Malware Analysis Report

2024-08-06 11:23

Sample ID 240616-exsscstbjp
Target svchost.exe
SHA256 59ea77def3bfcd5b9720dbd4f67ab6cd1063f675c2f98232a2d390364f20fff9
Tags
seroxen | v3.1.5 | quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

59ea77def3bfcd5b9720dbd4f67ab6cd1063f675c2f98232a2d390364f20fff9

Threat Level: Known bad

The file svchost.exe was found to be: Known bad. The name mimics the Windows service host process, but this sample runs from the user's Temp directory (see the behavioral1 command line below), not from C:\Windows\System32.

Malicious Activity Summary

seroxen | v3.1.5 | quasar spyware trojan

Quasar RAT

Quasar family

Quasar payload

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Program crash

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-16 04:19

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 04:19

Reported

2024-06-16 04:37

Platform

win10v2004-20240508-en

Max time kernel

1041s

Max time network

1049s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target Count
N/A N/A N/A N/A 2

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A 50

Executes dropped EXE

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A 50

Looks up external IP address via web service

Description Indicator Process Target Count
N/A api.ipify.org N/A N/A 1
N/A ip-api.com N/A N/A 44

Enumerates physical storage devices

Program crash

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe 50

WerFault.exe was invoked 50 times against the dropped $sxr-powershell.exe, matching the 50 executions recorded under Executes dropped EXE.

Creates scheduled task(s)

persistence
Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A 51
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A 1
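The report records 52 schtasks.exe launches but neither the task name nor the command line. On a live host the equivalent hunt is to export each task with schtasks /query /tn <name> /xml and inspect its Exec action. The Python below is an added example, not part of the sandbox report: it parses Task Scheduler XML and flags actions that run from user-writable locations or reference the $sxr- directory prefix this sample uses. The three task documents are constructed for the example; the task names, the logon trigger, the cmd.exe wrapper and the benign Microsoft task are assumptions, not values observed in the report.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace, as emitted by schtasks /query /xml.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to, as literal paths or as the
# environment placeholders task XML often carries.
USER_WRITABLE_RE = re.compile(
    r"(\\users\\[^\\]+\\appdata\\|\\programdata\\|\\windows\\temp\\"
    r"|%(appdata|localappdata|temp|tmp)%)", re.I)

# Directory prefix used by the dropped payload in this report.
SEROXEN_DIR_RE = re.compile(r"\\\$sxr-", re.I)

# Interpreters whose payload usually lives in Arguments rather than Command.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def parse_task(xml_text):
    """Return the author and the (command, arguments) pairs of a task's Exec actions."""
    # Real schtasks output is UTF-16 with an XML declaration: pass it as bytes so
    # expat honours the declared encoding. The constructed samples below are str.
    root = ET.fromstring(xml_text)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return {"author": author, "actions": actions}


def assess_task(xml_text):
    """Return sorted finding tags for one task; an empty list means nothing flagged."""
    tags = set()
    for cmd, args in parse_task(xml_text)["actions"]:
        target = cmd.strip('"')
        if SEROXEN_DIR_RE.search(target) or SEROXEN_DIR_RE.search(args):
            tags.add("seroxen-dir")
        if USER_WRITABLE_RE.search(target):
            tags.add("user-writable-action")
        if _basename(target) in INTERPRETERS and USER_WRITABLE_RE.search(args):
            tags.add("interpreter-user-writable-arg")
    return sorted(tags)


def hunt(tasks):
    """tasks: {task name: task XML}. Returns only the tasks with findings."""
    findings = {}
    for name, xml_text in tasks.items():
        tags = assess_task(xml_text)
        if tags:
            findings[name] = tags
    return findings


# Constructed task exports (names, trigger and wrapper are assumptions).
SAMPLE_TASKS = {
    r"\Updater": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>DESKTOP\Admin</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"</Command></Exec>
  </Actions>
</Task>""",
    r"\Updater2": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>DESKTOP\Admin</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/c start "" "%APPDATA%\$sxr-seroxen2\$sxr-powershell.exe"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\Microsoft\Windows\Time Synchronization\SynchronizeTime": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\sc.exe</Command><Arguments>start w32time task_started</Arguments></Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, tags in hunt(SAMPLE_TASKS).items():
        print(name, "->", ", ".join(tags))
```

Export tasks one name at a time: schtasks /query /xml without /tn prints every task in one stream with comment separators, which is not a single XML document. The second constructed task is why Arguments is inspected as well as Command: a task whose Command is a clean system binary still persists the payload when the path appears only in its arguments.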

Runs ping.exe

Description Indicator Process Target Count
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A 50

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe N/A 50

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Entries
N/A | N/A | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | N/A | 50 (identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Entries
PID 2984 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 2984 wrote to memory of 5016 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | 3
PID 2984 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\SysWOW64\SCHTASKS.exe | 3
PID 5016 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 5016 wrote to memory of 3328 | N/A | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3328 wrote to memory of 648 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com | 3
PID 3328 wrote to memory of 1884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 3
PID 3328 wrote to memory of 1328 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | 3
PID 1328 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 1328 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3588 wrote to memory of 1104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com | 3
PID 3588 wrote to memory of 2324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 3
PID 3588 wrote to memory of 3488 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | 3
PID 3488 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 3488 wrote to memory of 976 | N/A | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 976 wrote to memory of 1804 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com | 3
PID 976 wrote to memory of 3496 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 3
PID 976 wrote to memory of 3024 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | 3
PID 3024 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 3024 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3692 wrote to memory of 2544 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com | 3
PID 3692 wrote to memory of 4088 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE | 1
(Entries: number of identical rows the sandbox logged for the same parent/child pair.)
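
The WriteProcessMemory rows above and the command lines in the Processes section below describe one chain: the dropper (svchost.exe in %TEMP%, PID 2984) registers two logon tasks ("Powershell" and "$77svchost.exe", both /sc ONLOGON /rl HIGHEST) and starts the Seroxen payload $sxr-powershell.exe (PID 5016); every payload instance re-registers the "Powershell" task, then has cmd.exe run a .bat from %TEMP% that executes chcp 65001, waits with ping -n 10 localhost and starts the payload again, which is the shape of Quasar's self-restart batch. The WerFault.exe entries (-p 5016, -p 1328, -p 3488, -p 3024, ...) show each instance crashing, so the restart batch keeps respawning it, which is why the process list repeats. The Python script below is an added example written for this page, not part of the sandbox report: it parses the memory-write rows into a process tree, flags that restart loop, and pulls task name, trigger, run level and target out of the schtasks lines to score them. The input rows are copied from the tables on this page; the scoring rules, the list of user-writable directories and the set of system binary names are the example author's assumptions. The "$77" task-name prefix is singled out because it is the hiding prefix used by the r77 rootkit that Seroxen builds bundle; the report itself does not state this.

```python
import re
from collections import defaultdict

# Constructed sample input: one row per distinct parent/child pair, copied from the
# "Suspicious use of WriteProcessMemory" table in this report (a subset; the sandbox
# logs each spawn three times and only the edge matters here).
WPM_ROWS = [
    r"PID 2984 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 2984 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe",
    r"PID 2984 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\SCHTASKS.exe",
    r"PID 5016 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 5016 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 3328 wrote to memory of 648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com",
    r"PID 3328 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE",
    r"PID 3328 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe",
    r"PID 1328 wrote to memory of 396 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\schtasks.exe",
    r"PID 1328 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe C:\Windows\SysWOW64\cmd.exe",
]

# Constructed sample input: the three distinct schtasks command lines from the Processes
# section of this report (the report does not pair them with PIDs, so none are assumed).
TASK_CMDLINES = [
    r'''"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f''',
    r'''"SCHTASKS.exe" /create /tn "$77svchost.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost.exe'" /sc onlogon /rl HIGHEST''',
    r'''"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f''',
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")
ARG_RE = re.compile(r'/(tn|sc|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")  # assumption
SYSTEM_NAMES = {"svchost.exe", "powershell.exe", "explorer.exe", "csrss.exe"}      # assumption


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_wpm_rows(rows):
    """Build {child_pid: (parent_pid, parent_image, child_image)} from sandbox rows;
    repeated rows for the same child collapse into one edge."""
    tree = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            parent, child, p_img, c_img = m.groups()
            tree[int(child)] = (int(parent), p_img, c_img)
    return tree


def find_restart_loops(tree):
    """Find cmd.exe instances that run chcp.com and PING.EXE and then relaunch the very
    image that spawned them (the shape of a Quasar-style self-restart batch).
    Returns (spawner_pid, cmd_pid, relaunched_pid) tuples."""
    kids = defaultdict(list)
    for child, (parent, _, _) in tree.items():
        kids[parent].append(child)
    hits = []
    for pid, (parent, p_img, c_img) in tree.items():
        if image_name(c_img) != "cmd.exe":
            continue
        spawned = {image_name(tree[k][2]) for k in kids[pid]}
        relaunch = [k for k in kids[pid] if tree[k][2].lower() == p_img.lower()]
        if {"chcp.com", "ping.exe"} <= spawned and relaunch:
            hits.append((parent, pid, relaunch[0]))
    return hits


def parse_schtasks(cmdline):
    """Extract /tn, /sc, /tr and /rl from a 'schtasks /create' line, stripping the
    surrounding double and single quotes (the report shows both quoting styles)."""
    if "/create" not in cmdline.lower():
        return None
    return {k.lower(): v.strip('"').strip("'") for k, v in ARG_RE.findall(cmdline)}


def assess_task(task):
    """Reasons a scheduled task matches the persistence pattern seen in this report."""
    reasons = []
    name, target = task.get("tn", ""), task.get("tr", "")
    if task.get("sc", "").lower() == "onlogon":
        reasons.append("logon trigger")
    if task.get("rl", "").lower() == "highest":
        reasons.append("run level HIGHEST")
    if any(s in target.lower() for s in USER_WRITABLE):
        reasons.append("target in user-writable path")
    if image_name(target) in SYSTEM_NAMES and "\\windows\\" not in target.lower():
        reasons.append("system binary name outside the Windows directory")
    if name.startswith("$77"):
        reasons.append("task name carries the r77 rootkit's $77 hiding prefix")
    if name.lower() == "powershell" and image_name(target) != "powershell.exe":
        reasons.append("task named Powershell but target is not powershell.exe")
    return reasons


if __name__ == "__main__":
    tree = parse_wpm_rows(WPM_ROWS)
    for spawner, cmd, relaunched in find_restart_loops(tree):
        print(f"restart loop: {spawner} -> cmd.exe {cmd} -> relaunch {relaunched}")
    for line in TASK_CMDLINES:
        task = parse_schtasks(line)
        print(task["tn"], "->", task["tr"], ":", ", ".join(assess_task(task)))
```

On a live host the same two checks apply to different sources: the process tree from EDR or Sysmon event 1 (the restart batch shows up as cmd.exe spawning chcp.com, PING.EXE and the parent image again), and the task definitions from the Task Scheduler XML under C:\Windows\System32\Tasks, where a "$77"-prefixed task will not be listed by schtasks /query if the r77 rootkit is resident, so reading the files through an offline or out-of-band view is the more reliable check.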

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77svchost.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost.exe'" /sc onlogon /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uad3ZQ3qhLmG.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5016 -ip 5016

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1920

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSCTNcUDDQlr.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1328 -ip 1328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 2108

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mceMrvClL4mK.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3488 -ip 3488

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1604

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nJsXgvr2BH4X.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3024 -ip 3024

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1660

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LXspIcTfxyDP.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1240 -ip 1240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 1628

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YlvsULaXbyrz.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3288 -ip 3288

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y9O3aMvjVI0L.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4748 -ip 4748

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lE1etLRwOWxC.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1808 -ip 1808

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1712

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TE7zWOR5L2XZ.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4152 -ip 4152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucZAbPmGFMgw.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3932 -ip 3932

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1724

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TXnd263AsG70.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 1692

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcREL6ZNlU4r.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3316 -ip 3316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WPNcCDd6WLHv.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1620 -ip 1620

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wnpnIEyHQfQH.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2488 -ip 2488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oORw9AGtWfxw.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 864 -ip 864

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 1668

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w6WRnwaNxt1i.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4116 -ip 4116

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 2236

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xEts0ZohlTp6.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2256 -ip 2256

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1704

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iFnxRMy9En6N.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3324 -ip 3324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1672

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uygBssTwBpr3.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3812 -ip 3812

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pr6uWpaWIvbD.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4764 -ip 4764

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKNOlA83RfpC.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5012 -ip 5012

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1652

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ISi4Nmr8Ov8s.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3632 -ip 3632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkVcThJlSoS2.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2996 -ip 2996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LKI2XtR420Hn.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3492 -ip 3492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xNGaEM6knPlB.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4952 -ip 4952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 2176

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOAff9HCGk2S.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1976 -ip 1976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 1708

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4GeHBDqzxIbz.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3940 -ip 3940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ue7SHEBBrclM.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4988 -ip 4988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgoHUlVxqljX.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3632 -ip 3632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 2224

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tt3bujSVyxgD.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1548 -ip 1548

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X2Flu7p9IKCV.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 892 -ip 892

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 1708

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1RVgmrLeiS2l.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 536 -ip 536

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 2236

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Oo9748WW6yVD.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2488 -ip 2488

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GPlGw4n8Cy1s.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4496 -ip 4496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hnDR158J6IBE.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2396 -ip 2396

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 1688

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUUDs7JT1iY6.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1372 -ip 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RzQkkxhXHHFZ.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4056 -ip 4056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1516

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VghVczshDhbQ.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 464 -ip 464

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PDMsNTyrOcAQ.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1096

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qbp3TTJ3IwJm.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4316 -ip 4316

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 1092

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HRCdgpribDcY.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2088 -ip 2088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mLcMKnzIiJMj.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2456 -ip 2456

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 2224

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vnc76BCu3m4W.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4644 -ip 4644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1668

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoVCWyMMW7Ln.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1744 -ip 1744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y77VPdyJ6oMr.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 1080

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SDrS2mrztlmR.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 64 -ip 64

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 2248

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoTbui9bylJ6.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 2232

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oDjWmTe7Ot9M.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1092 -ip 1092

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 1672

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\anUModFVtsvS.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 2172

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VPtESJhRUf91.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 2248

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 freegeoip.net udp

Files

memory/2984-0-0x000000007484E000-0x000000007484F000-memory.dmp

memory/2984-1-0x0000000000E60000-0x0000000000ECC000-memory.dmp

memory/2984-2-0x00000000065B0000-0x0000000006B54000-memory.dmp

memory/2984-3-0x00000000060A0000-0x0000000006132000-memory.dmp

memory/2984-4-0x0000000006140000-0x00000000061A6000-memory.dmp

memory/2984-5-0x0000000006560000-0x0000000006572000-memory.dmp

memory/2984-6-0x000000007484E000-0x000000007484F000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe

MD5 2ec276b90d08cd1839674b810a14d1a3
SHA1 81a073c818361afe557ce29d2784ef90308cadc3
SHA256 59ea77def3bfcd5b9720dbd4f67ab6cd1063f675c2f98232a2d390364f20fff9
SHA512 4d6dfb4670e842310a03a22d109a9fb36a3c5b36173d9666166c772113fe2dab3eaff4c936868a3eff5be8ae61c219e7fb31cc0c7d26888311091ac14874b7ae

memory/5016-13-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/5016-14-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/5016-16-0x0000000006A40000-0x0000000006A4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Uad3ZQ3qhLmG.bat

MD5 ad6b53b5ac87fcec144129b1e248f749
SHA1 0262281c617f4fa7e65d8705f84ece2e336aa354
SHA256 1447b5f50fe7c75a6313c65476d2789d3ce019ceb6ba79fef2bd4db0040e6275
SHA512 0ab9daa4c769c41136d93e4bbd176c4d70a3ff6f4239d95df3f39f635d1a399b44da15126fb04d2684b42f5b0533053b42116ac7abc67fe8e5e6c1416805d95f

memory/5016-21-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 83fb440615c28363f4bee0d995e083aa
SHA1 b31c7cc48de5aeb6c0ee91b0fe725e91f2fce017
SHA256 0f65d3cd911c05bd9905224d063177ac6d49e94e29c0ed4e8e164f448ea89b62
SHA512 9ee400958ff8c3e781a860140ce09893b771d748fe421b1516bdab47205a78845ac7a61b1fc932b154796fc66040242a71d3fa86daa39f422df669db92a08566

C:\Users\Admin\AppData\Local\Temp\tSCTNcUDDQlr.bat

MD5 1110bd148963c6ed291750abb9380d82
SHA1 548759e3a0ae47bd4e1724afd397f21f1009feb4
SHA256 c39f9cfc17614ea76ccb45aacffde737aea84f879275c19f270a7f148ceb8b14
SHA512 9ae4dc649e22fa3290733a40719db1bedab3aeda20d889609851f980355ef86adba40b4b0277c70cd717feb0cb316aefbab9552bf0814ef72a67ca7be220c760

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 af3ea449c3e15190d8f11281a49ccfb3
SHA1 eae316f8083f803a522aaebd734a3afd1c21787d
SHA256 eaa4f3646fe7ebe9bda9dec54d5857ff8a8dd86384a4ea1471d656296fdd9ebc
SHA512 91b657e98f56f6e9a3cdd1dbb95e5325d0662bb693c2f6e70c39b1d03417c16d301d10fd9a3665e492df17d7ba640c9161d14defd9260f13be8c0755c068afb9

C:\Users\Admin\AppData\Local\Temp\mceMrvClL4mK.bat

MD5 72fc9e433992ce885ce538dd897a86a9
SHA1 24120502c3167f88fd3a4273bb9baac26d10fb61
SHA256 4c22e92913c7d28cb34fe19dabba8e774f570825c5944a25e3d98d797b019d92
SHA512 3ecca3e6b3a858b5288f8d6655cd3c51c524518c6cbb744fd78189dc50b17dfa014856c82bc974a1b96665fa27efb61afe4d37e46654a119a5c2dc5d2af758b5

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 5a379c2f3ce55bcc3c2fda27c6f53658
SHA1 e47bf6618262648a3a296ef3c58e80de80647821
SHA256 97b567d978d8900f9452de9815b1d6a853fc30ed794ebb8aa11f12b41960cabb
SHA512 321a0cd84d65e6a6d0bc9da62e73bd3d62115de89caf81e0c2896b04cd88f2155794ebb59118d9f3f7a229abef39a286b7f02d7442f68003f32d4f46a143da56

C:\Users\Admin\AppData\Local\Temp\nJsXgvr2BH4X.bat

MD5 b769a71696c2425f6f64e2b13088885c
SHA1 9ed881b4beb976a55cf6f2bf1c360e14b2a12272
SHA256 815a29f7fec8530fe3f6cf78f3981edc36ce815dcc4ada9dbf9fb179cedd3f9c
SHA512 1eef26fa17eb030f53c48019ea25e3dcdd2fc58c692f514f3485a258deb7898922283fa4f406aca631c0f21085752ec15fa4348e8bf667e53a33a0e678031748

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 027c0cafe00058263fce613b73367c4a
SHA1 a6c312576b5501d7adb2e7f5d924e9be27127450
SHA256 c6c8d907be5db50a0087de7e3f4a192680295128eeec04551d2c80dd29aa2423
SHA512 a110b3af88d73c6d495e4068165ce6d5d3b2dcb0ad3584861d35ab6cbaab21ee8b8ec219e7e4a439dbd9e6044f66f7682e2d70ff5cfb50725b590619a305206f

C:\Users\Admin\AppData\Local\Temp\LXspIcTfxyDP.bat

MD5 0df9223a8d0d2ec615a40da6acb10ed1
SHA1 692fa9b8600f044b0d8cbf13b68dd9b2a9eb683b
SHA256 5dc3878b88531ac265462399d7147a9faf197ad206dc8f263b3128c97fa2d9a5
SHA512 117516945512b35a5a2f8386a4ace44a74e406affaf3890e388e93934a7ce9f1dbf824a7233756e4d4f033b85dbe4cdcf1d4c8cdfb07ea593cc9ba505117ee8c

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\YlvsULaXbyrz.bat

MD5 b59409c96201938291c66991a387d0c4
SHA1 417516519c4cdae24309c871d7464819ef5d259f
SHA256 64f167e8123cd9696b81aad1a31a91fb44e0424a22ca99d9140e4cf9ef0615fb
SHA512 6dd1133e0872897ef3ee6dea0e706d3843f0fbc93416cfb7c1cfb48b4fb158861577c8ad681eaf6fa4a4db06dddc78c560b64ef0f3cae58825fb59d1dd440d31

C:\Users\Admin\AppData\Local\Temp\y9O3aMvjVI0L.bat

MD5 05adc213f1e1e28962d479b1c0cd3610
SHA1 7ef849690ee62f4b0e07676383f9a7c5f3f1cd27
SHA256 6a1189438a0136821aaf4ea603ae3c078e258a1276d87c7890eb934495f18ae9
SHA512 30984c561517b8f5417194bba9bd6c0a849fa87af1d63d430cf3e3ac0b9628eaac315220288f05f2c3a862e353003187cb15ae363a301e79eb8b901a81e3ae68

C:\Users\Admin\AppData\Local\Temp\lE1etLRwOWxC.bat

MD5 b1762ef5fb21450c22ab7dc1c0b98660
SHA1 88a094a3b47a34d3627c41b8789c489f36b9d8f0
SHA256 fe7012498b9584d46ea75e4182ec9d617e0624229b2ea27d243630245176e3cf
SHA512 017c6538d3352e5012927a37287cf4695eed1894939d3da535026e4e1baa94823c920819495647fca1fb1722a9ec7e39b53e9697444960b999ddc7de5ca47264

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 4616ad88a0d7e7bc4511bd1ca841d919
SHA1 6c515cb6367fc5c1ec3f7a31d07b8b661919bb9c
SHA256 dbe2eaaa3015781a246e125fda193db5cc771dba63f32dd395eae3cad276afe4
SHA512 1746d349a9945d16433cb4e4c229e14236a91f94513f7443bf6ab005aa1a65f55cfb12b91043a67e8bcd4f477e8c76ab0c38a3a8180735799476ee6de85dc166

C:\Users\Admin\AppData\Local\Temp\TE7zWOR5L2XZ.bat

MD5 10221760a0c0980230609f37b3cc3ee9
SHA1 c2ab0d8df4ff033da7813d1416dba44710302399
SHA256 9e356610b07a46c4771ab805e8c10a60cade6bd91ea09e980a474c7b52a0c3a1
SHA512 d345b34e0ab6d448178322f87619b0a80bed8c4894c336fdf791156f96a5ac92519cd8f9de62a44e5d98895ba6237c53d509bb2aef1d0bfdcde81f8226d2672b

C:\Users\Admin\AppData\Local\Temp\ucZAbPmGFMgw.bat

MD5 373ace3e55eac7d80c5e53d662ad8e7c
SHA1 7cd84a6e5a6e08c986cc3ae288a2da38d27b4c8e
SHA256 00c3722341d87a7db43a6d8d50a759f4227865a106e8abc17d5786ef3421b459
SHA512 ae272b636fb0f4d6a2e88a312ec0b262571ae381703d282b57befbf565864ad5b78d45205a0b38742bc62a65e81d125c072844a810b234458d284e752a579153

C:\Users\Admin\AppData\Local\Temp\TXnd263AsG70.bat

MD5 55367e300c7208fe4d8e78896113bb24
SHA1 d16c6ba53a2ca22387ccf1c5c5dfd3b061d9dde4
SHA256 c45c47a90aa2754e88e571c735de3aa817641e7d750f807f5caed28e9632c809
SHA512 d164b9e140c8286a6a08ae4d348d2695629e98d73f21cb6b516fbd829cc2ff4bb419c54c21efec39b204c2a8a68218250a0feb3a4fdbcfaf9ada6ce33c02247a

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 edbacdef88d684544e5c0e55a6c01bdc
SHA1 da8d616bbbaa80eccf9ce0995d2682178e9769fa
SHA256 7cf1a2dfe82d561a2ca0c5af05a4cd4c73ca0979a9b420ae78ace13f43f830a7
SHA512 3e1ed4687eb395f7b2a712e91604cb29ff3d965e98d5ba328882c8eddc693ab95d6d4f0473d0e865dcb7ae1867e6df6728f9e3d772af4aa3ce0c362dccb55a8f

C:\Users\Admin\AppData\Local\Temp\GcREL6ZNlU4r.bat

MD5 1407815942aae1004b08ab82c431957a
SHA1 0d36c59d856efd352a5582b25d7b6c306e7a0b6f
SHA256 ae42810534d58f5a29b1fba301df844ae7066b1f730ba5a15c2d75b69bfddaa7
SHA512 41e74eb6f9a4426504a4c5448ce1ef42b3df3e259c9796af4dce817596acb0b1365a61614b23a112fe07359871bd9ca0025d2458b3ae8d6000854c0a7a9b1709

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 ab473c4e58c270601d908c5123f4dfb2
SHA1 f2c888cc16858394766176354391e8363f80b020
SHA256 6a32aa300133cac65207e11e8e07245024c6f2c04e2f4dff0a2c44b4e239ff11
SHA512 0ff77efe7a3e3f71a9d9a10a98d0cdc0c55c186968365abcfd8a96558ffc4a065e5e36b27e7a2dbd55582cb691c9c71bfc59b94392daa9f03c485d194fcc3b24

C:\Users\Admin\AppData\Local\Temp\WPNcCDd6WLHv.bat

MD5 0f1441dbd0f3aa64ffe2846282ccdaab
SHA1 eb56ccaa558c93bb60d4a27f8e5850540a316ac8
SHA256 131a565dc5d25ec93cb2560fd845be2537eb566062a23ac886990f32666b13ff
SHA512 b75624e4ba97d6edb6dc5e08e00887eca3044311ba2bf122d929e2f26848fa9fd1639e3fc078d2766739a482ded15a6df5fe76ac1a49978e4a9e2f5698688396

C:\Users\Admin\AppData\Local\Temp\wnpnIEyHQfQH.bat

MD5 54aea99504d5b4a0b42de03d3094e60e
SHA1 1c671fb6c982e1bf5883296e69a946ca22a0132a
SHA256 0d96fc557f95dc68d1b1b7e7bdc3b043c1616cccd52e95c7459bd0961f0a0df9
SHA512 ea3a19036509d475b364a193b33e570ca4a32c20a99abad470e32ffff2708bc76fb3eec1be12999a50a50c679a5cd883455465d8c8115562951d527e4d920d8d

C:\Users\Admin\AppData\Local\Temp\oORw9AGtWfxw.bat

MD5 8c8402c3fd70cb84edc69c28413f4827
SHA1 112cbf7f55bb3348a4c2d7194b710bc704fab4c3
SHA256 c6f61510293ae52803038b91d6b4207f53bddef290c7fa48278bec066fcecea1
SHA512 421d28dff0d1941529f2cd5acf59a68eec08989256f43d8e2c6dbf7cbbd05e5d275c1b545dc04b796f32cf3cd35dd9b4f0a63aaa496afe97e89661fb1a8eacca

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 499fb2edc5d001004862ff14599a547e
SHA1 1833b60b19f8da9c0dbf7a4fe4044fdc530f0382
SHA256 d4e6e1c537a7f8ee6e7fec8019bd7d81f9925b6b4b5fdd25f17119b4a84943e9
SHA512 43cd13eebdbc4ee90d86f32c24875261ce6079c041f61b7a89db750e88c56ea08506625cdec4b9fbf2ed953109b61ef333c8ee47a7311a3d316655fa0d662482

C:\Users\Admin\AppData\Local\Temp\w6WRnwaNxt1i.bat

MD5 c89a65c49abf6eb9d510a934972040ed
SHA1 50ed07b6d172f9a3ae8219cdedf79bfae1c0909f
SHA256 c407677d2c17087071f0d7936c49942741d72cad6f9f55ef2e757bf9db6026c5
SHA512 8a52ef8c184f4d05a620af3d0702d80176372972155216eee73310730cbe745c720182aca9e10a9c182bae7791ddf73040f2ab71bafb42aea5c6e6c558d54001

C:\Users\Admin\AppData\Local\Temp\xEts0ZohlTp6.bat

MD5 d6d28a8bf9c853d4a98d460025f4cff2
SHA1 b88cb8d45660fcacf7cabd49c531eac409bff06a
SHA256 fcaeb02fad004bb99c8aa7325191a53c0e22694ef0d21ca6cbedc3c84a4acc1f
SHA512 b5ce8c3c8c0846a00d5bd921914b2b12cf05c3b40861d915444c77e171dca92f614fc4106f200e80a50047ec9b46ce04f1e9f5b59f82346636be0f238c924531

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 f51b972a47a512571c0889fc6bb99bf8
SHA1 515326220aecdc81747fd1a81de5e0a27b341bd1
SHA256 cdc7c10d3e3e9c2b6e0e498f3062ec6dab2938de9e90e282f24a8bbd228a4845
SHA512 e0a37b23ab6883f598f50e5b3d2ca5908e41fa23cfb60a69a356f94abec9f11502f478fd3006111c8823545e07e739a0fca745af49e3c4411079b6e9b13b1501

C:\Users\Admin\AppData\Local\Temp\iFnxRMy9En6N.bat

MD5 6f000a79aa409d6eb3b50bf27c013604
SHA1 e68428fd61901873abaaf983239decb028014ea7
SHA256 1d65062f0f99ab90de7f86402b6836058ffe912eff9eb795797afd30cd940641
SHA512 4caef4da982b751e95b276fae44e90d49c1bca6657e2e120bd9b9f67beed96cfefdc8f3ac62d256ea5d4273379b4789bd49eebc3ad7aa26f6f9c9642137f14c8

C:\Users\Admin\AppData\Local\Temp\uygBssTwBpr3.bat

MD5 9087d1390bff18c9615cf07e1c55081f
SHA1 0f590183946384636a936ed295d7f19368095fde
SHA256 da81734ab87dfa33e1ae13fea43c5d07ce617949987d589db13b331a05d5bcd2
SHA512 2dece3ba96329a2dc29811ae2521f03f7a3538a325ba924c38e1d0c4813371c5f4db99db719a40b9099518c01d61fee7331d6eb65d01b3def83007f685f8cd50

C:\Users\Admin\AppData\Local\Temp\Pr6uWpaWIvbD.bat

MD5 a514cbd7aee873ab121846a8d2586005
SHA1 0444a1fc0b1c77ca6f605537f39edf11066c2193
SHA256 bd00e9ca3e94dc4d3519f36f03bc65674cb7fa784e7181d66648e70c4d7496cf
SHA512 90110875c1f338f942de947902e9768bc7297880a6a3c75dd5642d988b3c45706da1934ac3055608c8363241c7bcafa427a7d9cee880f0edc6ff536b24bdda4e

C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024

MD5 26c3ced3d23d83191d7bc354a3a864d5
SHA1 afcccb518fe88abcf63c3cebdb4781fe37c1ddff
SHA256 5d036915f7fad4cfacd44a11d463fc234b89e5893905a75f89522b903fee4f8b
SHA512 ba453824b22fa3f25187826da43aeeff50c8ca7398bc1facad4a93f3228d73342768dbb4bfd5ecf3aa70ae982d3294cc77e7c4859f70b02499b40400007c08be

C:\Users\Admin\AppData\Local\Temp\wKNOlA83RfpC.bat

MD5 287548028af5548c96817a8417015c72
SHA1 e7303027f7108abcd9ffac1ee75f34fd3f9e5b3b
SHA256 27539320ab40f04a32795e9cc6137620ab93583f398a34f1ff61833d7cd87c56
SHA512 24906db76c7b67e565f97df5d27e678221387a0e577d171d819335c028bb98a7cebebd3684f79cea1293de3d5c00f8624b640414e34a58397e5bb2caf48f1dd1