512
253b98618a9c1b559976ed98fae7b8f6700908d40493e1f07e755ea88eead47cf195133d9e691742da038ff3ddbfb5f39fa83a97f4f626a0fab477db92a9c6d5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
a18ea136f518d642b91243c55d7a8866

SHA1
89a95c17012678d70bfb72b5dd085ef617ba3714

SHA256
9aa7c9dc24958a8dff5df83963ec95adb0624a7f88748d634584e5e0d5da6894

SHA512
55094bc75309818475d7c70063c917ce8f8af1887635b6614deed31c9457c21f159878aeb6a712fecc8820681d1efe3b941b5a7fc8644a4c7ba83156fbd0a99d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
59ed232c23f9a253a917ccf8b1b6b4a6

SHA1
1119702e7bac9c17319ce6b604c8b3a0a89e3814

SHA256
b8126af8ade2f2fb0d5dcc7d8089930db319e22de38845428984cfb23da0f177

SHA512
cda2a8c40a8dcbbe4262d266ce5edfc787fe2ccabba8bf33fa829e331581bf0f6cd759c037040f4fdb7fb13fb88617ceeae8fe5c525a6d6e57f1b381100163a2

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1932-24-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/1932-15-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/1932-17-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/1932-19-0x0000000006EB0000-0x0000000006EBA000-memory.dmp

Filesize
40KB

Download
memory/4372-6-0x00000000063C0000-0x00000000063D2000-memory.dmp

Filesize
72KB

Download
memory/4372-4-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/4372-5-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/4372-3-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/4372-16-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/4372-0-0x00000000753CE000-0x00000000753CF000-memory.dmp

Filesize
4KB

Download
memory/4372-7-0x00000000753CE000-0x00000000753CF000-memory.dmp

Filesize
4KB

Download
memory/4372-8-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/4372-2-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/4372-1-0x0000000000B40000-0x0000000000BAC000-memory.dmp

Filesize
432KB

Download