quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
590s
max time network
608s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (104) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral30/memory/5100-1-0x0000000000340000-0x00000000003AC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 29 IoCs

Processes:

pid	process
2240	Client.exe
3292	Client.exe
3916	Client.exe
4624	Client.exe
1364	Client.exe
2280	Client.exe
4536	Client.exe
3484	Client.exe
4368	Client.exe
3632	Client.exe
4948	Client.exe
1056	Client.exe
1820	Client.exe
1860	Client.exe
2696	Client.exe
3700	Client.exe
768	Client.exe
4472	Client.exe
3664	Client.exe
2148	Client.exe
4392	Client.exe
4880	Client.exe
2732	Client.exe
1820	Client.exe
1676	Client.exe
636	Client.exe
1424	Client.exe
3552	Client.exe
1096	Client.exe

Looks up external IP address via web service 26 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
11	ip-api.com
37	ip-api.com
64	ip-api.com
2	ip-api.com
9	api.ipify.org
19	ip-api.com
34	ip-api.com
53	ip-api.com
39	ip-api.com
43	ip-api.com
47	ip-api.com
17	ip-api.com
41	ip-api.com
55	ip-api.com
24	ip-api.com
29	ip-api.com
15	ip-api.com
45	ip-api.com
59	ip-api.com
13	ip-api.com
22	ip-api.com
27	ip-api.com
31	ip-api.com
51	ip-api.com
57	ip-api.com
61	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 28 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4468	2240	WerFault.exe	Client.exe
2372	3292	WerFault.exe	Client.exe
3940	3916	WerFault.exe	Client.exe
3644	4624	WerFault.exe	Client.exe
748	1364	WerFault.exe	Client.exe
5116	2280	WerFault.exe	Client.exe
4892	4536	WerFault.exe	Client.exe
4020	3484	WerFault.exe	Client.exe
4784	4368	WerFault.exe	Client.exe
3628	3632	WerFault.exe	Client.exe
408	4948	WerFault.exe	Client.exe
3764	1056	WerFault.exe	Client.exe
1692	1820	WerFault.exe	Client.exe
688	1860	WerFault.exe	Client.exe
4400	2696	WerFault.exe	Client.exe
1572	3700	WerFault.exe	Client.exe
4280	768	WerFault.exe	Client.exe
4176	4472	WerFault.exe	Client.exe
3224	3664	WerFault.exe	Client.exe
3376	2148	WerFault.exe	Client.exe
1228	4392	WerFault.exe	Client.exe
4896	4880	WerFault.exe	Client.exe
3604	2732	WerFault.exe	Client.exe
1500	1820	WerFault.exe	Client.exe
348	1676	WerFault.exe	Client.exe
1204	636	WerFault.exe	Client.exe
3860	1424	WerFault.exe	Client.exe
3248	3552	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2136	schtasks.exe
4540	schtasks.exe
636	schtasks.exe
4844	schtasks.exe
4668	SCHTASKS.exe
1780	schtasks.exe
2416	schtasks.exe
944	schtasks.exe
3388	schtasks.exe
1584	schtasks.exe
2152	schtasks.exe
1608	schtasks.exe
1376	schtasks.exe
4944	schtasks.exe
5032	schtasks.exe
1980	schtasks.exe
644	schtasks.exe
3016	schtasks.exe
2596	schtasks.exe
2888	schtasks.exe
860	schtasks.exe
3156	schtasks.exe
3916	schtasks.exe
3644	schtasks.exe
3756	schtasks.exe
3520	schtasks.exe
672	schtasks.exe
3660	schtasks.exe
1908	schtasks.exe
4924	schtasks.exe

Runs ping.exe 1 TTPs 28 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2148	PING.EXE
3892	PING.EXE
1356	PING.EXE
2244	PING.EXE
2148	PING.EXE
4876	PING.EXE
4228	PING.EXE
3056	PING.EXE
4088	PING.EXE
5028	PING.EXE
1204	PING.EXE
2956	PING.EXE
1200	PING.EXE
3308	PING.EXE
4280	PING.EXE
2436	PING.EXE
4100	PING.EXE
1364	PING.EXE
2784	PING.EXE
1608	PING.EXE
3612	PING.EXE
4296	PING.EXE
1212	PING.EXE
948	PING.EXE
2572	PING.EXE
4408	PING.EXE
4880	PING.EXE
4020	PING.EXE

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

Uni - Copy (104) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	5100	Uni - Copy (104) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	2240	Client.exe
Token: SeDebugPrivilege	3292	Client.exe
Token: SeDebugPrivilege	3916	Client.exe
Token: SeDebugPrivilege	4624	Client.exe
Token: SeDebugPrivilege	1364	Client.exe
Token: SeDebugPrivilege	2280	Client.exe
Token: SeDebugPrivilege	4536	Client.exe
Token: SeDebugPrivilege	3484	Client.exe
Token: SeDebugPrivilege	4368	Client.exe
Token: SeDebugPrivilege	3632	Client.exe
Token: SeDebugPrivilege	4948	Client.exe
Token: SeDebugPrivilege	1056	Client.exe
Token: SeDebugPrivilege	1820	Client.exe
Token: SeDebugPrivilege	1860	Client.exe
Token: SeDebugPrivilege	2696	Client.exe
Token: SeDebugPrivilege	3700	Client.exe
Token: SeDebugPrivilege	768	Client.exe
Token: SeDebugPrivilege	4472	Client.exe
Token: SeDebugPrivilege	3664	Client.exe
Token: SeDebugPrivilege	2148	Client.exe
Token: SeDebugPrivilege	4392	Client.exe
Token: SeDebugPrivilege	4880	Client.exe
Token: SeDebugPrivilege	2732	Client.exe
Token: SeDebugPrivilege	1820	Client.exe
Token: SeDebugPrivilege	1676	Client.exe
Token: SeDebugPrivilege	636	Client.exe
Token: SeDebugPrivilege	1424	Client.exe
Token: SeDebugPrivilege	3552	Client.exe
Token: SeDebugPrivilege	1096	Client.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

pid	process
2240	Client.exe
3292	Client.exe
3916	Client.exe
4624	Client.exe
1364	Client.exe
2280	Client.exe
4536	Client.exe
3484	Client.exe
4368	Client.exe
3632	Client.exe
4948	Client.exe
1056	Client.exe
1820	Client.exe
1860	Client.exe
2696	Client.exe
3700	Client.exe
768	Client.exe
4472	Client.exe
3664	Client.exe
2148	Client.exe
4392	Client.exe
4880	Client.exe
2732	Client.exe
1820	Client.exe
1676	Client.exe
636	Client.exe
1424	Client.exe
3552	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (104) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 5100 wrote to memory of 2136	5100	Uni - Copy (104) - Copy - Copy - Copy.exe	schtasks.exe
PID 5100 wrote to memory of 2136	5100	Uni - Copy (104) - Copy - Copy - Copy.exe	schtasks.exe
PID 5100 wrote to memory of 2136	5100	Uni - Copy (104) - Copy - Copy - Copy.exe	schtasks.exe
PID 5100 wrote to memory of 2240	5100	Uni - Copy (104) - Copy - Copy - Copy.exe	Client.exe
PID 5100 wrote to memory of 2240	5100	Uni - Copy (104) - Copy - Copy - Copy.exe	Client.exe
PID 5100 wrote to memory of 2240	5100	Uni - Copy (104) - Copy - Copy - Copy.exe	Client.exe
PID 5100 wrote to memory of 4668	5100	Uni - Copy (104) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 5100 wrote to memory of 4668	5100	Uni - Copy (104) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 5100 wrote to memory of 4668	5100	Uni - Copy (104) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2240 wrote to memory of 4540	2240	Client.exe	schtasks.exe
PID 2240 wrote to memory of 4540	2240	Client.exe	schtasks.exe
PID 2240 wrote to memory of 4540	2240	Client.exe	schtasks.exe
PID 2240 wrote to memory of 4864	2240	Client.exe	cmd.exe
PID 2240 wrote to memory of 4864	2240	Client.exe	cmd.exe
PID 2240 wrote to memory of 4864	2240	Client.exe	cmd.exe
PID 4864 wrote to memory of 4388	4864	cmd.exe	chcp.com
PID 4864 wrote to memory of 4388	4864	cmd.exe	chcp.com
PID 4864 wrote to memory of 4388	4864	cmd.exe	chcp.com
PID 4864 wrote to memory of 4408	4864	cmd.exe	PING.EXE
PID 4864 wrote to memory of 4408	4864	cmd.exe	PING.EXE
PID 4864 wrote to memory of 4408	4864	cmd.exe	PING.EXE
PID 4864 wrote to memory of 3292	4864	cmd.exe	Client.exe
PID 4864 wrote to memory of 3292	4864	cmd.exe	Client.exe
PID 4864 wrote to memory of 3292	4864	cmd.exe	Client.exe
PID 3292 wrote to memory of 3520	3292	Client.exe	schtasks.exe
PID 3292 wrote to memory of 3520	3292	Client.exe	schtasks.exe
PID 3292 wrote to memory of 3520	3292	Client.exe	schtasks.exe
PID 3292 wrote to memory of 1672	3292	Client.exe	cmd.exe
PID 3292 wrote to memory of 1672	3292	Client.exe	cmd.exe
PID 3292 wrote to memory of 1672	3292	Client.exe	cmd.exe
PID 1672 wrote to memory of 5108	1672	cmd.exe	chcp.com
PID 1672 wrote to memory of 5108	1672	cmd.exe	chcp.com
PID 1672 wrote to memory of 5108	1672	cmd.exe	chcp.com
PID 1672 wrote to memory of 1608	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 1608	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 1608	1672	cmd.exe	PING.EXE
PID 1672 wrote to memory of 3916	1672	cmd.exe	Client.exe
PID 1672 wrote to memory of 3916	1672	cmd.exe	Client.exe
PID 1672 wrote to memory of 3916	1672	cmd.exe	Client.exe
PID 3916 wrote to memory of 672	3916	Client.exe	schtasks.exe
PID 3916 wrote to memory of 672	3916	Client.exe	schtasks.exe
PID 3916 wrote to memory of 672	3916	Client.exe	schtasks.exe
PID 3916 wrote to memory of 4908	3916	Client.exe	cmd.exe
PID 3916 wrote to memory of 4908	3916	Client.exe	cmd.exe
PID 3916 wrote to memory of 4908	3916	Client.exe	cmd.exe
PID 4908 wrote to memory of 768	4908	cmd.exe	chcp.com
PID 4908 wrote to memory of 768	4908	cmd.exe	chcp.com
PID 4908 wrote to memory of 768	4908	cmd.exe	chcp.com
PID 4908 wrote to memory of 4280	4908	cmd.exe	PING.EXE
PID 4908 wrote to memory of 4280	4908	cmd.exe	PING.EXE
PID 4908 wrote to memory of 4280	4908	cmd.exe	PING.EXE
PID 4908 wrote to memory of 4624	4908	cmd.exe	Client.exe
PID 4908 wrote to memory of 4624	4908	cmd.exe	Client.exe
PID 4908 wrote to memory of 4624	4908	cmd.exe	Client.exe
PID 4624 wrote to memory of 3156	4624	Client.exe	schtasks.exe
PID 4624 wrote to memory of 3156	4624	Client.exe	schtasks.exe
PID 4624 wrote to memory of 3156	4624	Client.exe	schtasks.exe
PID 4624 wrote to memory of 2956	4624	Client.exe	cmd.exe
PID 4624 wrote to memory of 2956	4624	Client.exe	cmd.exe
PID 4624 wrote to memory of 2956	4624	Client.exe	cmd.exe
PID 2956 wrote to memory of 232	2956	cmd.exe	chcp.com
PID 2956 wrote to memory of 232	2956	cmd.exe	chcp.com
PID 2956 wrote to memory of 232	2956	cmd.exe	chcp.com
PID 2956 wrote to memory of 2436	2956	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2136

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWFetlcT41sM.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4388

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4408

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LN0LvCtX4IA3.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:5108

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1608

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuhpzmxfyL2i.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:768

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4280

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gheDqt1NjCFm.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:232

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2436

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1364

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0VOKUlFP0r9l.bat" "
11⤵
PID:1016

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:3920

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4088

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UufFMVkuQzz1.bat" "
13⤵
PID:3908

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4752

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3892

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CtkazYl3NWZO.bat" "
15⤵
PID:4384

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:1412

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4100

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ULjrU2fTV63.bat" "
17⤵
PID:3588

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3848

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1212

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OI6qVMGhkA01.bat" "
19⤵
PID:1904

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:3504

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2148

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Oe5uAgEhWQn3.bat" "
21⤵
PID:1600

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:2724

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:3612

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\viBVArvVg6YB.bat" "
23⤵
PID:3540

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:1656

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4880

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGqrwL1fr16B.bat" "
25⤵
PID:2692

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2136

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:5028

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\94bzaDFh8g09.bat" "
27⤵
PID:3228

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:4580

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2956

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYjmfJURsR0i.bat" "
29⤵
PID:2424

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:3824

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:2148

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xphbxUmlQWcy.bat" "
31⤵
PID:3956

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:1356

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:1204

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3700

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juLCGTHzJkZo.bat" "
33⤵
PID:408

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:3040

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:1200

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:768

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JpZfhBYswe0t.bat" "
35⤵
PID:2540

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:4440

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:4876

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQBoZ7qU2dXY.bat" "
37⤵
PID:1404

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:4256

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:3308

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3664

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kLPHzo7OeXyd.bat" "
39⤵
PID:4016

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:1584

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:948

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uYdaPn4wnjvJ.bat" "
41⤵
PID:4408

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:212

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:1356

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4392

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Kw6lUnP8h34f.bat" "
43⤵
PID:1872

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:3964

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:2572

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEqkXhLsgkK9.bat" "
45⤵
PID:2212

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:3552

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:4296

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OpRtPdcUljqo.bat" "
47⤵
PID:220

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:1408

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:4020

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SWifGfnehADg.bat" "
49⤵
PID:968

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:2420

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:1364

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81eB8VBhwju9.bat" "
51⤵
PID:748

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:2280

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:2784

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:636

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jQ2TKP4gGaE8.bat" "
53⤵
PID:1292

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:3616

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:3056

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pvy0CFSjW9vb.bat" "
55⤵
PID:3892

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:4868

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:4228

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3552

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
57⤵
- Creates scheduled task(s)
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dDkZIAuNa2Ek.bat" "
57⤵
PID:4328

C:\Windows\SysWOW64\chcp.com
chcp 65001
58⤵
PID:3156

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:2244

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 2224
57⤵
- Program crash
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1092
55⤵
- Program crash
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 2232
53⤵
- Program crash
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 2160
51⤵
- Program crash
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1720
49⤵
- Program crash
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1688
47⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 2144
45⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 2228
43⤵
- Program crash
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 1096
41⤵
- Program crash
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 1088
39⤵
- Program crash
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1096
37⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 2224
35⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 2236
33⤵
- Program crash
PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 2248
31⤵
- Program crash
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1092
29⤵
- Program crash
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 2232
27⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 1092
25⤵
- Program crash
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 2172
23⤵
- Program crash
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1624
21⤵
- Program crash
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1604
19⤵
- Program crash
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1096
17⤵
- Program crash
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1092
15⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 2248
13⤵
- Program crash
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1092
11⤵
- Program crash
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1084
9⤵
- Program crash
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 2172
7⤵
- Program crash
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 1092
5⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 1668
3⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (104) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (104) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2240 -ip 2240
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3292 -ip 3292
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3916 -ip 3916
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4624 -ip 4624
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1364 -ip 1364
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2280 -ip 2280
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4536 -ip 4536
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3484 -ip 3484
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4368 -ip 4368
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3632 -ip 3632
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4948 -ip 4948
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1056 -ip 1056
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1820 -ip 1820
1⤵
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1860 -ip 1860
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2696 -ip 2696
1⤵
PID:212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3700 -ip 3700
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 768 -ip 768
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4472 -ip 4472
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3664 -ip 3664
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2148 -ip 2148
1⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4392 -ip 4392
1⤵
PID:1656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4880 -ip 4880
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2732 -ip 2732
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1820 -ip 1820
1⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1676 -ip 1676
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 636 -ip 636
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1424 -ip 1424
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3552 -ip 3552
1⤵
PID:2396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0VOKUlFP0r9l.bat
Filesize
207B

MD5
f5f7636961f73ba3387c9565565bed40

SHA1
4d42b834c5ee6a7bc7b8bd5a4e45930bee5a2b21

SHA256
1fad6411f57626e2a45a1a7dbb36261c78783f9640ef2c7812fd05124dcd282b

SHA512
4d0b4d1874a49b3c4e2e1847d3870b529257392a55127bcff760fc41c04e046351c97530e2c0882a3b02275ae53647a5e2e6d1c8605fb6e9d602682e2605c80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ULjrU2fTV63.bat
Filesize
207B

MD5
2149ffec1b2c4bbf37ee6e944eeb346c

SHA1
3b43949b7c85bfa094df274cd20128ca6d6363db

SHA256
e247be4933344eff7943306fd0bdbe71c2344aedef363643540a1a6bf494dbf4

SHA512
c876b782222ba51aa8fee11e88d14bc25e6c1b417df39ff2b6b2f0819d7158a29fa20f6151e9305e7f7761ede463bf18b72a5db4827f5b47faac54fc3cdf8907

Download Submit
C:\Users\Admin\AppData\Local\Temp\94bzaDFh8g09.bat
Filesize
207B

MD5
9cfa71c181dd38aef769466fb857293a

SHA1
f0453da8342ce01152484a7d53bd2e203ea8e6d2

SHA256
55f81a1ba7c4549e3e35cc03d0c813d3c3d523b4905e4e456d50fe7e8e2cd025

SHA512
0ea05b93192d6d09ba1548d7b3d711f4c08d8209320f256f1ccee13b08e5f46baa0e9ef5ef20448f2275d6ab7fad708948805f6696bacf9b2a772d9a66421670

Download Submit
C:\Users\Admin\AppData\Local\Temp\BQBoZ7qU2dXY.bat
Filesize
207B

MD5
d9ca50781f5b853a5da9f27933eccc73

SHA1
8d2656469aa5526cb02eb1313ab339b69886a08f

SHA256
bb8dfd1ad0ff8b65af05302eac32740208180434be728581c664d52ac736860f

SHA512
cf13d6631895cb45d780f3c1020171717e7d8468873258ce642d967139fcde8187446c55a8e6a781b9f959e5bd7e60a17c93d77768b80f8d65d2c474b6386ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JpZfhBYswe0t.bat
Filesize
207B

MD5
e8c5e2186b8a152fd5a5e6baac0ce3c8

SHA1
b1c7a2a0eea2f59689f96e1f5c474e5fd84a699e

SHA256
e1976068677d950f7f377ad47f11273ca2f9e0864cc7996e1d28decc6d2afd9e

SHA512
2a7295beda4865ca5b1652a7d30106d61553c4113c76809ad0b56534eb387566ae9d9ceccb52d05511910eb2c1788706c857a851a1b16448a02d988c629c0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kw6lUnP8h34f.bat
Filesize
207B

MD5
9b0fe10ccbe6001f5f45c4c34c093704

SHA1
5cfea04af2d58a3442b806a8597af0d4f074a6bf

SHA256
d4e79f5a18c5ce5addedffd63b60d567288451663915c25ea586216c2f5bd0aa

SHA512
f0a98dbc6136c00389fb29792fa90620c421721873f9027d077f193a6a1a86af0dbeb4b48d10c4278dc5990a3ed7eeec70e69e9deef48f97acaa8b376a9ab4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LN0LvCtX4IA3.bat
Filesize
207B

MD5
85125879f2ec8c8c99158ef1613c0e3f

SHA1
80a522197df2c4fb18b9366bca97fd3fb9323d4b

SHA256
871ca6c716926085e3c08e34165234e7c85bad4124dc4062c495690a761b5d27

SHA512
f21d4a7dc1b787d32ca81f73adfc56c4a66a450a048192d1251701f10a0ed6ee308d4853bd2f9789e82277196e1f234e6db9f002488070457fd2df080d1219cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI6qVMGhkA01.bat
Filesize
207B

MD5
737cce646781fef14dcce90bf2787a6d

SHA1
0bdbabc9ed5deebccecdfa45fd028faca4f741f4

SHA256
c51e33d65b88e749a69a9d9135af8e582f58f9e88f28adbb6bd82f8259607964

SHA512
60de1cdca3cd67477d8a132710af6bee6d7a52a8b6fc44105029b252845bfcf5c48520a183999425fe5531c4935aa580f5fc3f2471292142e491be18609596dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oe5uAgEhWQn3.bat
Filesize
207B

MD5
d8513e0eb0ca11d1513b665e33e72eec

SHA1
753bbc77f10483a16dd9f9bb3818497e817e5bc3

SHA256
4a3c6337bedf827560d9e960098e00e499f7397219b486566ea61b60e5a5ab12

SHA512
a89626a32852c0d54a3e03a97054e5e749bb9c789f9401e78124d2d011773428568a4e5301af68555fd930de4cccffe2b9b3f154b536a7979298fdc4c27dbbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuhpzmxfyL2i.bat
Filesize
207B

MD5
e6a5e34467e04a27002a8e82056a3669

SHA1
e3f8e5f69656e5b576849903d41bf192fce07178

SHA256
9fed1a70e7d9b9a0c0ea11fbce588967e68ac58ca65d0d62a813a406f2b9e888

SHA512
12ae2e8fd84a3f86d1a00398215196f7eebf1661bb8b7d97f805f1219ddb084963b42ce67e4c5ab899a693b6dc3b73437e44b57842a152a9f69ae593c0a8683e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UufFMVkuQzz1.bat
Filesize
207B

MD5
edcca7925b88f31dcd0c8623d06e8090

SHA1
1c71a7177091cfb5ebe60f744b9cf6892d9aacd9

SHA256
4874435d2fc0b684707df9ab38c2abaef73688977b6f3bcb043f72767fa36d35

SHA512
4418672685d5d6be6b5c593c751f3236ff20d6ebd991a40a1adc10d10a65075ac3129ee67663f470fc72b48461f46da3bc87149e0f90f9913bae8ff0014a7022

Download Submit
C:\Users\Admin\AppData\Local\Temp\gheDqt1NjCFm.bat
Filesize
207B

MD5
9f262322a65c9f237e4479ada0593ddc

SHA1
b4c47376d621664ca47aaf099429d4f78098e938

SHA256
b42b5daefbd2e6ae5c37a190d1158ce2499ce06fe73ae994c69387d558240b31

SHA512
f0175f8b8334b595b8ae58e0a6c70778cd7bb05f8cb0fc5c7ba02ebbf1f6af100867e48f6012474eceadc3fcde70e0ad4b5ac58f6b2d9bb6014403f944f8a937

Download Submit
C:\Users\Admin\AppData\Local\Temp\juLCGTHzJkZo.bat
Filesize
207B

MD5
c70e3db85b009666735a332af94f1861

SHA1
1017081ccce80ba733e3ac43865327327a3588d7

SHA256
47a2e0844fa2348fb20790bcdcedee0bd7afd12e942012eb31e517a79017a043

SHA512
63f222708b66476f8ff8526f24bb2e7aabfe194de7c6fef80bfd939f13fb9a035d20b156fa8f626810ba4b5ae0b7380bc718764da046c7a36b6a3fdd13d97f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kLPHzo7OeXyd.bat
Filesize
207B

MD5
d8001ae1e106b84281207db447bae264

SHA1
4d9f2a6591a9ee3d7de1c976b1867c9c47197569

SHA256
77f9a607b4b16bc67b4600e4ba307828f5ad432ad7279215d41c0b2f43988fd8

SHA512
2bd2282b93b573942c4b7d9fdb28b73b48340d1658c6d388ed635fbff8d85682543599d794fd6ca607f954dcb80ce43da0fe0b1c699cd6f5975547974337e917

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYjmfJURsR0i.bat
Filesize
207B

MD5
a62215a4af22461af14a702a016b438a

SHA1
f2b9e5548dd5e34ef279c1427f69496b4fecd727

SHA256
1081dfd9f51baa69bd0962a02670c1e23f34e97fe21d3f162c20cb0def2d1caa

SHA512
6106088c97a979b23cf993af4aee6d108d31ff0f4cf24da1425f2ed31b26f70ddd14a67d12ecd5c17411b1f238fa37d929411f73c0b92ed88419b17f6618f8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pGqrwL1fr16B.bat
Filesize
207B

MD5
c5e462901097160e5d2333e3d97d146c

SHA1
60b1a9dff62e261af1bad22775b9840f5445443e

SHA256
820806730a2ac8fa7fbe47363ea67cd7d5d4ae84946f072766c7d7dd23ab7f87

SHA512
945906bf09b4b96f0473aaeab20a1d0aa1a16093832f39f883ba7a29a59b5fd68a86638e69fd4376d4f7f460730d4927fc53ea0cdc2e376f1b8da25bf74f8552

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYdaPn4wnjvJ.bat
Filesize
207B

MD5
00c6ad73c6cad65aab65bb3da964ab91

SHA1
36610448485ea8b848424178ab2aceb44dc91569

SHA256
95b089a4eaee57402217f25fc567e7d1d4b68f848fe2fc13536d9747aeded0a9

SHA512
31bfc8a2afd4d9f09d64474c4ced03a4b12a9251d9e63d832e38c11b098923a8afd14ca0a99608c8b35cbfc9ec1560f45b0caca6249df283673bce66138e3bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\viBVArvVg6YB.bat
Filesize
207B

MD5
c42d62084139ddbc7c0921c6dd8d51f5

SHA1
1902a0439bcc2666126533864afd6a1a4901aa7e

SHA256
7706242c8d477abf3a17188b517ad1441947a0716ebafa8ce49bf7ca31c76aca

SHA512
f6fb1d50b652a12bb186150fae44bd909f79c35f283cc5db20477c8e0fdddff822a94f15e297c266c54b8779e738276a13dbe13e879f2212a076185d4761bc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\xphbxUmlQWcy.bat
Filesize
207B

MD5
b93da8f7a877a0ada0265e76353be1be

SHA1
25a10635684cbf9b52012717a918727ca6200ccf

SHA256
7ffb6ed1a80135e5d5c43880f35216073249fb2bb03d7416123262d9735c6dfe

SHA512
1a22c0dd555ecd885812d76caa8299c40716ac2235d5b0e64f02ff2fc0d470e6e6f7cf89efeb70578f1215b188c311d28ae97ce4bd91401ca4b8261d4dab38b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zWFetlcT41sM.bat
Filesize
207B

MD5
4a0a0dca7440e32508f7073bc9bf30f3

SHA1
d70af4ff46ca538eba9f29a1002c78e4a14c8d7e

SHA256
c0033f9298c77b8699421ad9009199936c8b9260c0c6804303f74dfe4799e8fd

SHA512
34b7d8a1f4346d38ab45c10dfe49bf618e6c3eb2d5bfa75a7663fa24dbaa86b85bd13da6eec2ff1da094e7e0c3dadb215b98e28a3ea8bd22745f1fab1cafc312

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c8484891fe77be6d6e15c2ef6ca16db4

SHA1
19b8526887fa79c0e305b6e55d53d1a4f8aebf73

SHA256
b55c87141f047f26454b995c549f73e0ee35aebf70b19a9597ffb9035ad7e070

SHA512
4b3d709976cf3a427b7deffe710e956fb93b8ee1fdd95d9158f091db983a36fb55d8f884770dbbfc9335aee5612c2f46649c45d7ac7ecd8ae1100bc93ce073ca

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
16cc5f4611804972aaa7d95b2d8d1599

SHA1
72d0f4da0dba2bd658d24d331cb6cd49627fa8f8

SHA256
fbbbd86a41dfa34858eb3fbe1fcd3e6f1ffd834112145da774cd6e59fa3eea9c

SHA512
0e0080ae6b8b694ee7c0921074672c211b4db727461c9ee58d1b66f200aef002c9a1101fbe5740bce2908b9f70b8a9f130a77b165eef5ec4c3bd9417ad81bfbb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
aa2e1f83ac87597b9668aa7ed230e783

SHA1
c0060f11bd38418a2d04775add2674e10bc05485

SHA256
1f4e2bc9a42eae1889ac6a5413c5515b71813c2e1dae97b8c9eb89915b57fd93

SHA512
5478a1a574ceb9a1bb183c89bd6c2a0d3edea87ae7fcf5f01a7bc18015fc335e1bed36a5b2a00c71b0688ad33613c446ff2b8edfae028f6f8658e429b0976d74

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
2fb4c0b47a0cda04fec4f2a57941d6d8

SHA1
8786f954afb9b6ea2b563bb16e184adebb0dc01e

SHA256
d74c709955a7424e44fcb3cb4cafdeeda6e938b1a6f418d4dde6bd079c4192a9

SHA512
25eb9d12f58d35232c8663b506495e030656b184e1c5e46979617dd93f35fe336f8d08ed62939a63771d8b4498ef9512468b4904f14f921e5824205b758f4621

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
e2eeacd27d5e3099bbf3b8ef2eef6c8f

SHA1
e24229e12ced1d7b47df7ecfeacd76e6129ddc0f

SHA256
a00326c25eb9b11d52909b5cb1efccd94323db70dbb6aa7f893dd8a61ddd0f65

SHA512
0445a5bbac88c4f45790b9f522f650868decbb693a6293a311b8aa781e2ca975bf74a264d95b61a1da7d1186e8da61d9f8a76f204a00b0a1a7d62855164792bb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
23dd4e4c97f0eb00f229d299ea8b3802

SHA1
9ec94b9b42a4716582dbd8e70d050848181deb8f

SHA256
1ce49d815c9ae391e78d2e7221229d8afa4f13b8c811ca3d42690537f1d1fd3d

SHA512
6c12a8f114ace61b5e7e9bc9a318cbdc340741d6c6cc4cc366dafb3a84776600948b862393cfa71157c3157d2eb8d53459c92380b0e39005dcae2db8e50cb3ae

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
602888e48e429e971a235651604e6e99

SHA1
78944e2193f13191799014434286d30e70abe8ac

SHA256
03c421405fb6a79e38fe13af9d48caf220b88d4c6c0ab41eb2f8eec7f6e4692c

SHA512
e2854e9ef4dd7f639885e5ec0fe47b40cc25135323a404a69c01604ca4ce32cdd10b1ba6b9efec530602a194727c752915bad2e9c90ac150bd1c73c242e02f74

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
2faa6fd5e5a8bf299c3b8640991ffc67

SHA1
5c33ab3d2132dbccc17a8e827e33ed8f4360f987

SHA256
fa5074f3df2d47dffb101cdfa633951691e3382aea24cdd2d73601a225ecf8c0

SHA512
2ab8de1535a4be7275e77a9a2f025c99ea0ac80f2c2549a1c36409f3a127591e094a1d762fa7d36a47e83c5ff30521e737d020894b5999cbae42011e402ce02a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
45cd9c80cf0cd041077203aa25d80475

SHA1
2dfb03eec23ff0a61465ae9e50b8c77c8e453e63

SHA256
b35fcf25bb78f6fd3d2fdae7df34b6c9e9c8e4ac0b1d90d7877c15f746de19ac

SHA512
8bdedb5af1e8248360c7a3813e337a75edf7087505c7133d3249e8c306f4fddeb00dfc2956ad0d734da7929526aedb0bf2e3ccc7a68a225adc377e9976884b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
0afdc508b9791bc1d187477af81184ab

SHA1
de24cf6c6c8de831c18d885ee00b0b6652393935

SHA256
c7ec6b0bfb3a337680c5b20ecf55b3b688c5253342b53e4e8df9ba485a6f7cb7

SHA512
3314431bbe5dab80f4a2ffae9708db1db8000c9e1434bf32e35a40cf375dcb3f49ec61377b73c1c7af09bb8adf68ec49f7e8466267f054214670f15160f34a35

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
6d89c17f40578db57c5df2c0a11e1f79

SHA1
c1e60ab0ce9c1875fca119897811a99880b97943

SHA256
e10ccb32381e6c99870b5d14a9d5542f50880a1126202130cc93bbffc62cd6a2

SHA512
aeff78c0333446596b9eeecc7927196bfaa6fd31d94fb1656944223392b3cb6b9c11e4d760868d4667571466a5d6142086a42ca8257938422628fd2d3604e712

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
1780605460b0251930d2885609ad3587

SHA1
a47a1fd870e41e1b3670643288aba71e91c39e55

SHA256
b90da8948b306be890663f0dac8b5fecb3da9dc87c7c530275f90e604a624ea7

SHA512
745d75a7c5d815cde522e7a07ca8dcf7328559f19d1d8da7b1fcc88d274599e809e87d961bb99e216b7bf49f3e8fdf1e2eab3974191e230374a77d3d6e290b2a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
714bd245f9347dac4920ee2335dbfd7e

SHA1
45312b95fb260ce4cc0c9fbba1a16e08d06576bd

SHA256
c5b06265c58d8696dcea688aa5e33da50302b92d2cdcdadac86c0cea16435bb0

SHA512
02a065f51eb1d638111a162fdcc33bb4c117d3c0071d35a44ab6125535466d66f54f70aeded9dd4e42e37e2161f2ac1efbe6fd4bca6e141b5796859eb896accf

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/2240-15-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2240-24-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2240-17-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/2240-19-0x0000000006A70000-0x0000000006A7A000-memory.dmp

Filesize
40KB

Download
memory/5100-16-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5100-4-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5100-3-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/5100-5-0x0000000004F70000-0x0000000004FD6000-memory.dmp

Filesize
408KB

Download
memory/5100-2-0x0000000005390000-0x0000000005934000-memory.dmp

Filesize
5.6MB

Download
memory/5100-0-0x00000000751CE000-0x00000000751CF000-memory.dmp

Filesize
4KB

Download
memory/5100-6-0x0000000005D00000-0x0000000005D12000-memory.dmp

Filesize
72KB

Download
memory/5100-7-0x00000000751CE000-0x00000000751CF000-memory.dmp

Filesize
4KB

Download
memory/5100-1-0x0000000000340000-0x00000000003AC000-memory.dmp

Filesize
432KB

Download
memory/5100-8-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download