quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
591s
max time network
608s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (103) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral28/memory/1948-1-0x0000000000AE0000-0x0000000000B4C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 27 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 28 IoCs

Processes:

pid	process
4252	Client.exe
4332	Client.exe
4128	Client.exe
2408	Client.exe
4132	Client.exe
1948	Client.exe
832	Client.exe
808	Client.exe
4012	Client.exe
3124	Client.exe
1852	Client.exe
740	Client.exe
4416	Client.exe
116	Client.exe
1008	Client.exe
4864	Client.exe
4128	Client.exe
396	Client.exe
692	Client.exe
2024	Client.exe
2280	Client.exe
4416	Client.exe
1896	Client.exe
456	Client.exe
4740	Client.exe
3228	Client.exe
2784	Client.exe
2376	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe

Looks up external IP address via web service 27 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
11	api.ipify.org
47	ip-api.com
43	ip-api.com
74	ip-api.com
79	ip-api.com
89	ip-api.com
3	ip-api.com
34	ip-api.com
82	ip-api.com
59	ip-api.com
77	ip-api.com
40	ip-api.com
64	ip-api.com
13	ip-api.com
36	ip-api.com
49	ip-api.com
38	ip-api.com
57	ip-api.com
61	ip-api.com
16	ip-api.com
20	ip-api.com
86	ip-api.com
28	ip-api.com
53	ip-api.com
84	ip-api.com
18	ip-api.com
45	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4536	4252	WerFault.exe	Client.exe
3100	4332	WerFault.exe	Client.exe
3680	4128	WerFault.exe	Client.exe
5020	2408	WerFault.exe	Client.exe
3164	4132	WerFault.exe	Client.exe
4172	1948	WerFault.exe	Client.exe
4080	832	WerFault.exe	Client.exe
740	808	WerFault.exe	Client.exe
1120	4012	WerFault.exe	Client.exe
2852	3124	WerFault.exe	Client.exe
5112	1852	WerFault.exe	Client.exe
2496	740	WerFault.exe	Client.exe
1796	4416	WerFault.exe	Client.exe
2132	116	WerFault.exe	Client.exe
2964	1008	WerFault.exe	Client.exe
536	4864	WerFault.exe	Client.exe
2944	4128	WerFault.exe	Client.exe
4904	396	WerFault.exe	Client.exe
1472	692	WerFault.exe	Client.exe
3176	2024	WerFault.exe	Client.exe
3928	2280	WerFault.exe	Client.exe
1724	4416	WerFault.exe	Client.exe
2612	1896	WerFault.exe	Client.exe
3496	456	WerFault.exe	Client.exe
3284	4740	WerFault.exe	Client.exe
2852	3228	WerFault.exe	Client.exe
3856	2784	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4324	schtasks.exe
944	schtasks.exe
3656	schtasks.exe
3088	schtasks.exe
3144	schtasks.exe
4000	schtasks.exe
3584	schtasks.exe
5112	schtasks.exe
3932	schtasks.exe
2316	schtasks.exe
3960	schtasks.exe
3600	schtasks.exe
3876	schtasks.exe
4548	schtasks.exe
4784	SCHTASKS.exe
3452	schtasks.exe
4636	schtasks.exe
3404	schtasks.exe
2916	schtasks.exe
2516	schtasks.exe
3080	schtasks.exe
2672	schtasks.exe
3828	schtasks.exe
4664	schtasks.exe
4080	schtasks.exe
4856	schtasks.exe
2884	schtasks.exe
1804	schtasks.exe
3504	schtasks.exe

Runs ping.exe 1 TTPs 27 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3988	PING.EXE
4924	PING.EXE
916	PING.EXE
560	PING.EXE
3916	PING.EXE
4340	PING.EXE
4416	PING.EXE
4956	PING.EXE
944	PING.EXE
1640	PING.EXE
764	PING.EXE
1592	PING.EXE
4776	PING.EXE
2852	PING.EXE
4828	PING.EXE
2276	PING.EXE
2516	PING.EXE
5032	PING.EXE
1400	PING.EXE
2872	PING.EXE
868	PING.EXE
2004	PING.EXE
4176	PING.EXE
3164	PING.EXE
1608	PING.EXE
2728	PING.EXE
3148	PING.EXE

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Uni - Copy (103) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1948	Uni - Copy (103) - Copy - Copy.exe
Token: SeDebugPrivilege	4252	Client.exe
Token: SeDebugPrivilege	4332	Client.exe
Token: SeDebugPrivilege	4128	Client.exe
Token: SeDebugPrivilege	2408	Client.exe
Token: SeDebugPrivilege	4132	Client.exe
Token: SeDebugPrivilege	1948	Client.exe
Token: SeDebugPrivilege	832	Client.exe
Token: SeDebugPrivilege	808	Client.exe
Token: SeDebugPrivilege	4012	Client.exe
Token: SeDebugPrivilege	3124	Client.exe
Token: SeDebugPrivilege	1852	Client.exe
Token: SeDebugPrivilege	740	Client.exe
Token: SeDebugPrivilege	4416	Client.exe
Token: SeDebugPrivilege	116	Client.exe
Token: SeDebugPrivilege	1008	Client.exe
Token: SeDebugPrivilege	4864	Client.exe
Token: SeDebugPrivilege	4128	Client.exe
Token: SeDebugPrivilege	396	Client.exe
Token: SeDebugPrivilege	692	Client.exe
Token: SeDebugPrivilege	2024	Client.exe
Token: SeDebugPrivilege	2280	Client.exe
Token: SeDebugPrivilege	4416	Client.exe
Token: SeDebugPrivilege	1896	Client.exe
Token: SeDebugPrivilege	456	Client.exe
Token: SeDebugPrivilege	4740	Client.exe
Token: SeDebugPrivilege	3228	Client.exe
Token: SeDebugPrivilege	2784	Client.exe
Token: SeDebugPrivilege	2376	Client.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

pid	process
4252	Client.exe
4332	Client.exe
4128	Client.exe
2408	Client.exe
4132	Client.exe
1948	Client.exe
832	Client.exe
808	Client.exe
4012	Client.exe
3124	Client.exe
1852	Client.exe
740	Client.exe
4416	Client.exe
116	Client.exe
1008	Client.exe
4864	Client.exe
4128	Client.exe
396	Client.exe
692	Client.exe
2024	Client.exe
2280	Client.exe
4416	Client.exe
1896	Client.exe
456	Client.exe
4740	Client.exe
3228	Client.exe
2784	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (103) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 4324	1948	Uni - Copy (103) - Copy - Copy.exe	schtasks.exe
PID 1948 wrote to memory of 4324	1948	Uni - Copy (103) - Copy - Copy.exe	schtasks.exe
PID 1948 wrote to memory of 4324	1948	Uni - Copy (103) - Copy - Copy.exe	schtasks.exe
PID 1948 wrote to memory of 4252	1948	Uni - Copy (103) - Copy - Copy.exe	Client.exe
PID 1948 wrote to memory of 4252	1948	Uni - Copy (103) - Copy - Copy.exe	Client.exe
PID 1948 wrote to memory of 4252	1948	Uni - Copy (103) - Copy - Copy.exe	Client.exe
PID 1948 wrote to memory of 4784	1948	Uni - Copy (103) - Copy - Copy.exe	SCHTASKS.exe
PID 1948 wrote to memory of 4784	1948	Uni - Copy (103) - Copy - Copy.exe	SCHTASKS.exe
PID 1948 wrote to memory of 4784	1948	Uni - Copy (103) - Copy - Copy.exe	SCHTASKS.exe
PID 4252 wrote to memory of 3404	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 3404	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 3404	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 2356	4252	Client.exe	cmd.exe
PID 4252 wrote to memory of 2356	4252	Client.exe	cmd.exe
PID 4252 wrote to memory of 2356	4252	Client.exe	cmd.exe
PID 2356 wrote to memory of 3588	2356	cmd.exe	chcp.com
PID 2356 wrote to memory of 3588	2356	cmd.exe	chcp.com
PID 2356 wrote to memory of 3588	2356	cmd.exe	chcp.com
PID 2356 wrote to memory of 944	2356	cmd.exe	PING.EXE
PID 2356 wrote to memory of 944	2356	cmd.exe	PING.EXE
PID 2356 wrote to memory of 944	2356	cmd.exe	PING.EXE
PID 2356 wrote to memory of 4332	2356	cmd.exe	Client.exe
PID 2356 wrote to memory of 4332	2356	cmd.exe	Client.exe
PID 2356 wrote to memory of 4332	2356	cmd.exe	Client.exe
PID 4332 wrote to memory of 2916	4332	Client.exe	schtasks.exe
PID 4332 wrote to memory of 2916	4332	Client.exe	schtasks.exe
PID 4332 wrote to memory of 2916	4332	Client.exe	schtasks.exe
PID 4332 wrote to memory of 4224	4332	Client.exe	cmd.exe
PID 4332 wrote to memory of 4224	4332	Client.exe	cmd.exe
PID 4332 wrote to memory of 4224	4332	Client.exe	cmd.exe
PID 4224 wrote to memory of 4324	4224	cmd.exe	chcp.com
PID 4224 wrote to memory of 4324	4224	cmd.exe	chcp.com
PID 4224 wrote to memory of 4324	4224	cmd.exe	chcp.com
PID 4224 wrote to memory of 3164	4224	cmd.exe	PING.EXE
PID 4224 wrote to memory of 3164	4224	cmd.exe	PING.EXE
PID 4224 wrote to memory of 3164	4224	cmd.exe	PING.EXE
PID 4224 wrote to memory of 4128	4224	cmd.exe	Client.exe
PID 4224 wrote to memory of 4128	4224	cmd.exe	Client.exe
PID 4224 wrote to memory of 4128	4224	cmd.exe	Client.exe
PID 4128 wrote to memory of 2672	4128	Client.exe	schtasks.exe
PID 4128 wrote to memory of 2672	4128	Client.exe	schtasks.exe
PID 4128 wrote to memory of 2672	4128	Client.exe	schtasks.exe
PID 4128 wrote to memory of 2368	4128	Client.exe	cmd.exe
PID 4128 wrote to memory of 2368	4128	Client.exe	cmd.exe
PID 4128 wrote to memory of 2368	4128	Client.exe	cmd.exe
PID 2368 wrote to memory of 4440	2368	cmd.exe	chcp.com
PID 2368 wrote to memory of 4440	2368	cmd.exe	chcp.com
PID 2368 wrote to memory of 4440	2368	cmd.exe	chcp.com
PID 2368 wrote to memory of 1640	2368	cmd.exe	PING.EXE
PID 2368 wrote to memory of 1640	2368	cmd.exe	PING.EXE
PID 2368 wrote to memory of 1640	2368	cmd.exe	PING.EXE
PID 2368 wrote to memory of 2408	2368	cmd.exe	Client.exe
PID 2368 wrote to memory of 2408	2368	cmd.exe	Client.exe
PID 2368 wrote to memory of 2408	2368	cmd.exe	Client.exe
PID 2408 wrote to memory of 944	2408	Client.exe	schtasks.exe
PID 2408 wrote to memory of 944	2408	Client.exe	schtasks.exe
PID 2408 wrote to memory of 944	2408	Client.exe	schtasks.exe
PID 2408 wrote to memory of 2192	2408	Client.exe	cmd.exe
PID 2408 wrote to memory of 2192	2408	Client.exe	cmd.exe
PID 2408 wrote to memory of 2192	2408	Client.exe	cmd.exe
PID 2192 wrote to memory of 1880	2192	cmd.exe	chcp.com
PID 2192 wrote to memory of 1880	2192	cmd.exe	chcp.com
PID 2192 wrote to memory of 1880	2192	cmd.exe	chcp.com
PID 2192 wrote to memory of 2852	2192	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4324

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cRWhMUPHm7O6.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:3588

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:944

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zpvIPTEZbFTn.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4324

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3164

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pfZkZDW9Q72g.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4440

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1640

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J4pfRx1eqFtx.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:1880

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2852

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4132

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat" "
11⤵
PID:3736

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1908

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4340

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\idb3p3lbTEpM.bat" "
13⤵
PID:4636

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:2732

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2004

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:832

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqpNF2iAbQm2.bat" "
15⤵
PID:372

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:692

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3988

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:808

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c4ZvNnzsbqPj.bat" "
17⤵
PID:4624

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2864

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:5032

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2S16ToK4VAZ5.bat" "
19⤵
PID:2780

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:3400

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4924

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3124

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pXfhmnqHOOVv.bat" "
21⤵
PID:2408

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:2400

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2728

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OStACV7B0Iw0.bat" "
23⤵
PID:4864

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4036

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:916

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:740

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGeHqMLDHxqy.bat" "
25⤵
PID:4576

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:4528

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4176

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hRxU9Sky0cc2.bat" "
27⤵
PID:3120

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:4924

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:560

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:116

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yyo78BgpfiU7.bat" "
29⤵
PID:2448

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:3960

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4828

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7t3aZtxjIbvC.bat" "
31⤵
PID:2972

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:2612

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2276

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eJ7EEOcXEYTM.bat" "
33⤵
PID:4476

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:3972

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:1400

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4128

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TtveIakqojI7.bat" "
35⤵
PID:4500

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:3548

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:4416

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:396

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9OrBAQ8t4Iza.bat" "
37⤵
PID:4336

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:3128

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:764

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:692

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6UQsaJCtM364.bat" "
39⤵
PID:4160

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:2112

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:3148

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pwQdMhPVhXpr.bat" "
41⤵
PID:740

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:4864

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:2872

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:3080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PvObgb1AlKvV.bat" "
43⤵
PID:3576

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:4892

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:1592

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gAFOf4IMv8Hz.bat" "
45⤵
PID:2488

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:2784

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:868

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dHo65wLMDtOT.bat" "
47⤵
PID:5112

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:4324

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:3916

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:456

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IHrrgypb4DtA.bat" "
49⤵
PID:3992

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:2156

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:4776

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4740

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymnOYoEfKmad.bat" "
51⤵
PID:400

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:4008

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:1608

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3228

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zuAplRRy8LO1.bat" "
53⤵
PID:3488

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:3156

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:2516

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rVmydNjaELvg.bat" "
55⤵
PID:4904

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:1520

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:4956

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 2248
55⤵
- Program crash
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 2232
53⤵
- Program crash
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1732
51⤵
- Program crash
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1640
49⤵
- Program crash
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1660
47⤵
- Program crash
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 2224
45⤵
- Program crash
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 2248
43⤵
- Program crash
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1656
41⤵
- Program crash
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 1732
39⤵
- Program crash
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 2212
37⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1712
35⤵
- Program crash
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1096
33⤵
- Program crash
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1708
31⤵
- Program crash
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 2236
29⤵
- Program crash
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 2248
27⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 1672
25⤵
- Program crash
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1688
23⤵
- Program crash
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 2248
21⤵
- Program crash
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1092
19⤵
- Program crash
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 2220
17⤵
- Program crash
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 2224
15⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 2224
13⤵
- Program crash
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 2248
11⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 2244
9⤵
- Program crash
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 1624
7⤵
- Program crash
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1084
5⤵
- Program crash
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 1652
3⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (103) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4276,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4252 -ip 4252
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4332 -ip 4332
1⤵
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4128 -ip 4128
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2408 -ip 2408
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4132 -ip 4132
1⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1948 -ip 1948
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 832 -ip 832
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 808 -ip 808
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4012 -ip 4012
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3124 -ip 3124
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1852 -ip 1852
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 740 -ip 740
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4416 -ip 4416
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 116 -ip 116
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1008 -ip 1008
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4864 -ip 4864
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4128 -ip 4128
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 396 -ip 396
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 692 -ip 692
1⤵
PID:2812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3996,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4444 /prefetch:8
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2024 -ip 2024
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2280 -ip 2280
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4416 -ip 4416
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1896 -ip 1896
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 456 -ip 456
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4740 -ip 4740
1⤵
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3228 -ip 3228
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2784 -ip 2784
1⤵
PID:4932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2S16ToK4VAZ5.bat
Filesize
207B

MD5
1d8d6f35569fdd49d1621fa2cd6725d6

SHA1
88de4bf3ae37d597859053d35b7a771e5c04efe2

SHA256
23a857956d412040e098c192909b6d990d8923928a173edb2fca9450ea4ffcaa

SHA512
ef443a643e511146f8e3070c5ffb1c1269244f358be7dc9e019f602c8c827958784662abd4c11fc67263566f17bc72d4b123237d3ee6ed6d15bcc03111ddc3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6UQsaJCtM364.bat
Filesize
207B

MD5
3f4f6b07fab9a12744e50d5225183195

SHA1
ed3be2f788c37fd49d52a49a99772b7d2f568af9

SHA256
ffd9ed359ba749193ebc0fda7ac8eda839da7f3ba9e00ad67d357e58099c00cc

SHA512
2774864e29484cedb6ce588b270026691741af016a4350f6fa6f591f72f3a2ff22a2a089ec03c4c0f7b2dca5a2fe09c3061c8f4a6889b8955dfed177b982feff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7t3aZtxjIbvC.bat
Filesize
207B

MD5
962dc1a962f9f02fd54a6c7f26ff11ce

SHA1
3e082806f592ee7c2b9815726b30d74491493d6b

SHA256
8f73dd8158c2b771821305ca651524c73c3d8bb161ef606a54ab1b1e45d2b4e2

SHA512
8a7b780e007e661de81da0235b3b742e0479ac56d9faa9ed4d485a4ea60f798ca5f6da1bf70ab8452a82b4f813f52dfff85dbe8cb2b3a92990095bbabe4c2829

Download Submit
C:\Users\Admin\AppData\Local\Temp\9OrBAQ8t4Iza.bat
Filesize
207B

MD5
eb9e83a6fa063c1f8d12107b7d29c003

SHA1
e7d26de54c746de3e1f7e011cb2dbdbb2ed9fa9b

SHA256
f9a2589871b858464df160b55e17ac0e7712df3c7a8cf91c213e09fc29b309a9

SHA512
4d0ce24bcf20e0361548d5c5f0e4b38ddc1a3769ece76c032f74382aa4227ce35c0a6a98464aa6c249dc26b7c1f2ca39fd36501a8bbd4bb92462b1e718c4393b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J4pfRx1eqFtx.bat
Filesize
207B

MD5
b3fa5dd56e287274e8204d6307842139

SHA1
be4642473cfa58234f8053d271b72261440c1b09

SHA256
4547e59ec93e272dfe199b8bfea4b9f40daff85af195fd203883f65892b6ecad

SHA512
5685dc227233902229836946a3d1b4528cae5ed2f8ded788a0639767cb97640e8a2f9844366ffe740b3140c9c79468cbc0e27c65d6d6c7c5419535ca86eb00b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat
Filesize
207B

MD5
fca918401b9f049ba5b5d4539bbb417f

SHA1
2cdeb9d54acc29a51a98f4bc859673c5ec786879

SHA256
684e02e766fa1f723388f802c7f5a15df9258467c5abcab7a483457f681220ad

SHA512
29acf29a6cccda64ce38f2d6dab7697d765cc14306c46e54e2f79f1a12f7def33d7fc192c12a684e1619872334adab6e93840c5b05e6a66279e65138a1b829e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OStACV7B0Iw0.bat
Filesize
207B

MD5
a968198b10748a203e7969c38e05ea6c

SHA1
87a90b371f6a9be3924fcef3b257c2f155a9e476

SHA256
494f4bf03380da93d22ea861431da410338866e44af30a502b7879b272b48e1a

SHA512
c79e392128476f990b11a9f524391e14f6123800689d2383c971af10ccc48e806aca092d8632f411b3e92affc0fe03ef7706440b323ac4912ca781ecc90ca5be

Download Submit
C:\Users\Admin\AppData\Local\Temp\PvObgb1AlKvV.bat
Filesize
207B

MD5
06c35436c03e176de76407836b571ad3

SHA1
9c1a9cb18a7dfb5c833eb8a283112cec1b7e717d

SHA256
7f91b9ce8acba3a9f20204cb0806d915b3b9aadcd2ff7855f55ce8dee4fb5c4a

SHA512
82e557c852e8b1a635f37fc33bde541068734eee498ab4c61cf5368b0318dcb0d6f8d4a62fcc5d2caa8fa05b9628357ca1d49e58ed69f6c8f65ce9d94270253a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yyo78BgpfiU7.bat
Filesize
207B

MD5
8b4e08f9f9fc82bb2373353a0b0d59aa

SHA1
3922b573c613ad3f3b0021f779527bc6f840406d

SHA256
2dc9efbc8850bd908af368f218f2a2694fce76bee92a0a0bf391bb3b62211a14

SHA512
d39a753e2d1aeb42d0b1bc6d0805f6894ac9549743754cf97c666ea4cd0ece32f7733d8347d869276268edb01bc28ed911e5ca580f311a98b1efd3fca2696f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4ZvNnzsbqPj.bat
Filesize
207B

MD5
48d12fd1ae07d7269a73393b682ea758

SHA1
ed939e758f5e0d0e9ad70bfc386c0dcbcfa5f5d6

SHA256
639c94070837f04c49349465920265234f44d652d5eb45cfed076c3845c0e28d

SHA512
cf24fba9f49a2aee9d37ba3b5cb55e621d20ed689b3b448c7f2bc759ba3a65fe57491def969911ccb23622135a153b7e46c8442aebe73e89165f169109d775c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cRWhMUPHm7O6.bat
Filesize
207B

MD5
d95118b857bd1e1a69c0dbe09ea42302

SHA1
40c864f693a0fe10b26dd2fe2197cfcdba0fcaad

SHA256
f97c3865887f989548253898f25e2010fb7df600625b951965d7c94eda0a2d1a

SHA512
20f1b3615038caea8ece8e3400c2fa314c4667ff4677d69945e8a007688e9b9d27ba076155b304e8d0143efd6dcce8f98421508cb13c3042eebd7e7197a2665f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eJ7EEOcXEYTM.bat
Filesize
207B

MD5
24cdc1ea54c3a068b90f906c0696e10f

SHA1
320a7fe0dab4bf1cacad74cd7a7a5f6df02d6282

SHA256
47c6b64b3ca84388ad932962569b1b3224e46e9bb944b617be7f7eba632f5264

SHA512
b111bc218695f7e7d7f2768ae74e713c3fc52343f01e643b61c0920daf295e74c59de38a6ad0bbbc68c2259f3f3a1bb6e114aa1cec7e64fe95bb171ecdddd9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\hRxU9Sky0cc2.bat
Filesize
207B

MD5
6bbd6e156cb6cc3a00d028f47cbf5c34

SHA1
6302ff77e88c28136a3cf14c6c113b6e19b02f90

SHA256
32ba7d463beac44baa7a5291a07c64089ba5c5df08d1bad02c89834b3e66ab78

SHA512
76f624c8c7a08b2864364ec7ac713d7c3b2123c6c802e1c826fbfa5a32102bf66bfd203ccf83e5644d5b39e66a5e4bd26b8bb37c81ecbcf35b01e87e97a41528

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGeHqMLDHxqy.bat
Filesize
207B

MD5
99d5af4285175f83b77b722d544d9b5d

SHA1
8769c4de09e3f453fcf5f30da51e0ca75079fa1b

SHA256
827f930de140e62111559acac68d85664094def94f7e8c4477c985c183e8f8f9

SHA512
66654605890be86ce351e31c219e185bc79aaf34df6c9bc0b9f6b61f0a39c16e65a0e1f36a2a523236ac3efd0c4a972de88d811299f4e3879b3f1cd1e6361523

Download Submit
C:\Users\Admin\AppData\Local\Temp\idb3p3lbTEpM.bat
Filesize
207B

MD5
c01cea741fba5ec596b5ff417d97190a

SHA1
2a10b9e8e6467127f6cd7d3e553ca6243b9d9676

SHA256
155179710b067b1d7dfda6ff6f2e91a573df0d2a2821530b2f95df8f90a0da72

SHA512
d1b4d4638ed7dad8373efee8194d97ecd562ff8afa7ca4f789b6cb613335fe7abdaa88f70a03d56b5d6aef2f31ed3ea8361e930fcf3c23877acf20bdabb54820

Download Submit
C:\Users\Admin\AppData\Local\Temp\pXfhmnqHOOVv.bat
Filesize
207B

MD5
a4e5c723180ea3f28a13f4d17723181f

SHA1
52c4c8e624ea8099bcad3c3ba174206e3cbe9ded

SHA256
66faca97f1bfc10298985acc1163acd50f789152a2d3dbed0ee4af4d3c53873a

SHA512
8ec33f237ea592ef81234e1e10bfca56aac414d6a8b72ccf893ce8aa78036ccecf6cb08ba3a96a5480c2669345f31933ae466a4eadc8aaf0b6ecccbe9cf1e813

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfZkZDW9Q72g.bat
Filesize
207B

MD5
d0e4eeefee9aa53a9ab6c37a1dd21154

SHA1
5379a90f14442c1f73bb8f3362259c5d608b6ad2

SHA256
b4a03d45b4f4712534cc9265a788297a88ec9d94bf2c50f45f5698a533256284

SHA512
5c7d7e29eade02dada7645b1ad852d3acf31187e957068e50038b82d1bded8a7d7e2a00768015c18257c8b4c4faac1b6e2f0c02361fbd39bf7888fb2202840c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwQdMhPVhXpr.bat
Filesize
207B

MD5
a379c1c1602cd339a5f09e4d935b5406

SHA1
273c9d5abbfab5c883a2ea9faeaa64e5b5e26b90

SHA256
c400260513b7a239b43d698af99eafb8034e2b122188570b89706bc2c68d2ae2

SHA512
5004db845f4a453f60305f7b3e33f3304df94986e42b079f1f55c02c28e118167bdfaf5f2873b11922bf2a50244298429323bdbb0ab8bcf707792c9040198b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqpNF2iAbQm2.bat
Filesize
207B

MD5
b869a3d0b6981f1d1514658a5ad4cd9b

SHA1
93bcc26f4fe819b4f6f479f5a903065eeb5d60f8

SHA256
12c53092c7fb58eb51335f4eef32c9521ce75213c56573096eae19944168cb85

SHA512
b06bef2804f94542094564327decc5afcaed1c3b1f354eb5e5f7ba107f25dcdbee8d7af0e3e5d296494cd495b8bcec9acb6484acd63314ebd4e6f4222edd4c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpvIPTEZbFTn.bat
Filesize
207B

MD5
6b5408acaf3e731b9ad49e9d243414da

SHA1
45422f048f4bd34f5ce6ff29cfe24d0bb9d5cfcb

SHA256
58973ae9e9c5c2af818e3aaa6b04ccaa0cb1297871e2f4d8b15c1da1ebc00043

SHA512
a67b36247088ea34119048f79c33abf843956c082142112794f7c3b77d3c58f36d8f3f1736322368cbc7af9ab9a45bc5665aac0b679c1c4f972dd6d91bbd2562

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
0ab82601d182bd111d39a4fbfb051fd2

SHA1
c07ab6c602cf4d81633626be0fcb83c6ad6859c0

SHA256
d9965c381124c307679b34a8e17595576ebb2709401b40174546b9f49795bfc2

SHA512
23eae67cece3fc20843a02d8abceb190b5e4acbb35812d3d2b87d6c71d236fb68f2691e282f79346548a1d33d535866849b3f7599135c4c0cec01308b3fe76b9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
d6fd0e3146f4a0de2af7f9005be2f2e5

SHA1
b491edd0efdffbdfdab56fa4c980b431f4563b04

SHA256
96fec9a8fe919dc0b472b1e38d4922e84edabf9ec8b41bb4c3828f128fdc177c

SHA512
69968bdb37d42e274a1e06e2a487e927c8da057880861103d37592f64248dad2888b62e4d9f0c5f8ebc16477a58cef6b04bcae0ff91de68d51a57fe79d9f0694

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
430f6a6e9f4bae46a75b8f7f28ee8e29

SHA1
5f75b1a95eba84d26351ebba563ac96b54eea967

SHA256
91428ece2e914cda2c52d1f77f529921e9371b975f85edca044317060b80d6f6

SHA512
451622e010176590f1e716427d0f837d4e6aa7e135f1fff036a4d90f257c338c923e2e11705e53206275399ed6c3350ca8213e6894565394e27551ea1426d517

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
819f1026afe56ecb196b4a806f4339e7

SHA1
95f5f570a4881e7e4a356b24d521e2a03b28dc8d

SHA256
b2dd3910515099b3a84cc1ee0354accdfea89399a7e05eda2cc8ad5f17f5ade3

SHA512
0846d30fac0ebc3f5c587ca94da80223367fa595562319dfc36bd28aae6db5e13689b7c13089801fc250ad16ad5ab7c5c96e39d06d5aa14a4348384059f3187e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
2493a7bfde6526a68b9366e476a10149

SHA1
5cd0bd5981099ab6a6778ce468bf25b9e4687164

SHA256
4594426989bd35efafbf237d4203f8fdd187a035e329d5619a71986a488ac52d

SHA512
f083eba036b3c4eb83bd9ba7cfa712e3264880653400ef5c2d3ba82af456c4dc51557ec51b8d91e91d0a731ced9e2c15a20f895449d6374c62a542cdca0345ee

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
8984a14320fb5ce25909461c71420f9a

SHA1
d0913d6d8d48c109c6977796e99f50f96aebb830

SHA256
bdcc74a2ee8d0dd9b01f9d27a4fbb0467a07d75684ddfb8dec077ba2a7d29a51

SHA512
a6f6506f3e417d5fd1161280d249a7b98eb88184db0dc5be26be3f618880b05af3e2d2a832fd5f8f4e19c0501d0e293d0f9d9506550adb1ef716dfc3ea1fd08c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c88d6ba5563d5a68651978f332af39f1

SHA1
e484e2567b4029028f18623e0ea9143db70ad4e9

SHA256
18d17d375ab8ec8b0e7edc709b94f8fe99630e8561edd5dc6ef6d33bf670ba05

SHA512
5c34c0391c41e2a7712578358273f84fc10b4456bbe3c7e16efe05d6b184fec6a541aa6ba49c4eaace633a05a68a1b326473c911fd9c3cd0c079eb35505d3994

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
7e26abc758469dc21cbc5bbb29636a5f

SHA1
67a0840e698404f21d9b18d7abfbb6825789adfa

SHA256
449b59bb7258954d89ae85b856c26ae6911f3aae6edd389078dd44035b09f532

SHA512
df5ed2fbceb618b0bbfca1400214c44d6cac0f788af91c130d8706d2cbd45ebbdb9baee9800971b9971b2b7940d83c072b9ce7d2aa6c7224bc05233fe7eb7fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
9322cdec542295ed36d7f619aab30d69

SHA1
58108cdc24af65d5f1827fda88d12057fe490b15

SHA256
17f4b929d13688934d96f80d0e59e62c177c17d574aabb6f2a541dfdac443c14

SHA512
2f2e7510b21b23894b636ec7828c5f7b5af48ff67f507ced68d0b3660e9964a36db088adb557eeb2658b8a9b6bb2efd667da57cb434b234684b38c6ca12903ee

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
add94d62a61c16efcb697a34557befcd

SHA1
d80bbe2c548504dd5c42b4f875c361aff5af7e28

SHA256
c4707e1c06f2a759bf5faaac78aca9949acaef0c21908c6a02210e48994a7cb4

SHA512
72326cfd1a0c9c2234c74d992ece35ae0e4e54d56cc312cd811b0b301caf984fa6dee4faed1671cfcf1ecbc26f8c8a4fa77ef4cca1a0d1221fc49d9db857b00f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1948-2-0x0000000005B40000-0x00000000060E4000-memory.dmp

Filesize
5.6MB

Download
memory/1948-4-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1948-5-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/1948-6-0x0000000006360000-0x0000000006372000-memory.dmp

Filesize
72KB

Download
memory/1948-8-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1948-7-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download
memory/1948-1-0x0000000000AE0000-0x0000000000B4C000-memory.dmp

Filesize
432KB

Download
memory/1948-3-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/1948-16-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1948-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download
memory/4252-24-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/4252-15-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/4252-17-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/4252-19-0x0000000006400000-0x000000000640A000-memory.dmp

Filesize
40KB

Download