quasar | 59ea77def3bfcd5b9720dbd4f67ab6cd1063f675c2f98232a2d390364f20fff9

Analysis

max time kernel
1041s
max time network
1049s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

409KB
MD5

2ec276b90d08cd1839674b810a14d1a3
SHA1

81a073c818361afe557ce29d2784ef90308cadc3
SHA256

59ea77def3bfcd5b9720dbd4f67ab6cd1063f675c2f98232a2d390364f20fff9
SHA512

4d6dfb4670e842310a03a22d109a9fb36a3c5b36173d9666166c772113fe2dab3eaff4c936868a3eff5be8ae61c219e7fb31cc0c7d26888311091ac14874b7ae
SSDEEP

12288:UpsD64e1Mv3/m7bQoXFU7voBN/K/hn24i:ksG4kMazX0ofK6

Score

10^/10

quasar seroxen | v3.1.5 |spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

runderscore00-25501.portmap.host:25501

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes

encryption_key
4KS4bVha9aVJ69uULflW
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2984-1-0x0000000000E60000-0x0000000000ECC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe	family_quasar

Checks computer location settings 2 TTPs 50 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe

Executes dropped EXE 50 IoCs

Processes:

pid	process
5016	$sxr-powershell.exe
1328	$sxr-powershell.exe
3488	$sxr-powershell.exe
3024	$sxr-powershell.exe
1240	$sxr-powershell.exe
3288	$sxr-powershell.exe
4748	$sxr-powershell.exe
1808	$sxr-powershell.exe
4152	$sxr-powershell.exe
3932	$sxr-powershell.exe
3524	$sxr-powershell.exe
3316	$sxr-powershell.exe
1620	$sxr-powershell.exe
2488	$sxr-powershell.exe
864	$sxr-powershell.exe
4116	$sxr-powershell.exe
2256	$sxr-powershell.exe
3324	$sxr-powershell.exe
3812	$sxr-powershell.exe
4764	$sxr-powershell.exe
5012	$sxr-powershell.exe
3632	$sxr-powershell.exe
2996	$sxr-powershell.exe
3492	$sxr-powershell.exe
4952	$sxr-powershell.exe
1976	$sxr-powershell.exe
3940	$sxr-powershell.exe
4988	$sxr-powershell.exe
3632	$sxr-powershell.exe
1548	$sxr-powershell.exe
892	$sxr-powershell.exe
536	$sxr-powershell.exe
2488	$sxr-powershell.exe
4496	$sxr-powershell.exe
2396	$sxr-powershell.exe
1372	$sxr-powershell.exe
4056	$sxr-powershell.exe
464	$sxr-powershell.exe
2064	$sxr-powershell.exe
4316	$sxr-powershell.exe
2088	$sxr-powershell.exe
2456	$sxr-powershell.exe
4644	$sxr-powershell.exe
1744	$sxr-powershell.exe
3820	$sxr-powershell.exe
64	$sxr-powershell.exe
4940	$sxr-powershell.exe
1092	$sxr-powershell.exe
4120	$sxr-powershell.exe
1144	$sxr-powershell.exe

Looks up external IP address via web service 45 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
11	api.ipify.org
24	ip-api.com
34	ip-api.com
44	ip-api.com
47	ip-api.com
84	ip-api.com
94	ip-api.com
16	ip-api.com
32	ip-api.com
52	ip-api.com
62	ip-api.com
80	ip-api.com
18	ip-api.com
20	ip-api.com
76	ip-api.com
98	ip-api.com
66	ip-api.com
68	ip-api.com
78	ip-api.com
92	ip-api.com
100	ip-api.com
3	ip-api.com
39	ip-api.com
102	ip-api.com
104	ip-api.com
107	ip-api.com
26	ip-api.com
30	ip-api.com
42	ip-api.com
69	ip-api.com
74	ip-api.com
82	ip-api.com
96	ip-api.com
36	ip-api.com
50	ip-api.com
57	ip-api.com
64	ip-api.com
72	ip-api.com
88	ip-api.com
90	ip-api.com
22	ip-api.com
28	ip-api.com
54	ip-api.com
60	ip-api.com
86	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 50 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1432	5016	WerFault.exe	$sxr-powershell.exe
4808	1328	WerFault.exe	$sxr-powershell.exe
3064	3488	WerFault.exe	$sxr-powershell.exe
5048	3024	WerFault.exe	$sxr-powershell.exe
452	1240	WerFault.exe	$sxr-powershell.exe
5072	3288	WerFault.exe	$sxr-powershell.exe
3032	4748	WerFault.exe	$sxr-powershell.exe
3164	1808	WerFault.exe	$sxr-powershell.exe
5024	4152	WerFault.exe	$sxr-powershell.exe
1368	3932	WerFault.exe	$sxr-powershell.exe
3608	3524	WerFault.exe	$sxr-powershell.exe
4428	3316	WerFault.exe	$sxr-powershell.exe
2616	1620	WerFault.exe	$sxr-powershell.exe
3692	2488	WerFault.exe	$sxr-powershell.exe
1416	864	WerFault.exe	$sxr-powershell.exe
1680	4116	WerFault.exe	$sxr-powershell.exe
4124	2256	WerFault.exe	$sxr-powershell.exe
2248	3324	WerFault.exe	$sxr-powershell.exe
4600	3812	WerFault.exe	$sxr-powershell.exe
1068	4764	WerFault.exe	$sxr-powershell.exe
4680	5012	WerFault.exe	$sxr-powershell.exe
2388	3632	WerFault.exe	$sxr-powershell.exe
3668	2996	WerFault.exe	$sxr-powershell.exe
636	3492	WerFault.exe	$sxr-powershell.exe
1980	4952	WerFault.exe	$sxr-powershell.exe
2540	1976	WerFault.exe	$sxr-powershell.exe
528	3940	WerFault.exe	$sxr-powershell.exe
412	4988	WerFault.exe	$sxr-powershell.exe
3252	3632	WerFault.exe	$sxr-powershell.exe
4112	1548	WerFault.exe	$sxr-powershell.exe
3624	892	WerFault.exe	$sxr-powershell.exe
3500	536	WerFault.exe	$sxr-powershell.exe
4804	2488	WerFault.exe	$sxr-powershell.exe
644	4496	WerFault.exe	$sxr-powershell.exe
3616	2396	WerFault.exe	$sxr-powershell.exe
912	1372	WerFault.exe	$sxr-powershell.exe
432	4056	WerFault.exe	$sxr-powershell.exe
1388	464	WerFault.exe	$sxr-powershell.exe
4836	2064	WerFault.exe	$sxr-powershell.exe
540	4316	WerFault.exe	$sxr-powershell.exe
2516	2088	WerFault.exe	$sxr-powershell.exe
5012	2456	WerFault.exe	$sxr-powershell.exe
1304	4644	WerFault.exe	$sxr-powershell.exe
4112	1744	WerFault.exe	$sxr-powershell.exe
4448	3820	WerFault.exe	$sxr-powershell.exe
4620	64	WerFault.exe	$sxr-powershell.exe
4024	4940	WerFault.exe	$sxr-powershell.exe
4588	1092	WerFault.exe	$sxr-powershell.exe
4028	4120	WerFault.exe	$sxr-powershell.exe
3288	1144	WerFault.exe	$sxr-powershell.exe

Creates scheduled task(s) 1 TTPs 52 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5048	schtasks.exe
3952	schtasks.exe
5020	schtasks.exe
4444	schtasks.exe
960	schtasks.exe
1680	schtasks.exe
4332	schtasks.exe
3756	schtasks.exe
612	schtasks.exe
3076	schtasks.exe
2512	schtasks.exe
1392	schtasks.exe
3496	schtasks.exe
2428	SCHTASKS.exe
1740	schtasks.exe
2080	schtasks.exe
4276	schtasks.exe
776	schtasks.exe
884	schtasks.exe
336	schtasks.exe
4420	schtasks.exe
4804	schtasks.exe
4960	schtasks.exe
4812	schtasks.exe
1736	schtasks.exe
4520	schtasks.exe
3260	schtasks.exe
4448	schtasks.exe
4616	schtasks.exe
4536	schtasks.exe
2504	schtasks.exe
1532	schtasks.exe
960	schtasks.exe
4124	schtasks.exe
856	schtasks.exe
396	schtasks.exe
4420	schtasks.exe
3940	schtasks.exe
1760	schtasks.exe
1388	schtasks.exe
3900	schtasks.exe
2092	schtasks.exe
180	schtasks.exe
4112	schtasks.exe
232	schtasks.exe
2428	schtasks.exe
1928	schtasks.exe
3992	schtasks.exe
2080	schtasks.exe
4804	schtasks.exe
3744	schtasks.exe
5032	schtasks.exe

Runs ping.exe 1 TTPs 50 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4152	PING.EXE
4088	PING.EXE
4488	PING.EXE
2516	PING.EXE
4220	PING.EXE
4288	PING.EXE
1696	PING.EXE
768	PING.EXE
5112	PING.EXE
3316	PING.EXE
512	PING.EXE
4156	PING.EXE
2528	PING.EXE
4084	PING.EXE
3668	PING.EXE
2016	PING.EXE
3496	PING.EXE
4916	PING.EXE
988	PING.EXE
2516	PING.EXE
1872	PING.EXE
440	PING.EXE
4404	PING.EXE
316	PING.EXE
1628	PING.EXE
1064	PING.EXE
2948	PING.EXE
3684	PING.EXE
1532	PING.EXE
1884	PING.EXE
1052	PING.EXE
4784	PING.EXE
2324	PING.EXE
2336	PING.EXE
2440	PING.EXE
3068	PING.EXE
1368	PING.EXE
4028	PING.EXE
4948	PING.EXE
4292	PING.EXE
1272	PING.EXE
2020	PING.EXE
3536	PING.EXE
1524	PING.EXE
1504	PING.EXE
2512	PING.EXE
3916	PING.EXE
884	PING.EXE
2560	PING.EXE
3328	PING.EXE

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

svchost.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe

description	pid	process
Token: SeDebugPrivilege	2984	svchost.exe
Token: SeDebugPrivilege	5016	$sxr-powershell.exe
Token: SeDebugPrivilege	1328	$sxr-powershell.exe
Token: SeDebugPrivilege	3488	$sxr-powershell.exe
Token: SeDebugPrivilege	3024	$sxr-powershell.exe
Token: SeDebugPrivilege	1240	$sxr-powershell.exe
Token: SeDebugPrivilege	3288	$sxr-powershell.exe
Token: SeDebugPrivilege	4748	$sxr-powershell.exe
Token: SeDebugPrivilege	1808	$sxr-powershell.exe
Token: SeDebugPrivilege	4152	$sxr-powershell.exe
Token: SeDebugPrivilege	3932	$sxr-powershell.exe
Token: SeDebugPrivilege	3524	$sxr-powershell.exe
Token: SeDebugPrivilege	3316	$sxr-powershell.exe
Token: SeDebugPrivilege	1620	$sxr-powershell.exe
Token: SeDebugPrivilege	2488	$sxr-powershell.exe
Token: SeDebugPrivilege	864	$sxr-powershell.exe
Token: SeDebugPrivilege	4116	$sxr-powershell.exe
Token: SeDebugPrivilege	2256	$sxr-powershell.exe
Token: SeDebugPrivilege	3324	$sxr-powershell.exe
Token: SeDebugPrivilege	3812	$sxr-powershell.exe
Token: SeDebugPrivilege	4764	$sxr-powershell.exe
Token: SeDebugPrivilege	5012	$sxr-powershell.exe
Token: SeDebugPrivilege	3632	$sxr-powershell.exe
Token: SeDebugPrivilege	2996	$sxr-powershell.exe
Token: SeDebugPrivilege	3492	$sxr-powershell.exe
Token: SeDebugPrivilege	4952	$sxr-powershell.exe
Token: SeDebugPrivilege	1976	$sxr-powershell.exe
Token: SeDebugPrivilege	3940	$sxr-powershell.exe
Token: SeDebugPrivilege	4988	$sxr-powershell.exe
Token: SeDebugPrivilege	3632	$sxr-powershell.exe
Token: SeDebugPrivilege	1548	$sxr-powershell.exe
Token: SeDebugPrivilege	892	$sxr-powershell.exe
Token: SeDebugPrivilege	536	$sxr-powershell.exe
Token: SeDebugPrivilege	2488	$sxr-powershell.exe
Token: SeDebugPrivilege	4496	$sxr-powershell.exe
Token: SeDebugPrivilege	2396	$sxr-powershell.exe
Token: SeDebugPrivilege	1372	$sxr-powershell.exe
Token: SeDebugPrivilege	4056	$sxr-powershell.exe
Token: SeDebugPrivilege	464	$sxr-powershell.exe
Token: SeDebugPrivilege	2064	$sxr-powershell.exe
Token: SeDebugPrivilege	4316	$sxr-powershell.exe
Token: SeDebugPrivilege	2088	$sxr-powershell.exe
Token: SeDebugPrivilege	2456	$sxr-powershell.exe
Token: SeDebugPrivilege	4644	$sxr-powershell.exe
Token: SeDebugPrivilege	1744	$sxr-powershell.exe
Token: SeDebugPrivilege	3820	$sxr-powershell.exe
Token: SeDebugPrivilege	64	$sxr-powershell.exe
Token: SeDebugPrivilege	4940	$sxr-powershell.exe
Token: SeDebugPrivilege	1092	$sxr-powershell.exe
Token: SeDebugPrivilege	4120	$sxr-powershell.exe
Token: SeDebugPrivilege	1144	$sxr-powershell.exe

Suspicious use of SetWindowsHookEx 50 IoCs

Processes:

pid	process
5016	$sxr-powershell.exe
1328	$sxr-powershell.exe
3488	$sxr-powershell.exe
3024	$sxr-powershell.exe
1240	$sxr-powershell.exe
3288	$sxr-powershell.exe
4748	$sxr-powershell.exe
1808	$sxr-powershell.exe
4152	$sxr-powershell.exe
3932	$sxr-powershell.exe
3524	$sxr-powershell.exe
3316	$sxr-powershell.exe
1620	$sxr-powershell.exe
2488	$sxr-powershell.exe
864	$sxr-powershell.exe
4116	$sxr-powershell.exe
2256	$sxr-powershell.exe
3324	$sxr-powershell.exe
3812	$sxr-powershell.exe
4764	$sxr-powershell.exe
5012	$sxr-powershell.exe
3632	$sxr-powershell.exe
2996	$sxr-powershell.exe
3492	$sxr-powershell.exe
4952	$sxr-powershell.exe
1976	$sxr-powershell.exe
3940	$sxr-powershell.exe
4988	$sxr-powershell.exe
3632	$sxr-powershell.exe
1548	$sxr-powershell.exe
892	$sxr-powershell.exe
536	$sxr-powershell.exe
2488	$sxr-powershell.exe
4496	$sxr-powershell.exe
2396	$sxr-powershell.exe
1372	$sxr-powershell.exe
4056	$sxr-powershell.exe
464	$sxr-powershell.exe
2064	$sxr-powershell.exe
4316	$sxr-powershell.exe
2088	$sxr-powershell.exe
2456	$sxr-powershell.exe
4644	$sxr-powershell.exe
1744	$sxr-powershell.exe
3820	$sxr-powershell.exe
64	$sxr-powershell.exe
4940	$sxr-powershell.exe
1092	$sxr-powershell.exe
4120	$sxr-powershell.exe
1144	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost.exe$sxr-powershell.execmd.exe$sxr-powershell.execmd.exe$sxr-powershell.execmd.exe$sxr-powershell.execmd.exe

description	pid	process	target process
PID 2984 wrote to memory of 1680	2984	svchost.exe	schtasks.exe
PID 2984 wrote to memory of 1680	2984	svchost.exe	schtasks.exe
PID 2984 wrote to memory of 1680	2984	svchost.exe	schtasks.exe
PID 2984 wrote to memory of 5016	2984	svchost.exe	$sxr-powershell.exe
PID 2984 wrote to memory of 5016	2984	svchost.exe	$sxr-powershell.exe
PID 2984 wrote to memory of 5016	2984	svchost.exe	$sxr-powershell.exe
PID 2984 wrote to memory of 2428	2984	svchost.exe	SCHTASKS.exe
PID 2984 wrote to memory of 2428	2984	svchost.exe	SCHTASKS.exe
PID 2984 wrote to memory of 2428	2984	svchost.exe	SCHTASKS.exe
PID 5016 wrote to memory of 1740	5016	$sxr-powershell.exe	schtasks.exe
PID 5016 wrote to memory of 1740	5016	$sxr-powershell.exe	schtasks.exe
PID 5016 wrote to memory of 1740	5016	$sxr-powershell.exe	schtasks.exe
PID 5016 wrote to memory of 3328	5016	$sxr-powershell.exe	cmd.exe
PID 5016 wrote to memory of 3328	5016	$sxr-powershell.exe	cmd.exe
PID 5016 wrote to memory of 3328	5016	$sxr-powershell.exe	cmd.exe
PID 3328 wrote to memory of 648	3328	cmd.exe	chcp.com
PID 3328 wrote to memory of 648	3328	cmd.exe	chcp.com
PID 3328 wrote to memory of 648	3328	cmd.exe	chcp.com
PID 3328 wrote to memory of 1884	3328	cmd.exe	PING.EXE
PID 3328 wrote to memory of 1884	3328	cmd.exe	PING.EXE
PID 3328 wrote to memory of 1884	3328	cmd.exe	PING.EXE
PID 3328 wrote to memory of 1328	3328	cmd.exe	$sxr-powershell.exe
PID 3328 wrote to memory of 1328	3328	cmd.exe	$sxr-powershell.exe
PID 3328 wrote to memory of 1328	3328	cmd.exe	$sxr-powershell.exe
PID 1328 wrote to memory of 396	1328	$sxr-powershell.exe	schtasks.exe
PID 1328 wrote to memory of 396	1328	$sxr-powershell.exe	schtasks.exe
PID 1328 wrote to memory of 396	1328	$sxr-powershell.exe	schtasks.exe
PID 1328 wrote to memory of 3588	1328	$sxr-powershell.exe	cmd.exe
PID 1328 wrote to memory of 3588	1328	$sxr-powershell.exe	cmd.exe
PID 1328 wrote to memory of 3588	1328	$sxr-powershell.exe	cmd.exe
PID 3588 wrote to memory of 1104	3588	cmd.exe	chcp.com
PID 3588 wrote to memory of 1104	3588	cmd.exe	chcp.com
PID 3588 wrote to memory of 1104	3588	cmd.exe	chcp.com
PID 3588 wrote to memory of 2324	3588	cmd.exe	PING.EXE
PID 3588 wrote to memory of 2324	3588	cmd.exe	PING.EXE
PID 3588 wrote to memory of 2324	3588	cmd.exe	PING.EXE
PID 3588 wrote to memory of 3488	3588	cmd.exe	$sxr-powershell.exe
PID 3588 wrote to memory of 3488	3588	cmd.exe	$sxr-powershell.exe
PID 3588 wrote to memory of 3488	3588	cmd.exe	$sxr-powershell.exe
PID 3488 wrote to memory of 4420	3488	$sxr-powershell.exe	schtasks.exe
PID 3488 wrote to memory of 4420	3488	$sxr-powershell.exe	schtasks.exe
PID 3488 wrote to memory of 4420	3488	$sxr-powershell.exe	schtasks.exe
PID 3488 wrote to memory of 976	3488	$sxr-powershell.exe	cmd.exe
PID 3488 wrote to memory of 976	3488	$sxr-powershell.exe	cmd.exe
PID 3488 wrote to memory of 976	3488	$sxr-powershell.exe	cmd.exe
PID 976 wrote to memory of 1804	976	cmd.exe	chcp.com
PID 976 wrote to memory of 1804	976	cmd.exe	chcp.com
PID 976 wrote to memory of 1804	976	cmd.exe	chcp.com
PID 976 wrote to memory of 3496	976	cmd.exe	PING.EXE
PID 976 wrote to memory of 3496	976	cmd.exe	PING.EXE
PID 976 wrote to memory of 3496	976	cmd.exe	PING.EXE
PID 976 wrote to memory of 3024	976	cmd.exe	$sxr-powershell.exe
PID 976 wrote to memory of 3024	976	cmd.exe	$sxr-powershell.exe
PID 976 wrote to memory of 3024	976	cmd.exe	$sxr-powershell.exe
PID 3024 wrote to memory of 4804	3024	$sxr-powershell.exe	schtasks.exe
PID 3024 wrote to memory of 4804	3024	$sxr-powershell.exe	schtasks.exe
PID 3024 wrote to memory of 4804	3024	$sxr-powershell.exe	schtasks.exe
PID 3024 wrote to memory of 3692	3024	$sxr-powershell.exe	cmd.exe
PID 3024 wrote to memory of 3692	3024	$sxr-powershell.exe	cmd.exe
PID 3024 wrote to memory of 3692	3024	$sxr-powershell.exe	cmd.exe
PID 3692 wrote to memory of 2544	3692	cmd.exe	chcp.com
PID 3692 wrote to memory of 2544	3692	cmd.exe	chcp.com
PID 3692 wrote to memory of 2544	3692	cmd.exe	chcp.com
PID 3692 wrote to memory of 4088	3692	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1680

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uad3ZQ3qhLmG.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3328

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:648

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1884

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSCTNcUDDQlr.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1104

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2324

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mceMrvClL4mK.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1804

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3496

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nJsXgvr2BH4X.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2544

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4088

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1240

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LXspIcTfxyDP.bat" "
11⤵
PID:4988

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2844

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2512

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3288

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YlvsULaXbyrz.bat" "
13⤵
PID:2976

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:3260

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1272

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y9O3aMvjVI0L.bat" "
15⤵
PID:536

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:2460

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1052

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lE1etLRwOWxC.bat" "
17⤵
PID:4444

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4944

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4156

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TE7zWOR5L2XZ.bat" "
19⤵
PID:4640

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2844

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:5112

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3932

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucZAbPmGFMgw.bat" "
21⤵
PID:3992

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:848

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4028

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3524

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TXnd263AsG70.bat" "
23⤵
PID:1948

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2788

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3328

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcREL6ZNlU4r.bat" "
25⤵
PID:4544

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:4728

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4220

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WPNcCDd6WLHv.bat" "
27⤵
PID:4256

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3344

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2336

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wnpnIEyHQfQH.bat" "
29⤵
PID:3876

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1760

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4288

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oORw9AGtWfxw.bat" "
31⤵
PID:3276

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:4644

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2528

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w6WRnwaNxt1i.bat" "
33⤵
PID:4888

C:\Windows\SysWOW64\chcp.com
chcp 65001
34⤵
PID:4292

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:2948

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEts0ZohlTp6.bat" "
35⤵
PID:900

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:1884

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:2440

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3324

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
37⤵
- Creates scheduled task(s)
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iFnxRMy9En6N.bat" "
37⤵
PID:5016

C:\Windows\SysWOW64\chcp.com
chcp 65001
38⤵
PID:1912

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:3068

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3812

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uygBssTwBpr3.bat" "
39⤵
PID:3344

C:\Windows\SysWOW64\chcp.com
chcp 65001
40⤵
PID:1980

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:2020

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pr6uWpaWIvbD.bat" "
41⤵
PID:4612

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:856

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:2516

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
43⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKNOlA83RfpC.bat" "
43⤵
PID:4348

C:\Windows\SysWOW64\chcp.com
chcp 65001
44⤵
PID:4004

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:884

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISi4Nmr8Ov8s.bat" "
45⤵
PID:3004

C:\Windows\SysWOW64\chcp.com
chcp 65001
46⤵
PID:4552

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:1368

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkVcThJlSoS2.bat" "
47⤵
PID:1764

C:\Windows\SysWOW64\chcp.com
chcp 65001
48⤵
PID:1276

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:3916

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3492

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
49⤵
- Creates scheduled task(s)
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKI2XtR420Hn.bat" "
49⤵
PID:1388

C:\Windows\SysWOW64\chcp.com
chcp 65001
50⤵
PID:1600

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:3316

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4952

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xNGaEM6knPlB.bat" "
51⤵
PID:4420

C:\Windows\SysWOW64\chcp.com
chcp 65001
52⤵
PID:3476

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:4948

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOAff9HCGk2S.bat" "
53⤵
PID:1756

C:\Windows\SysWOW64\chcp.com
chcp 65001
54⤵
PID:3424

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:1696

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
55⤵
- Creates scheduled task(s)
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4GeHBDqzxIbz.bat" "
55⤵
PID:3484

C:\Windows\SysWOW64\chcp.com
chcp 65001
56⤵
PID:2568

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:4916

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
57⤵
- Creates scheduled task(s)
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ue7SHEBBrclM.bat" "
57⤵
PID:1516

C:\Windows\SysWOW64\chcp.com
chcp 65001
58⤵
PID:2388

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:4488

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
58⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
59⤵
- Creates scheduled task(s)
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgoHUlVxqljX.bat" "
59⤵
PID:1112

C:\Windows\SysWOW64\chcp.com
chcp 65001
60⤵
PID:4464

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
60⤵
- Runs ping.exe
PID:988

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
60⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
61⤵
- Creates scheduled task(s)
PID:4124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tt3bujSVyxgD.bat" "
61⤵
PID:4256

C:\Windows\SysWOW64\chcp.com
chcp 65001
62⤵
PID:1036

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
62⤵
- Runs ping.exe
PID:1872

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
62⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
63⤵
- Creates scheduled task(s)
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X2Flu7p9IKCV.bat" "
63⤵
PID:3964

C:\Windows\SysWOW64\chcp.com
chcp 65001
64⤵
PID:1004

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
64⤵
- Runs ping.exe
PID:768

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
64⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:536

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
65⤵
- Creates scheduled task(s)
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1RVgmrLeiS2l.bat" "
65⤵
PID:1560

C:\Windows\SysWOW64\chcp.com
chcp 65001
66⤵
PID:2340

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
66⤵
- Runs ping.exe
PID:3536

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
66⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
67⤵
- Creates scheduled task(s)
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Oo9748WW6yVD.bat" "
67⤵
PID:3712

C:\Windows\SysWOW64\chcp.com
chcp 65001
68⤵
PID:3520

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
68⤵
- Runs ping.exe
PID:1524

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
68⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
69⤵
- Creates scheduled task(s)
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GPlGw4n8Cy1s.bat" "
69⤵
PID:3976

C:\Windows\SysWOW64\chcp.com
chcp 65001
70⤵
PID:2600

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
70⤵
- Runs ping.exe
PID:4084

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
70⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
71⤵
- Creates scheduled task(s)
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hnDR158J6IBE.bat" "
71⤵
PID:624

C:\Windows\SysWOW64\chcp.com
chcp 65001
72⤵
PID:2892

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
72⤵
- Runs ping.exe
PID:1504

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
72⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
73⤵
- Creates scheduled task(s)
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUUDs7JT1iY6.bat" "
73⤵
PID:1984

C:\Windows\SysWOW64\chcp.com
chcp 65001
74⤵
PID:4044

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
74⤵
- Runs ping.exe
PID:3668

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
74⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
75⤵
- Creates scheduled task(s)
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RzQkkxhXHHFZ.bat" "
75⤵
PID:2320

C:\Windows\SysWOW64\chcp.com
chcp 65001
76⤵
PID:4428

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
76⤵
- Runs ping.exe
PID:440

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
76⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:464

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
77⤵
- Creates scheduled task(s)
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VghVczshDhbQ.bat" "
77⤵
PID:3584

C:\Windows\SysWOW64\chcp.com
chcp 65001
78⤵
PID:1912

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
78⤵
- Runs ping.exe
PID:4404

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
78⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
79⤵
- Creates scheduled task(s)
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PDMsNTyrOcAQ.bat" "
79⤵
PID:5092

C:\Windows\SysWOW64\chcp.com
chcp 65001
80⤵
PID:3724

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
80⤵
- Runs ping.exe
PID:3684

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
80⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4316

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
81⤵
- Creates scheduled task(s)
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qbp3TTJ3IwJm.bat" "
81⤵
PID:2540

C:\Windows\SysWOW64\chcp.com
chcp 65001
82⤵
PID:2488

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
82⤵
- Runs ping.exe
PID:4784

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
82⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
83⤵
- Creates scheduled task(s)
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HRCdgpribDcY.bat" "
83⤵
PID:5052

C:\Windows\SysWOW64\chcp.com
chcp 65001
84⤵
PID:4172

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
84⤵
- Runs ping.exe
PID:512

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
84⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
85⤵
- Creates scheduled task(s)
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mLcMKnzIiJMj.bat" "
85⤵
PID:2768

C:\Windows\SysWOW64\chcp.com
chcp 65001
86⤵
PID:2904

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
86⤵
- Runs ping.exe
PID:1532

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
86⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4644

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
87⤵
- Creates scheduled task(s)
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vnc76BCu3m4W.bat" "
87⤵
PID:4936

C:\Windows\SysWOW64\chcp.com
chcp 65001
88⤵
PID:2948

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
88⤵
- Runs ping.exe
PID:2016

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
88⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
89⤵
- Creates scheduled task(s)
PID:180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoVCWyMMW7Ln.bat" "
89⤵
PID:5064

C:\Windows\SysWOW64\chcp.com
chcp 65001
90⤵
PID:704

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
90⤵
- Runs ping.exe
PID:316

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
90⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
91⤵
- Creates scheduled task(s)
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y77VPdyJ6oMr.bat" "
91⤵
PID:3032

C:\Windows\SysWOW64\chcp.com
chcp 65001
92⤵
PID:3208

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
92⤵
- Runs ping.exe
PID:1628

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
92⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:64

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
93⤵
- Creates scheduled task(s)
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SDrS2mrztlmR.bat" "
93⤵
PID:4544

C:\Windows\SysWOW64\chcp.com
chcp 65001
94⤵
PID:1112

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
94⤵
- Runs ping.exe
PID:4152

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
94⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
95⤵
- Creates scheduled task(s)
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoTbui9bylJ6.bat" "
95⤵
PID:3520

C:\Windows\SysWOW64\chcp.com
chcp 65001
96⤵
PID:2488

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
96⤵
- Runs ping.exe
PID:1064

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
96⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
97⤵
- Creates scheduled task(s)
PID:2080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oDjWmTe7Ot9M.bat" "
97⤵
PID:4156

C:\Windows\SysWOW64\chcp.com
chcp 65001
98⤵
PID:2844

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
98⤵
- Runs ping.exe
PID:2516

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
98⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
99⤵
- Creates scheduled task(s)
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anUModFVtsvS.bat" "
99⤵
PID:3236

C:\Windows\SysWOW64\chcp.com
chcp 65001
100⤵
PID:3912

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
100⤵
- Runs ping.exe
PID:4292

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
100⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
101⤵
- Creates scheduled task(s)
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VPtESJhRUf91.bat" "
101⤵
PID:1260

C:\Windows\SysWOW64\chcp.com
chcp 65001
102⤵
PID:3632

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
102⤵
- Runs ping.exe
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 2248
101⤵
- Program crash
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 2172
99⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1672
97⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 2232
95⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 2248
93⤵
- Program crash
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1080
91⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 2232
89⤵
- Program crash
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1668
87⤵
- Program crash
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 2224
85⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1092
83⤵
- Program crash
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1092
81⤵
- Program crash
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1096
79⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1092
77⤵
- Program crash
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1516
75⤵
- Program crash
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 2248
73⤵
- Program crash
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1688
71⤵
- Program crash
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1092
69⤵
- Program crash
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1092
67⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 2236
65⤵
- Program crash
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 1708
63⤵
- Program crash
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 2248
61⤵
- Program crash
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 2224
59⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 2232
57⤵
- Program crash
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1092
55⤵
- Program crash
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 1708
53⤵
- Program crash
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2176
51⤵
- Program crash
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 2224
49⤵
- Program crash
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1092
47⤵
- Program crash
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1092
45⤵
- Program crash
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1652
43⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1092
41⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 2224
39⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1672
37⤵
- Program crash
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1704
35⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 2236
33⤵
- Program crash
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 1668
31⤵
- Program crash
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1092
29⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 2248
27⤵
- Program crash
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 1092
25⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1692
23⤵
- Program crash
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1724
21⤵
- Program crash
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 2248
19⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1712
17⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1092
15⤵
- Program crash
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 2224
13⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 1628
11⤵
- Program crash
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1660
9⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1604
7⤵
- Program crash
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 2108
5⤵
- Program crash
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1920
3⤵
- Program crash
PID:1432

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77svchost.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1328 -ip 1328
1⤵
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3488 -ip 3488
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3024 -ip 3024
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1240 -ip 1240
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3288 -ip 3288
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4748 -ip 4748
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1808 -ip 1808
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4152 -ip 4152
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3932 -ip 3932
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3524 -ip 3524
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3316 -ip 3316
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1620 -ip 1620
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2488 -ip 2488
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 864 -ip 864
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4116 -ip 4116
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2256 -ip 2256
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3324 -ip 3324
1⤵
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3812 -ip 3812
1⤵
PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4764 -ip 4764
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5012 -ip 5012
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3632 -ip 3632
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2996 -ip 2996
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3492 -ip 3492
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4952 -ip 4952
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1976 -ip 1976
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3940 -ip 3940
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4988 -ip 4988
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3632 -ip 3632
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1548 -ip 1548
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 892 -ip 892
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 536 -ip 536
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2488 -ip 2488
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4496 -ip 4496
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2396 -ip 2396
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1372 -ip 1372
1⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4056 -ip 4056
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 464 -ip 464
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2064 -ip 2064
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4316 -ip 4316
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2088 -ip 2088
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2456 -ip 2456
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4644 -ip 4644
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1744 -ip 1744
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3820 -ip 3820
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 64 -ip 64
1⤵
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4940 -ip 4940
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1092 -ip 1092
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4120 -ip 4120
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1144 -ip 1144
1⤵
PID:3692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GcREL6ZNlU4r.bat
Filesize
223B

MD5
1407815942aae1004b08ab82c431957a

SHA1
0d36c59d856efd352a5582b25d7b6c306e7a0b6f

SHA256
ae42810534d58f5a29b1fba301df844ae7066b1f730ba5a15c2d75b69bfddaa7

SHA512
41e74eb6f9a4426504a4c5448ce1ef42b3df3e259c9796af4dce817596acb0b1365a61614b23a112fe07359871bd9ca0025d2458b3ae8d6000854c0a7a9b1709

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXspIcTfxyDP.bat
Filesize
223B

MD5
0df9223a8d0d2ec615a40da6acb10ed1

SHA1
692fa9b8600f044b0d8cbf13b68dd9b2a9eb683b

SHA256
5dc3878b88531ac265462399d7147a9faf197ad206dc8f263b3128c97fa2d9a5

SHA512
117516945512b35a5a2f8386a4ace44a74e406affaf3890e388e93934a7ce9f1dbf824a7233756e4d4f033b85dbe4cdcf1d4c8cdfb07ea593cc9ba505117ee8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pr6uWpaWIvbD.bat
Filesize
223B

MD5
a514cbd7aee873ab121846a8d2586005

SHA1
0444a1fc0b1c77ca6f605537f39edf11066c2193

SHA256
bd00e9ca3e94dc4d3519f36f03bc65674cb7fa784e7181d66648e70c4d7496cf

SHA512
90110875c1f338f942de947902e9768bc7297880a6a3c75dd5642d988b3c45706da1934ac3055608c8363241c7bcafa427a7d9cee880f0edc6ff536b24bdda4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TE7zWOR5L2XZ.bat
Filesize
223B

MD5
10221760a0c0980230609f37b3cc3ee9

SHA1
c2ab0d8df4ff033da7813d1416dba44710302399

SHA256
9e356610b07a46c4771ab805e8c10a60cade6bd91ea09e980a474c7b52a0c3a1

SHA512
d345b34e0ab6d448178322f87619b0a80bed8c4894c336fdf791156f96a5ac92519cd8f9de62a44e5d98895ba6237c53d509bb2aef1d0bfdcde81f8226d2672b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TXnd263AsG70.bat
Filesize
223B

MD5
55367e300c7208fe4d8e78896113bb24

SHA1
d16c6ba53a2ca22387ccf1c5c5dfd3b061d9dde4

SHA256
c45c47a90aa2754e88e571c735de3aa817641e7d750f807f5caed28e9632c809

SHA512
d164b9e140c8286a6a08ae4d348d2695629e98d73f21cb6b516fbd829cc2ff4bb419c54c21efec39b204c2a8a68218250a0feb3a4fdbcfaf9ada6ce33c02247a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uad3ZQ3qhLmG.bat
Filesize
223B

MD5
ad6b53b5ac87fcec144129b1e248f749

SHA1
0262281c617f4fa7e65d8705f84ece2e336aa354

SHA256
1447b5f50fe7c75a6313c65476d2789d3ce019ceb6ba79fef2bd4db0040e6275

SHA512
0ab9daa4c769c41136d93e4bbd176c4d70a3ff6f4239d95df3f39f635d1a399b44da15126fb04d2684b42f5b0533053b42116ac7abc67fe8e5e6c1416805d95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPNcCDd6WLHv.bat
Filesize
223B

MD5
0f1441dbd0f3aa64ffe2846282ccdaab

SHA1
eb56ccaa558c93bb60d4a27f8e5850540a316ac8

SHA256
131a565dc5d25ec93cb2560fd845be2537eb566062a23ac886990f32666b13ff

SHA512
b75624e4ba97d6edb6dc5e08e00887eca3044311ba2bf122d929e2f26848fa9fd1639e3fc078d2766739a482ded15a6df5fe76ac1a49978e4a9e2f5698688396

Download Submit
C:\Users\Admin\AppData\Local\Temp\YlvsULaXbyrz.bat
Filesize
223B

MD5
b59409c96201938291c66991a387d0c4

SHA1
417516519c4cdae24309c871d7464819ef5d259f

SHA256
64f167e8123cd9696b81aad1a31a91fb44e0424a22ca99d9140e4cf9ef0615fb

SHA512
6dd1133e0872897ef3ee6dea0e706d3843f0fbc93416cfb7c1cfb48b4fb158861577c8ad681eaf6fa4a4db06dddc78c560b64ef0f3cae58825fb59d1dd440d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\iFnxRMy9En6N.bat
Filesize
223B

MD5
6f000a79aa409d6eb3b50bf27c013604

SHA1
e68428fd61901873abaaf983239decb028014ea7

SHA256
1d65062f0f99ab90de7f86402b6836058ffe912eff9eb795797afd30cd940641

SHA512
4caef4da982b751e95b276fae44e90d49c1bca6657e2e120bd9b9f67beed96cfefdc8f3ac62d256ea5d4273379b4789bd49eebc3ad7aa26f6f9c9642137f14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE1etLRwOWxC.bat
Filesize
223B

MD5
b1762ef5fb21450c22ab7dc1c0b98660

SHA1
88a094a3b47a34d3627c41b8789c489f36b9d8f0

SHA256
fe7012498b9584d46ea75e4182ec9d617e0624229b2ea27d243630245176e3cf

SHA512
017c6538d3352e5012927a37287cf4695eed1894939d3da535026e4e1baa94823c920819495647fca1fb1722a9ec7e39b53e9697444960b999ddc7de5ca47264

Download Submit
C:\Users\Admin\AppData\Local\Temp\mceMrvClL4mK.bat
Filesize
223B

MD5
72fc9e433992ce885ce538dd897a86a9

SHA1
24120502c3167f88fd3a4273bb9baac26d10fb61

SHA256
4c22e92913c7d28cb34fe19dabba8e774f570825c5944a25e3d98d797b019d92

SHA512
3ecca3e6b3a858b5288f8d6655cd3c51c524518c6cbb744fd78189dc50b17dfa014856c82bc974a1b96665fa27efb61afe4d37e46654a119a5c2dc5d2af758b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJsXgvr2BH4X.bat
Filesize
223B

MD5
b769a71696c2425f6f64e2b13088885c

SHA1
9ed881b4beb976a55cf6f2bf1c360e14b2a12272

SHA256
815a29f7fec8530fe3f6cf78f3981edc36ce815dcc4ada9dbf9fb179cedd3f9c

SHA512
1eef26fa17eb030f53c48019ea25e3dcdd2fc58c692f514f3485a258deb7898922283fa4f406aca631c0f21085752ec15fa4348e8bf667e53a33a0e678031748

Download Submit
C:\Users\Admin\AppData\Local\Temp\oORw9AGtWfxw.bat
Filesize
223B

MD5
8c8402c3fd70cb84edc69c28413f4827

SHA1
112cbf7f55bb3348a4c2d7194b710bc704fab4c3

SHA256
c6f61510293ae52803038b91d6b4207f53bddef290c7fa48278bec066fcecea1

SHA512
421d28dff0d1941529f2cd5acf59a68eec08989256f43d8e2c6dbf7cbbd05e5d275c1b545dc04b796f32cf3cd35dd9b4f0a63aaa496afe97e89661fb1a8eacca

Download Submit
C:\Users\Admin\AppData\Local\Temp\tSCTNcUDDQlr.bat
Filesize
223B

MD5
1110bd148963c6ed291750abb9380d82

SHA1
548759e3a0ae47bd4e1724afd397f21f1009feb4

SHA256
c39f9cfc17614ea76ccb45aacffde737aea84f879275c19f270a7f148ceb8b14

SHA512
9ae4dc649e22fa3290733a40719db1bedab3aeda20d889609851f980355ef86adba40b4b0277c70cd717feb0cb316aefbab9552bf0814ef72a67ca7be220c760

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucZAbPmGFMgw.bat
Filesize
223B

MD5
373ace3e55eac7d80c5e53d662ad8e7c

SHA1
7cd84a6e5a6e08c986cc3ae288a2da38d27b4c8e

SHA256
00c3722341d87a7db43a6d8d50a759f4227865a106e8abc17d5786ef3421b459

SHA512
ae272b636fb0f4d6a2e88a312ec0b262571ae381703d282b57befbf565864ad5b78d45205a0b38742bc62a65e81d125c072844a810b234458d284e752a579153

Download Submit
C:\Users\Admin\AppData\Local\Temp\uygBssTwBpr3.bat
Filesize
223B

MD5
9087d1390bff18c9615cf07e1c55081f

SHA1
0f590183946384636a936ed295d7f19368095fde

SHA256
da81734ab87dfa33e1ae13fea43c5d07ce617949987d589db13b331a05d5bcd2

SHA512
2dece3ba96329a2dc29811ae2521f03f7a3538a325ba924c38e1d0c4813371c5f4db99db719a40b9099518c01d61fee7331d6eb65d01b3def83007f685f8cd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\w6WRnwaNxt1i.bat
Filesize
223B

MD5
c89a65c49abf6eb9d510a934972040ed

SHA1
50ed07b6d172f9a3ae8219cdedf79bfae1c0909f

SHA256
c407677d2c17087071f0d7936c49942741d72cad6f9f55ef2e757bf9db6026c5

SHA512
8a52ef8c184f4d05a620af3d0702d80176372972155216eee73310730cbe745c720182aca9e10a9c182bae7791ddf73040f2ab71bafb42aea5c6e6c558d54001

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKNOlA83RfpC.bat
Filesize
223B

MD5
287548028af5548c96817a8417015c72

SHA1
e7303027f7108abcd9ffac1ee75f34fd3f9e5b3b

SHA256
27539320ab40f04a32795e9cc6137620ab93583f398a34f1ff61833d7cd87c56

SHA512
24906db76c7b67e565f97df5d27e678221387a0e577d171d819335c028bb98a7cebebd3684f79cea1293de3d5c00f8624b640414e34a58397e5bb2caf48f1dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnpnIEyHQfQH.bat
Filesize
223B

MD5
54aea99504d5b4a0b42de03d3094e60e

SHA1
1c671fb6c982e1bf5883296e69a946ca22a0132a

SHA256
0d96fc557f95dc68d1b1b7e7bdc3b043c1616cccd52e95c7459bd0961f0a0df9

SHA512
ea3a19036509d475b364a193b33e570ca4a32c20a99abad470e32ffff2708bc76fb3eec1be12999a50a50c679a5cd883455465d8c8115562951d527e4d920d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEts0ZohlTp6.bat
Filesize
223B

MD5
d6d28a8bf9c853d4a98d460025f4cff2

SHA1
b88cb8d45660fcacf7cabd49c531eac409bff06a

SHA256
fcaeb02fad004bb99c8aa7325191a53c0e22694ef0d21ca6cbedc3c84a4acc1f

SHA512
b5ce8c3c8c0846a00d5bd921914b2b12cf05c3b40861d915444c77e171dca92f614fc4106f200e80a50047ec9b46ce04f1e9f5b59f82346636be0f238c924531

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9O3aMvjVI0L.bat
Filesize
223B

MD5
05adc213f1e1e28962d479b1c0cd3610

SHA1
7ef849690ee62f4b0e07676383f9a7c5f3f1cd27

SHA256
6a1189438a0136821aaf4ea603ae3c078e258a1276d87c7890eb934495f18ae9

SHA512
30984c561517b8f5417194bba9bd6c0a849fa87af1d63d430cf3e3ac0b9628eaac315220288f05f2c3a862e353003187cb15ae363a301e79eb8b901a81e3ae68

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
ab473c4e58c270601d908c5123f4dfb2

SHA1
f2c888cc16858394766176354391e8363f80b020

SHA256
6a32aa300133cac65207e11e8e07245024c6f2c04e2f4dff0a2c44b4e239ff11

SHA512
0ff77efe7a3e3f71a9d9a10a98d0cdc0c55c186968365abcfd8a96558ffc4a065e5e36b27e7a2dbd55582cb691c9c71bfc59b94392daa9f03c485d194fcc3b24

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
499fb2edc5d001004862ff14599a547e

SHA1
1833b60b19f8da9c0dbf7a4fe4044fdc530f0382

SHA256
d4e6e1c537a7f8ee6e7fec8019bd7d81f9925b6b4b5fdd25f17119b4a84943e9

SHA512
43cd13eebdbc4ee90d86f32c24875261ce6079c041f61b7a89db750e88c56ea08506625cdec4b9fbf2ed953109b61ef333c8ee47a7311a3d316655fa0d662482

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
f51b972a47a512571c0889fc6bb99bf8

SHA1
515326220aecdc81747fd1a81de5e0a27b341bd1

SHA256
cdc7c10d3e3e9c2b6e0e498f3062ec6dab2938de9e90e282f24a8bbd228a4845

SHA512
e0a37b23ab6883f598f50e5b3d2ca5908e41fa23cfb60a69a356f94abec9f11502f478fd3006111c8823545e07e739a0fca745af49e3c4411079b6e9b13b1501

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
26c3ced3d23d83191d7bc354a3a864d5

SHA1
afcccb518fe88abcf63c3cebdb4781fe37c1ddff

SHA256
5d036915f7fad4cfacd44a11d463fc234b89e5893905a75f89522b903fee4f8b

SHA512
ba453824b22fa3f25187826da43aeeff50c8ca7398bc1facad4a93f3228d73342768dbb4bfd5ecf3aa70ae982d3294cc77e7c4859f70b02499b40400007c08be

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
83fb440615c28363f4bee0d995e083aa

SHA1
b31c7cc48de5aeb6c0ee91b0fe725e91f2fce017

SHA256
0f65d3cd911c05bd9905224d063177ac6d49e94e29c0ed4e8e164f448ea89b62

SHA512
9ee400958ff8c3e781a860140ce09893b771d748fe421b1516bdab47205a78845ac7a61b1fc932b154796fc66040242a71d3fa86daa39f422df669db92a08566

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
af3ea449c3e15190d8f11281a49ccfb3

SHA1
eae316f8083f803a522aaebd734a3afd1c21787d

SHA256
eaa4f3646fe7ebe9bda9dec54d5857ff8a8dd86384a4ea1471d656296fdd9ebc

SHA512
91b657e98f56f6e9a3cdd1dbb95e5325d0662bb693c2f6e70c39b1d03417c16d301d10fd9a3665e492df17d7ba640c9161d14defd9260f13be8c0755c068afb9

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
5a379c2f3ce55bcc3c2fda27c6f53658

SHA1
e47bf6618262648a3a296ef3c58e80de80647821

SHA256
97b567d978d8900f9452de9815b1d6a853fc30ed794ebb8aa11f12b41960cabb

SHA512
321a0cd84d65e6a6d0bc9da62e73bd3d62115de89caf81e0c2896b04cd88f2155794ebb59118d9f3f7a229abef39a286b7f02d7442f68003f32d4f46a143da56

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
027c0cafe00058263fce613b73367c4a

SHA1
a6c312576b5501d7adb2e7f5d924e9be27127450

SHA256
c6c8d907be5db50a0087de7e3f4a192680295128eeec04551d2c80dd29aa2423

SHA512
a110b3af88d73c6d495e4068165ce6d5d3b2dcb0ad3584861d35ab6cbaab21ee8b8ec219e7e4a439dbd9e6044f66f7682e2d70ff5cfb50725b590619a305206f

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
4616ad88a0d7e7bc4511bd1ca841d919

SHA1
6c515cb6367fc5c1ec3f7a31d07b8b661919bb9c

SHA256
dbe2eaaa3015781a246e125fda193db5cc771dba63f32dd395eae3cad276afe4

SHA512
1746d349a9945d16433cb4e4c229e14236a91f94513f7443bf6ab005aa1a65f55cfb12b91043a67e8bcd4f477e8c76ab0c38a3a8180735799476ee6de85dc166

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
edbacdef88d684544e5c0e55a6c01bdc

SHA1
da8d616bbbaa80eccf9ce0995d2682178e9769fa

SHA256
7cf1a2dfe82d561a2ca0c5af05a4cd4c73ca0979a9b420ae78ace13f43f830a7

SHA512
3e1ed4687eb395f7b2a712e91604cb29ff3d965e98d5ba328882c8eddc693ab95d6d4f0473d0e865dcb7ae1867e6df6728f9e3d772af4aa3ce0c362dccb55a8f

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
Filesize
409KB

MD5
2ec276b90d08cd1839674b810a14d1a3

SHA1
81a073c818361afe557ce29d2784ef90308cadc3

SHA256
59ea77def3bfcd5b9720dbd4f67ab6cd1063f675c2f98232a2d390364f20fff9

SHA512
4d6dfb4670e842310a03a22d109a9fb36a3c5b36173d9666166c772113fe2dab3eaff4c936868a3eff5be8ae61c219e7fb31cc0c7d26888311091ac14874b7ae

Download Submit
memory/2984-2-0x00000000065B0000-0x0000000006B54000-memory.dmp

Filesize
5.6MB

Download
memory/2984-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/2984-4-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/2984-6-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/2984-5-0x0000000006560000-0x0000000006572000-memory.dmp

Filesize
72KB

Download
memory/2984-3-0x00000000060A0000-0x0000000006132000-memory.dmp

Filesize
584KB

Download
memory/2984-1-0x0000000000E60000-0x0000000000ECC000-memory.dmp

Filesize
432KB

Download
memory/5016-13-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/5016-21-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/5016-16-0x0000000006A40000-0x0000000006A4A000-memory.dmp

Filesize
40KB

Download
memory/5016-14-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download