quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
295s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (11) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral10/memory/640-1-0x0000000000EE0000-0x0000000000F4C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 16 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2848	Client.exe
388	Client.exe
1788	Client.exe
408	Client.exe
4228	Client.exe
948	Client.exe
2724	Client.exe
2960	Client.exe
4880	Client.exe
548	Client.exe
1520	Client.exe
1064	Client.exe
4420	Client.exe
2844	Client.exe
528	Client.exe
4504	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com
33	ip-api.com
37	ip-api.com
13	ip-api.com
18	ip-api.com
28	ip-api.com
31	ip-api.com
16	ip-api.com
23	ip-api.com
26	ip-api.com
8	api.ipify.org
20	ip-api.com
35	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1396	2848	WerFault.exe	Client.exe
3528	388	WerFault.exe	Client.exe
3128	1788	WerFault.exe	Client.exe
2620	408	WerFault.exe	Client.exe
640	4228	WerFault.exe	Client.exe
4996	948	WerFault.exe	Client.exe
3684	2724	WerFault.exe	Client.exe
4556	2960	WerFault.exe	Client.exe
452	4880	WerFault.exe	Client.exe
2588	548	WerFault.exe	Client.exe
4160	1520	WerFault.exe	Client.exe
3288	1064	WerFault.exe	Client.exe
1132	4420	WerFault.exe	Client.exe
4168	2844	WerFault.exe	Client.exe
2732	528	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3228	schtasks.exe
2372	SCHTASKS.exe
3508	schtasks.exe
4836	schtasks.exe
1476	schtasks.exe
2924	schtasks.exe
4452	schtasks.exe
1816	schtasks.exe
2864	schtasks.exe
3600	schtasks.exe
1740	schtasks.exe
3288	schtasks.exe
4348	schtasks.exe
5104	schtasks.exe
972	schtasks.exe
4324	schtasks.exe
2416	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2392	PING.EXE
3448	PING.EXE
3944	PING.EXE
2972	PING.EXE
4568	PING.EXE
3508	PING.EXE
1352	PING.EXE
3684	PING.EXE
2796	PING.EXE
4576	PING.EXE
2572	PING.EXE
640	PING.EXE
956	PING.EXE
1484	PING.EXE
3916	PING.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

Uni - Copy (11) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	640	Uni - Copy (11) - Copy - Copy.exe
Token: SeDebugPrivilege	2848	Client.exe
Token: SeDebugPrivilege	388	Client.exe
Token: SeDebugPrivilege	1788	Client.exe
Token: SeDebugPrivilege	408	Client.exe
Token: SeDebugPrivilege	4228	Client.exe
Token: SeDebugPrivilege	948	Client.exe
Token: SeDebugPrivilege	2724	Client.exe
Token: SeDebugPrivilege	2960	Client.exe
Token: SeDebugPrivilege	4880	Client.exe
Token: SeDebugPrivilege	548	Client.exe
Token: SeDebugPrivilege	1520	Client.exe
Token: SeDebugPrivilege	1064	Client.exe
Token: SeDebugPrivilege	4420	Client.exe
Token: SeDebugPrivilege	2844	Client.exe
Token: SeDebugPrivilege	528	Client.exe
Token: SeDebugPrivilege	4504	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2848	Client.exe
388	Client.exe
1788	Client.exe
408	Client.exe
4228	Client.exe
948	Client.exe
2724	Client.exe
2960	Client.exe
4880	Client.exe
548	Client.exe
1520	Client.exe
1064	Client.exe
4420	Client.exe
2844	Client.exe
528	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (11) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 640 wrote to memory of 3228	640	Uni - Copy (11) - Copy - Copy.exe	schtasks.exe
PID 640 wrote to memory of 3228	640	Uni - Copy (11) - Copy - Copy.exe	schtasks.exe
PID 640 wrote to memory of 3228	640	Uni - Copy (11) - Copy - Copy.exe	schtasks.exe
PID 640 wrote to memory of 2848	640	Uni - Copy (11) - Copy - Copy.exe	Client.exe
PID 640 wrote to memory of 2848	640	Uni - Copy (11) - Copy - Copy.exe	Client.exe
PID 640 wrote to memory of 2848	640	Uni - Copy (11) - Copy - Copy.exe	Client.exe
PID 640 wrote to memory of 2372	640	Uni - Copy (11) - Copy - Copy.exe	SCHTASKS.exe
PID 640 wrote to memory of 2372	640	Uni - Copy (11) - Copy - Copy.exe	SCHTASKS.exe
PID 640 wrote to memory of 2372	640	Uni - Copy (11) - Copy - Copy.exe	SCHTASKS.exe
PID 2848 wrote to memory of 3508	2848	Client.exe	schtasks.exe
PID 2848 wrote to memory of 3508	2848	Client.exe	schtasks.exe
PID 2848 wrote to memory of 3508	2848	Client.exe	schtasks.exe
PID 2848 wrote to memory of 852	2848	Client.exe	cmd.exe
PID 2848 wrote to memory of 852	2848	Client.exe	cmd.exe
PID 2848 wrote to memory of 852	2848	Client.exe	cmd.exe
PID 852 wrote to memory of 1240	852	cmd.exe	chcp.com
PID 852 wrote to memory of 1240	852	cmd.exe	chcp.com
PID 852 wrote to memory of 1240	852	cmd.exe	chcp.com
PID 852 wrote to memory of 2796	852	cmd.exe	PING.EXE
PID 852 wrote to memory of 2796	852	cmd.exe	PING.EXE
PID 852 wrote to memory of 2796	852	cmd.exe	PING.EXE
PID 852 wrote to memory of 388	852	cmd.exe	Client.exe
PID 852 wrote to memory of 388	852	cmd.exe	Client.exe
PID 852 wrote to memory of 388	852	cmd.exe	Client.exe
PID 388 wrote to memory of 1816	388	Client.exe	schtasks.exe
PID 388 wrote to memory of 1816	388	Client.exe	schtasks.exe
PID 388 wrote to memory of 1816	388	Client.exe	schtasks.exe
PID 388 wrote to memory of 4924	388	Client.exe	cmd.exe
PID 388 wrote to memory of 4924	388	Client.exe	cmd.exe
PID 388 wrote to memory of 4924	388	Client.exe	cmd.exe
PID 4924 wrote to memory of 2524	4924	cmd.exe	chcp.com
PID 4924 wrote to memory of 2524	4924	cmd.exe	chcp.com
PID 4924 wrote to memory of 2524	4924	cmd.exe	chcp.com
PID 4924 wrote to memory of 4568	4924	cmd.exe	PING.EXE
PID 4924 wrote to memory of 4568	4924	cmd.exe	PING.EXE
PID 4924 wrote to memory of 4568	4924	cmd.exe	PING.EXE
PID 4924 wrote to memory of 1788	4924	cmd.exe	Client.exe
PID 4924 wrote to memory of 1788	4924	cmd.exe	Client.exe
PID 4924 wrote to memory of 1788	4924	cmd.exe	Client.exe
PID 1788 wrote to memory of 2864	1788	Client.exe	schtasks.exe
PID 1788 wrote to memory of 2864	1788	Client.exe	schtasks.exe
PID 1788 wrote to memory of 2864	1788	Client.exe	schtasks.exe
PID 1788 wrote to memory of 2288	1788	Client.exe	cmd.exe
PID 1788 wrote to memory of 2288	1788	Client.exe	cmd.exe
PID 1788 wrote to memory of 2288	1788	Client.exe	cmd.exe
PID 2288 wrote to memory of 4500	2288	cmd.exe	chcp.com
PID 2288 wrote to memory of 4500	2288	cmd.exe	chcp.com
PID 2288 wrote to memory of 4500	2288	cmd.exe	chcp.com
PID 2288 wrote to memory of 956	2288	cmd.exe	PING.EXE
PID 2288 wrote to memory of 956	2288	cmd.exe	PING.EXE
PID 2288 wrote to memory of 956	2288	cmd.exe	PING.EXE
PID 2288 wrote to memory of 408	2288	cmd.exe	Client.exe
PID 2288 wrote to memory of 408	2288	cmd.exe	Client.exe
PID 2288 wrote to memory of 408	2288	cmd.exe	Client.exe
PID 408 wrote to memory of 3600	408	Client.exe	schtasks.exe
PID 408 wrote to memory of 3600	408	Client.exe	schtasks.exe
PID 408 wrote to memory of 3600	408	Client.exe	schtasks.exe
PID 408 wrote to memory of 1688	408	Client.exe	cmd.exe
PID 408 wrote to memory of 1688	408	Client.exe	cmd.exe
PID 408 wrote to memory of 1688	408	Client.exe	cmd.exe
PID 1688 wrote to memory of 4044	1688	cmd.exe	chcp.com
PID 1688 wrote to memory of 4044	1688	cmd.exe	chcp.com
PID 1688 wrote to memory of 4044	1688	cmd.exe	chcp.com
PID 1688 wrote to memory of 1484	1688	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3228

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eMUGLU4lInqz.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1240

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2796

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsUaVSKOMswV.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:2524

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4568

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rlrk6Nv5Olc0.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4500

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:956

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z2nzMXhVrdAa.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4044

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1484

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4228

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqVKPNRIHzYr.bat" "
11⤵
PID:2452

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4872

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3508

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7B2jOvb2GDkX.bat" "
13⤵
PID:4236

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:1388

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2392

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qzmq2np4XteV.bat" "
15⤵
PID:60

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:1348

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1352

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2960

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:3288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaOzuj6gdsAB.bat" "
17⤵
PID:3228

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4620

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3916

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tZMyDdjLgfHp.bat" "
19⤵
PID:3508

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:3364

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4576

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:548

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3maIdbftorEV.bat" "
21⤵
PID:1252

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:1900

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2572

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LnBszR0CccUs.bat" "
23⤵
PID:2784

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:348

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3684

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGG51Wi2HAPm.bat" "
25⤵
PID:1868

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:4624

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:3448

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\blCctM76Xi6E.bat" "
27⤵
PID:2912

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:4552

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:640

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YslKJFA6pUDi.bat" "
29⤵
PID:4156

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:392

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3944

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:528

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sgWRx7O8697g.bat" "
31⤵
PID:516

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:3028

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2972

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1092
31⤵
- Program crash
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1668
29⤵
- Program crash
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 1732
27⤵
- Program crash
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1604
25⤵
- Program crash
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2232
23⤵
- Program crash
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 2232
21⤵
- Program crash
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1092
19⤵
- Program crash
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 2248
17⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1088
15⤵
- Program crash
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 2228
13⤵
- Program crash
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 2200
11⤵
- Program crash
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1084
9⤵
- Program crash
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 1640
7⤵
- Program crash
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 2196
5⤵
- Program crash
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 2204
3⤵
- Program crash
PID:1396

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2848 -ip 2848
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 388 -ip 388
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1788 -ip 1788
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 408 -ip 408
1⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4228 -ip 4228
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 948 -ip 948
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2724 -ip 2724
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2960 -ip 2960
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4880 -ip 4880
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 548 -ip 548
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1520 -ip 1520
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1064 -ip 1064
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4420 -ip 4420
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2844 -ip 2844
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 528 -ip 528
1⤵
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3maIdbftorEV.bat
Filesize
207B

MD5
669664d89406c134ebe508f1ff97bd0b

SHA1
023ec874bc6b16777977cf72181d1fb4a969f8fc

SHA256
c1b705e2d4ca0a5e5d72195100eae87c5c9f7498953fc710ccdfcee5f42ab29b

SHA512
67d630f3323463ab9dbd452d06628e013b180c94c53991385ab4d9ad61a290a4ba4bb97a4da86838503a8af37bc6abdd2b4699580b19bbd6172e1f52b49f5d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7B2jOvb2GDkX.bat
Filesize
207B

MD5
c119f451baef25e6ba172faf397c12ee

SHA1
a51cbf0bcf61d744b7c7320b2ab2bd8414f56ae5

SHA256
bc3e31878c950cfc010ddf38ea10caa13982ec7f5abec491ab5090c506d2118f

SHA512
c9fd0f398d4441a776dd2b39294e1218de68a54147d95e3ab68376d6641fca554f78a1819324e3115daea53b94a1d6287907e0f2a0871743b752a1dceff9ee7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaOzuj6gdsAB.bat
Filesize
207B

MD5
59f903945f6bf6738ddd0ce7f78c4f9a

SHA1
45179e313485d4ba4ce8a180c53d17b4be7250c3

SHA256
66f9c5bbca54dd7d0871a0e41e1d2d6166edb6652a57ab7330edd4036d7ada3b

SHA512
55c3a2a21195e42260047e78167e2ec1f03bb51d4dc4735c09527eca5095e08e7f013e9a03742b546b544c0ffe45051c290c5b3a90e0e9977a6f1043f5480e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LnBszR0CccUs.bat
Filesize
207B

MD5
bf8672a5b1402c1e604fcda4fa4f78df

SHA1
83c977daa8b364db55b63d4605d7d34aa13def6b

SHA256
217d0b2cdf30b9b1162cdc235a2635f7966a12833490642d4d0782e1b28ea9bc

SHA512
f1f226cdfd5648670eddcda3bdda8c305b6fe813792fe28ba3e9a22a7c820b31de2d8ccaf854a036bb1b1b2eefbb49c81ab5b9e4c7876da4e30bc5ff0b9ce121

Download Submit
C:\Users\Admin\AppData\Local\Temp\PsUaVSKOMswV.bat
Filesize
207B

MD5
601d15851805267dfe3e316fd45e886f

SHA1
d8be1e5e29b50bfe7a3d0a7b3899c184e999cdd3

SHA256
7f5983efb062bbc9892b79c82b53b299d90b79165ce43757721b8d0212ab144c

SHA512
47e357bd6a0a36f51ce2ffa31e6ba7ba147368b8f356387751c9bdb005af1672dd4db91fbe1af3f67c4bf3b36bdf4c562eb025b3edb85db5f9f8e9adb1869c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qzmq2np4XteV.bat
Filesize
207B

MD5
b0fd3d86cdf5d7587f61e6f849d72c45

SHA1
995188fc113141a0a4b3f829554fa5b5205c851a

SHA256
df1e64f527dfbea81c1d84bffc2b46852bd1d16d2bed019d5d47552cc2d2503f

SHA512
294f3cdea29b0960ca49b727a30937dea8662df82fc596af2497b580d5712e7131a60c7a7a7b0e4fa27f0b8a1e530e9c0d003978282d8e9370f6c56451380e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\YslKJFA6pUDi.bat
Filesize
207B

MD5
4ca70d06fc56e8958ac0adce98be5a25

SHA1
8f170b60ba3ece0e6b4c515aab883162d3bc7b3e

SHA256
87bd194f66d3827efbff4989bbe40a7693b6630547df3aec781d14850c1549e5

SHA512
876115d8d70bd4068279fdecaf1b0d92826e70e442045bc2b03be0685638105f0feb8736465671dda73b5b16fee35e94dad7a4400f7005036ba689833ad2a23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\blCctM76Xi6E.bat
Filesize
207B

MD5
b6aadfacacdde6f99cf4041e01d62e50

SHA1
dc753acdcb7b09ca79562ea05b4784d3ab5ebad5

SHA256
20563a21bf5d26d4865b10f386539aadc0349fe45501abc8f06dd7fef365cb98

SHA512
e9c7b70d4a48e3852f30f7c508b70a66eb00bfee694beb0ba45230880d10c09212b10b9f4f093987155e15f0f566899885d639085835617cfa4a26d7e3f78f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMUGLU4lInqz.bat
Filesize
207B

MD5
80d13a5c33019e2adf122a4b19ee3bc1

SHA1
ce5c1d4c638549ba9bb86e9b6dceba0d11bc90fc

SHA256
cc6e3240d9588ae521817e710591b916dd58bc2c8a9d375c1351f87f4165eaaf

SHA512
31923b32f14d1996d93005fd0bb4eea20964b9eb0933c451bf8f1a61285cc57a44195250eacbbb93fc7716e3c4d43669e30096dd1b461bc76a19f26518dc2d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\eqVKPNRIHzYr.bat
Filesize
207B

MD5
1fbd4fa3a3f1107bb296a114062c6874

SHA1
c43e01f00b7659e369333aa579c9d22c46da3934

SHA256
aa0c4a6ad02c29644ce9dda263a5fdba5a177ded16dc46ab8111272168ef0953

SHA512
4886dae776b37f09348f91d2f197a72e5849dcb9ddd24753c63420f02eece6b634f006ffcef5f0fc2cc8a239e13b3ee7a4ff933fd4d49700da26d4f0d4afd0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rlrk6Nv5Olc0.bat
Filesize
207B

MD5
9aa030a594e9471473a7d827a689adb3

SHA1
378d63e34175630ec4864724bc7fd62f19c0cfcb

SHA256
cf7db04791fdecad64a1789a896ee91f72b1cdf053d6c9030ede07805aa5555e

SHA512
3135276391b0421314c29968ed12ff6f0c10a0e2f5fa2e18b0457f31a62840680e5393169b0c919ff0e65e1ec7ab7deefaec0e627aa746393042a090f4f1123b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgWRx7O8697g.bat
Filesize
207B

MD5
328b76688f2ab18a93b126ac8627947a

SHA1
f407cd1710104d37538f5c6d5c745d5559a99b5e

SHA256
fed0a5834a93fbd7e857a9114e68f6ec51234eab238affe29018928be2931801

SHA512
af1819b57c4a48f7b01fab85e9b83fde0324f88c1b77e56fca5be1494b838297500f5c297c6df68d028fcb8434ec8c90876083575a022edd3344b574708b99fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tZMyDdjLgfHp.bat
Filesize
207B

MD5
98f7cec0ae736cdf36586fa8c1cbd91b

SHA1
9381fd5011769b2f7c726de000c67dbcaca749a0

SHA256
57efc5f19ab9c6e032a9629896784de0f80a006785e4d8ba4581b4a87f9ef8eb

SHA512
2a87c4e6956d916a113bcdd7552be2eda9b128011aa40f44cab1d9fc305289e7289d2d9399478edc1b357be8fa14aa05ae09f6067fb7017952d760077a7a0fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGG51Wi2HAPm.bat
Filesize
207B

MD5
c315a63d1e5a2377b1d9428eba107279

SHA1
0b494ec211ce7803ab79c3c5af59ab4c2273e086

SHA256
1f7377c91fcbfaaf67560715f4fbb5853e4f45f2369ad756c181f81d70ca4c6e

SHA512
665931e044996d92b0ffff3e2b3ce55d5823789c7a7bf2a1e3736ae0bafe3860ea3a4f113f9411d0c65042ad1e9b75256b1ed6e25d1acc2af2ac9795cf5cf8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2nzMXhVrdAa.bat
Filesize
207B

MD5
ac9997304df78fe2a3504aec6be28cd1

SHA1
2cdc68b0a1a9acb9244d9e9b45987a62087b72de

SHA256
21966280745c029c828f0df0484e25d9e204d9fb44605b8b3533069632c5c494

SHA512
3e031e9408b97bea5f2d03a389a3bd336e8e2d387760525c4e25905c525208b516999b592c4282b68a9c92b4c682616eaadf9629c5894c9d4599da06e4c28cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
7d267891675ba33661067453595c76c7

SHA1
a9cfdcf8f3409622c880f913b799b420e510573e

SHA256
638b5c16d407b3be26e534791d9707ea3314433a4b1a4753f7626c45ef9d82f7

SHA512
72b9177777605e86bc9afdf54cb57ccf3867960e8efdbe350fdce6049871a11b06e0585d39e9a1375e094542b595f0db60708c6bd510f26bee1f17fd7aba4575

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
a83f4da8419c1082b338d2182a92bf2b

SHA1
958f439aea190ec539eaa5b51c4d0f4d4c747259

SHA256
c0355425f0da6554251890161501133348dd167e55b8f7d49fc9c4d3e5cbd4a5

SHA512
04578f56a5e3410ddd9726c20ea8a081a9a35624748cf9e6f06613c43258589d064517c1f1cfa1cb1cc7139ed40a0072a08865ad44ded070ba965050ba21a93d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
89362c79caa169e2b1dc16936efcdea3

SHA1
225d871be3a42c60b3ca8cf8cb0104524db4b0ba

SHA256
e3e43d900b46baf187bbd94517a34246f23dc8a5432b92dfd68e407d4e0d5595

SHA512
02b8b74c4900530eda326e556f1a6a8f35eeb6f232e5ba12a593e3b30bf360764d5d78e5d70164e5956b2a72cf01d6d8729052b4b587d4f0b5970c7167d6fc7c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
0e9729c0f2597b7c5550a4990cba31d9

SHA1
04594143ddcd73055a926e8c8812209f585a2c7f

SHA256
a830880a494e581dde2af758deb49a405b21d50394607267ecd9394de985edc7

SHA512
9f4dbba123d266bfbfa9656edb8723faa3bb832e6e6191dfe69423308a1cd34dcdc600f68f0e90b8c4b09498402e46b50718531eb96e6a72cceb399a212448e3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
470b3230ae533b755ea1fb9ac37fa047

SHA1
3c645065dc9cfcc35fdefd20f7b152a128eeab38

SHA256
e0fe021d3620b71dd8791a4fff3cccdce6a29e9661451b68b35ebceccbec52c7

SHA512
d81ded538069f9701a9dbc9cd497c6c6a3f4d41921a1c2408c728a1ee34e7951bcac3d4a7a875bc4056a7b3725fb3b54ad1bfed00c482a23defc3112c01fbdbf

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
6738b0c960c7ad8c6b2f5756caabce9e

SHA1
c6364f3d944db132209d08eaae8c7cdc198a703b

SHA256
cc32c992ce4d7b7864eabfb1e72d99703ac1790938726783cdef562e3ba7068b

SHA512
606ff03690b954dc456c1d450f70eb722f50cb49b10c4c66e640a395effad2d98b2e630e75b2a7534a2d404b79b825a279f8133ea2391ca3bdedd8a45e28b1f1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
ea3d4b298a36befba19504dea4d44211

SHA1
030c312d7afa348be7e3be5af705724301748be6

SHA256
a5d120cf205a84a1cdb4bf38e534a9376ce8a3e2b61732a4ecea05a57240107e

SHA512
e6e0d8e6c751ada704affa5a8fcc9c1f1f963ee3f4399dd2e2af21f9b8f5a2f32930a90cc07b0a5ef26b199a2289c8c0e7812a8a77e36b82bd51f72ba3239ede

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/640-0-0x00000000750BE000-0x00000000750BF000-memory.dmp

Filesize
4KB

Download
memory/640-7-0x00000000750BE000-0x00000000750BF000-memory.dmp

Filesize
4KB

Download
memory/640-1-0x0000000000EE0000-0x0000000000F4C000-memory.dmp

Filesize
432KB

Download
memory/640-2-0x0000000005FC0000-0x0000000006564000-memory.dmp

Filesize
5.6MB

Download
memory/640-8-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/640-3-0x0000000005950000-0x00000000059E2000-memory.dmp

Filesize
584KB

Download
memory/640-15-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/640-6-0x0000000006670000-0x0000000006682000-memory.dmp

Filesize
72KB

Download
memory/640-4-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/640-5-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/2848-16-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/2848-19-0x00000000068E0000-0x00000000068EA000-memory.dmp

Filesize
40KB

Download
memory/2848-24-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download
memory/2848-17-0x00000000750B0000-0x0000000075860000-memory.dmp

Filesize
7.7MB

Download