quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
296s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (12) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral14/memory/3664-1-0x0000000000940000-0x00000000009AC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
3984	Client.exe
972	Client.exe
3324	Client.exe
2832	Client.exe
5112	Client.exe
1292	Client.exe
2168	Client.exe
2736	Client.exe
1308	Client.exe
1456	Client.exe
1292	Client.exe
4480	Client.exe
5104	Client.exe
4148	Client.exe
732	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
23	ip-api.com
27	ip-api.com
29	ip-api.com
2	ip-api.com
15	ip-api.com
17	ip-api.com
21	ip-api.com
19	ip-api.com
33	ip-api.com
8	api.ipify.org
25	ip-api.com
13	ip-api.com
31	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3344	3984	WerFault.exe	Client.exe
3708	972	WerFault.exe	Client.exe
4544	3324	WerFault.exe	Client.exe
4216	2832	WerFault.exe	Client.exe
836	5112	WerFault.exe	Client.exe
4332	1292	WerFault.exe	Client.exe
1604	2168	WerFault.exe	Client.exe
3532	2736	WerFault.exe	Client.exe
4700	1308	WerFault.exe	Client.exe
5028	1456	WerFault.exe	Client.exe
244	1292	WerFault.exe	Client.exe
2912	4480	WerFault.exe	Client.exe
2684	5104	WerFault.exe	Client.exe
4956	4148	WerFault.exe	Client.exe
960	732	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
964	schtasks.exe
2848	schtasks.exe
3120	schtasks.exe
3172	SCHTASKS.exe
3916	schtasks.exe
4628	schtasks.exe
1452	schtasks.exe
4760	schtasks.exe
4412	schtasks.exe
3632	schtasks.exe
4584	schtasks.exe
964	schtasks.exe
4704	schtasks.exe
1656	schtasks.exe
5040	schtasks.exe
3076	schtasks.exe
2644	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
5056	PING.EXE
3164	PING.EXE
4556	PING.EXE
4364	PING.EXE
2092	PING.EXE
2932	PING.EXE
2988	PING.EXE
752	PING.EXE
1640	PING.EXE
5076	PING.EXE
4712	PING.EXE
2420	PING.EXE
1376	PING.EXE
4728	PING.EXE
1320	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (12) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3664	Uni - Copy (12) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	3984	Client.exe
Token: SeDebugPrivilege	972	Client.exe
Token: SeDebugPrivilege	3324	Client.exe
Token: SeDebugPrivilege	2832	Client.exe
Token: SeDebugPrivilege	5112	Client.exe
Token: SeDebugPrivilege	1292	Client.exe
Token: SeDebugPrivilege	2168	Client.exe
Token: SeDebugPrivilege	2736	Client.exe
Token: SeDebugPrivilege	1308	Client.exe
Token: SeDebugPrivilege	1456	Client.exe
Token: SeDebugPrivilege	1292	Client.exe
Token: SeDebugPrivilege	4480	Client.exe
Token: SeDebugPrivilege	5104	Client.exe
Token: SeDebugPrivilege	4148	Client.exe
Token: SeDebugPrivilege	732	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
3984	Client.exe
972	Client.exe
3324	Client.exe
2832	Client.exe
5112	Client.exe
1292	Client.exe
2168	Client.exe
2736	Client.exe
1308	Client.exe
1456	Client.exe
1292	Client.exe
4480	Client.exe
5104	Client.exe
4148	Client.exe
732	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (12) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3664 wrote to memory of 2644	3664	Uni - Copy (12) - Copy - Copy - Copy.exe	schtasks.exe
PID 3664 wrote to memory of 2644	3664	Uni - Copy (12) - Copy - Copy - Copy.exe	schtasks.exe
PID 3664 wrote to memory of 2644	3664	Uni - Copy (12) - Copy - Copy - Copy.exe	schtasks.exe
PID 3664 wrote to memory of 3984	3664	Uni - Copy (12) - Copy - Copy - Copy.exe	Client.exe
PID 3664 wrote to memory of 3984	3664	Uni - Copy (12) - Copy - Copy - Copy.exe	Client.exe
PID 3664 wrote to memory of 3984	3664	Uni - Copy (12) - Copy - Copy - Copy.exe	Client.exe
PID 3664 wrote to memory of 3172	3664	Uni - Copy (12) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3664 wrote to memory of 3172	3664	Uni - Copy (12) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3664 wrote to memory of 3172	3664	Uni - Copy (12) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3984 wrote to memory of 964	3984	Client.exe	schtasks.exe
PID 3984 wrote to memory of 964	3984	Client.exe	schtasks.exe
PID 3984 wrote to memory of 964	3984	Client.exe	schtasks.exe
PID 3984 wrote to memory of 4324	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 4324	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 4324	3984	Client.exe	cmd.exe
PID 4324 wrote to memory of 1292	4324	cmd.exe	chcp.com
PID 4324 wrote to memory of 1292	4324	cmd.exe	chcp.com
PID 4324 wrote to memory of 1292	4324	cmd.exe	chcp.com
PID 4324 wrote to memory of 4712	4324	cmd.exe	PING.EXE
PID 4324 wrote to memory of 4712	4324	cmd.exe	PING.EXE
PID 4324 wrote to memory of 4712	4324	cmd.exe	PING.EXE
PID 4324 wrote to memory of 972	4324	cmd.exe	Client.exe
PID 4324 wrote to memory of 972	4324	cmd.exe	Client.exe
PID 4324 wrote to memory of 972	4324	cmd.exe	Client.exe
PID 972 wrote to memory of 4584	972	Client.exe	schtasks.exe
PID 972 wrote to memory of 4584	972	Client.exe	schtasks.exe
PID 972 wrote to memory of 4584	972	Client.exe	schtasks.exe
PID 972 wrote to memory of 1732	972	Client.exe	cmd.exe
PID 972 wrote to memory of 1732	972	Client.exe	cmd.exe
PID 972 wrote to memory of 1732	972	Client.exe	cmd.exe
PID 1732 wrote to memory of 4072	1732	cmd.exe	chcp.com
PID 1732 wrote to memory of 4072	1732	cmd.exe	chcp.com
PID 1732 wrote to memory of 4072	1732	cmd.exe	chcp.com
PID 1732 wrote to memory of 5056	1732	cmd.exe	PING.EXE
PID 1732 wrote to memory of 5056	1732	cmd.exe	PING.EXE
PID 1732 wrote to memory of 5056	1732	cmd.exe	PING.EXE
PID 1732 wrote to memory of 3324	1732	cmd.exe	Client.exe
PID 1732 wrote to memory of 3324	1732	cmd.exe	Client.exe
PID 1732 wrote to memory of 3324	1732	cmd.exe	Client.exe
PID 3324 wrote to memory of 3632	3324	Client.exe	schtasks.exe
PID 3324 wrote to memory of 3632	3324	Client.exe	schtasks.exe
PID 3324 wrote to memory of 3632	3324	Client.exe	schtasks.exe
PID 3324 wrote to memory of 1668	3324	Client.exe	cmd.exe
PID 3324 wrote to memory of 1668	3324	Client.exe	cmd.exe
PID 3324 wrote to memory of 1668	3324	Client.exe	cmd.exe
PID 1668 wrote to memory of 2988	1668	cmd.exe	chcp.com
PID 1668 wrote to memory of 2988	1668	cmd.exe	chcp.com
PID 1668 wrote to memory of 2988	1668	cmd.exe	chcp.com
PID 1668 wrote to memory of 2092	1668	cmd.exe	PING.EXE
PID 1668 wrote to memory of 2092	1668	cmd.exe	PING.EXE
PID 1668 wrote to memory of 2092	1668	cmd.exe	PING.EXE
PID 1668 wrote to memory of 2832	1668	cmd.exe	Client.exe
PID 1668 wrote to memory of 2832	1668	cmd.exe	Client.exe
PID 1668 wrote to memory of 2832	1668	cmd.exe	Client.exe
PID 2832 wrote to memory of 4628	2832	Client.exe	schtasks.exe
PID 2832 wrote to memory of 4628	2832	Client.exe	schtasks.exe
PID 2832 wrote to memory of 4628	2832	Client.exe	schtasks.exe
PID 2832 wrote to memory of 1936	2832	Client.exe	cmd.exe
PID 2832 wrote to memory of 1936	2832	Client.exe	cmd.exe
PID 2832 wrote to memory of 1936	2832	Client.exe	cmd.exe
PID 1936 wrote to memory of 4228	1936	cmd.exe	chcp.com
PID 1936 wrote to memory of 4228	1936	cmd.exe	chcp.com
PID 1936 wrote to memory of 4228	1936	cmd.exe	chcp.com
PID 1936 wrote to memory of 2932	1936	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2644

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqDMB2sDAm0C.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1292

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4712

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u51Z8TcVFNH0.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4072

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:5056

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UY6mAXKLtvDt.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:2988

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2092

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2xRUKPhQ7ZSD.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4228

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2932

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5112

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hm9pNGRDXvrU.bat" "
11⤵
PID:4956

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:5044

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3164

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KiC2aisRgczS.bat" "
13⤵
PID:2376

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4652

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2420

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQHXFUDu7r3E.bat" "
15⤵
PID:3672

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:2520

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2988

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1LV0fBUoklUJ.bat" "
17⤵
PID:4664

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:1624

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1376

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QfDfszUEEBy5.bat" "
19⤵
PID:4356

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:4740

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:752

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u4UakkzkeJpL.bat" "
21⤵
PID:2668

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:220

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4556

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7IXdxT6cIJTw.bat" "
23⤵
PID:3548

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:1852

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4364

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xgzo2TRoCddI.bat" "
25⤵
PID:1880

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2216

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4728

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUjvgLfpTJXG.bat" "
27⤵
PID:3936

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:2892

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1320

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIU2KDtrkyRE.bat" "
29⤵
PID:536

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1328

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:5076

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:732

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:3916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoEIznREWKpb.bat" "
31⤵
PID:5028

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:2708

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1688
31⤵
- Program crash
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 1684
29⤵
- Program crash
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 1096
27⤵
- Program crash
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2200
25⤵
- Program crash
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1708
23⤵
- Program crash
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1712
21⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1668
19⤵
- Program crash
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1708
17⤵
- Program crash
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1084
15⤵
- Program crash
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1692
13⤵
- Program crash
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 2200
11⤵
- Program crash
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1076
9⤵
- Program crash
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 1088
7⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1092
5⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 2220
3⤵
- Program crash
PID:3344

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3984 -ip 3984
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 972 -ip 972
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3324 -ip 3324
1⤵
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2832 -ip 2832
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5112 -ip 5112
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1292 -ip 1292
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2168 -ip 2168
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2736 -ip 2736
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1308 -ip 1308
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1456 -ip 1456
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1292 -ip 1292
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4480 -ip 4480
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5104 -ip 5104
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4148 -ip 4148
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 732 -ip 732
1⤵
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1LV0fBUoklUJ.bat
Filesize
207B

MD5
ad239f8532211491ec909434108930d8

SHA1
a77bd3460e8604bb783ce43d65f1951d1abdfa55

SHA256
9776546a2ce939ce5d7c8a4b8fded284f4f74e53e7085f2a281c7a0a09021bde

SHA512
8e17e1e311b525be58148437c830d129e0d8efb02666cca136fb381568dcd684ce1283ce4e956af6a6c36b9d70198b207c943ec9c85a45377926a85215c6edae

Download Submit
C:\Users\Admin\AppData\Local\Temp\2xRUKPhQ7ZSD.bat
Filesize
207B

MD5
db4f4cdcab8db7f3832c85618ce732f3

SHA1
52a6852aa4b7a77e0f38b84224f6ce5ad058d08f

SHA256
cf38bb7cdb980c731bc6b7b8ff242dd1c6880f5b786beee58b53ed85c62a0594

SHA512
d9494e72d6ef819ad76ef8797221698d173948efb78dee3be6900aa4e2e96fdc8484c2fafd92bd758420394eb98ac0c5f615424a5f05b8d0d89155697ff250f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7IXdxT6cIJTw.bat
Filesize
207B

MD5
7a80df2e2bc935a2508cda17d791f89c

SHA1
71249f294763bfd73ce17671c4c33575b14c1af3

SHA256
871810ed7779c11df346ee0ce417861c5141236b9185169b61c38929d3e8faeb

SHA512
a2d6b411fc01979eb787bbce59dd350512b878b02d52a33eb828290615d8111e44eb23f7646bf6a22e72910bf0b441606d8409d150d9fde79fe411b89312019e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BIU2KDtrkyRE.bat
Filesize
207B

MD5
18aa3f6254eb97b195a1113681c9c89b

SHA1
d954717d226673a0690e7ffa9de30832429db554

SHA256
1ae158f90df3253b1a0687a518b9f51409f14e7c1feeff85332903ace0de5f8d

SHA512
0e8d591181d8a3b21fcf8688fc6c0be1bdb86afaaf798da1ef9e8438ecbfaf3c5c8239366863f3745b8a0a73a66057759399c9997b4ed605091f5dd9873e5685

Download Submit
C:\Users\Admin\AppData\Local\Temp\KiC2aisRgczS.bat
Filesize
207B

MD5
ca754ac2cddd63fef9feb029a55a9a09

SHA1
e2ae36d4736c68d158065338588f31bd7c65af32

SHA256
819209d396599bbc3431d6234759a56b74a0caefeb390a290ea5f22b0044b208

SHA512
3da4a7578de0aff120ee24be56de91f17fd914d41299831c8bd70c858fc957c243732f715c9dbe83cabd2fa3d32bddfb07f20ae12377c111138ea539cb86cd14

Download Submit
C:\Users\Admin\AppData\Local\Temp\QfDfszUEEBy5.bat
Filesize
207B

MD5
3c5ee841fb936aba189f78bb7e060b89

SHA1
ab693632a08525dff05f223c04581e34546a1f26

SHA256
d8aa3433983b0dff4afcdf85b833973e573ff17ebeaccd5cd172b4ce68e32e4a

SHA512
023a635b982c8fccc84e8860ef63056e7b986140490c9b61d1faecd521b8e8c968973ad2ebd2943ad05630cd25e30713bc1a47a1a49fe7de1c1b588e0251a40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RQHXFUDu7r3E.bat
Filesize
207B

MD5
3a1e261bb5f93cf8b753814a662903cd

SHA1
3b7055af2586ef578578da49b64841203021187e

SHA256
8d54fc5e1d89a01951064f8bea425a65d0b81d272ac9bf39191ddbe5f9e94653

SHA512
85bafafdf6f07ccec1c0e6acc1c1791fc951750bb683024e36827023681099b28605b102e8e1e4c3393430b2133ed8cbdf0cee62e468c877ba354f4d78ec42da

Download Submit
C:\Users\Admin\AppData\Local\Temp\UY6mAXKLtvDt.bat
Filesize
207B

MD5
2c5485fad0e92641163a23e4e06b4ab9

SHA1
a3fc4452e934431bc47af6b34af59409a992ab3d

SHA256
9990a4619ecd97ffffe57822426f7ef262f0655eb7283d646b06e359a273d5a8

SHA512
be51ae744dcb65f3f0806f3e42c419cee1d579feed368bafedef10d1b0741db370d0aa0ed42af7ffe1c95d1acaa76f60bad26061073474d49053cc2a3c8bf025

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xgzo2TRoCddI.bat
Filesize
207B

MD5
341f1a34f1bb0bb74cfdffc83c6aafec

SHA1
dd9388b1f9757974196e29d14d8ccf22e5f53ff3

SHA256
75db160efab312251dc0f4946daf3b0a4a4564a76b948ccc3a1f7f0c3ace4b28

SHA512
1f4fff59de7d64a7d3b7d5402f1c14c36e31a0d3b517d8cf133cbf8f9675589e070d0a978e04fa2e841fed6759dc3d6a54e7decabc3b471ad8575c7ab4ec325a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hm9pNGRDXvrU.bat
Filesize
207B

MD5
fcffa554d2c517fcf1801ea0612fb2ae

SHA1
3c6fdeeac15525406a9b1e54eefff95a9fa2eab9

SHA256
3cedd5a31c24bdcbdb9784e66cba8ce1995cdae1902c7817b09543284e9f7905

SHA512
32f1afb84108ef093752a390af0f8719a639290789313a1bfc1aec6a8846490d909e97faa62a385abf2a67b537da8b25530fce6256204b6c949c59962ca3dc04

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqDMB2sDAm0C.bat
Filesize
207B

MD5
8753cb27f2f9dfc44a5a5ddc3add85eb

SHA1
57cf5c53888ba662e2c7f075fdbaa3902e55956c

SHA256
41f827fbf96ab53efce03642d78677e9b6592d2a73b5375882384b8ea673455a

SHA512
ccea575f7bfdb7db9c4391adbafce2d84b94631432bd421516ee8c387f70b9b2049fe1d3384ba798b037d7621c036bdecc12bf4a88c921363584783ddc5ee4b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUjvgLfpTJXG.bat
Filesize
207B

MD5
f2df2a4f6b5cce23c820f5243a7f7f4a

SHA1
4f9697ee4230f13f88d78ff6fa2ba9412bdcead5

SHA256
40f01deff79b74b7d157e3c1caf1a067963bfdc2d1b8211a88cd98c398a0ca26

SHA512
00f597942528cbf8b152ff19505992db9ba21a254729c5242e7fea5e09b9c6b182d0457dcd9b3b241ba9cddebec3574785954b96d1eecbb71fb0d75fb425ec1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4UakkzkeJpL.bat
Filesize
207B

MD5
e3c852221c9566ccfb721acd66942c86

SHA1
328e1f95114fc9c0f2dc388dcf41f68f0704ac61

SHA256
d95246ba89b0045454bcaafcfe2eebe61f1055daec17fd0c4a8bcbaeaf765f60

SHA512
3d00b8540f792e8616843623b92b9e70d3bc8bdaa3ef641c1cb0196cad6fd0cb68251b6cf0eb1d17af55c6e0a982879e6086a525f5e6986386080fc9d98cf503

Download Submit
C:\Users\Admin\AppData\Local\Temp\u51Z8TcVFNH0.bat
Filesize
207B

MD5
1caf9e99192dec734f7a9fc1004ae45c

SHA1
cdf72fa27885ceef980e52ba715a69e019d292cd

SHA256
efacf43c3587f26f890e363d8cc895895c75b86853852d440a03e7c45e91b83f

SHA512
1aa2d87bed8970aa0b4728e0e64f51052e4c5da43f772df8835da8c155269c6baaa3c2a8dc330195c5cef8985fd6f6456726351115497f389525b93d254bbe53

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoEIznREWKpb.bat
Filesize
207B

MD5
c65bbf2baf10e696a8d1c3c5d8b64ab3

SHA1
2c924f297e0b1fd3f43ffb43ea5bbac85700ede1

SHA256
57491a77bb18b7cfa837c7fa6003f92ba77b96e4d0eae43d0b82fc8cda5cd23e

SHA512
d45958e46e7283574d906556c40446bd75b21ad610f897ca62861966b2f2a778142654031ac9fa82abeafc34d048e51a2c14f831059d407563a810a7b19b2f20

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
275650efdc39e9dbe8caeb6d3d4a26ae

SHA1
f18cbd9811d406ce982aa532e96e39ba8b8f9927

SHA256
e181c307f566beb1c6433b04e3921724ec1787cbf30a7a3769887d7ad70378ec

SHA512
ae2ea792d98a46a13af06f6df25376c5d4d035d6d3269d1e997e52937c27114f5faa25c1a77f9b6a8f8f8618d2acbe3470ab1d1cb8bf375f3b9023aa708b0cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c27558994d1d2c9991aacf3f54ac4a8f

SHA1
c6558796cb6b0e3fe9798a7924bb1d6edf5942ef

SHA256
01ca0893da6078e24950d9f45187c24e1af578dc2a0455a467eaf7d2f8cb3fe9

SHA512
6e910a3ddbac2f4603e44a4f43797ff86287c7d4cf4006401faf339cade9ffb89a80195d69100f82c56357243433bdfffe31c9aa7e663f637b85b705e1521ce6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
28a2b9fab00c6ef72f77f42ce568f547

SHA1
51ad8012461bad000018d05477a72c79f8796c49

SHA256
4a7e50a33d1a6b493e27db8ba674567e3855fc21f120f0a59f0bd3532da38503

SHA512
193f6f1a0b0887920bbd9241c0c83705e1aad6bf1f10d65e3704dc87af38074aaf3e1f4a6f08295b47259325d74f7ec71627f3d7bf6b4eb594129385e176808c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
8f272f94562f1a9ac09da0116f3631bc

SHA1
6e2a9315bc529c3b7876f5fa79a188aa574f52da

SHA256
233c8f3fc183a90d4a0da9a747945887901853de5c3ce542040e49ebfcfca7a0

SHA512
410c19b116cb1e99311c3a32d9472f80cadab3b46aa28997b970a565988125b008efe5078b0a272a01f390bd4ac3021bdbf9e7cae018dab6ba6023d9e5e2f88d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
6001f0bcffaf4135834edad4f9942c11

SHA1
1148fc38f0f492df8abca8b635df275fc3e8e62e

SHA256
a6b856700991d9f7af7432a51738ac7c93381f38ac2305a5f3f9a2340009dbc6

SHA512
d7b0400e29e8a25b2476dfdb1bda0448d8548535f3900287908f27c7b9f7a1cd976eac205019a92022df74676c54bc653b6d15106647f5854df3f18ebcb69446

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
fa3846b520ca51ea5e12b173f3789446

SHA1
f33efc7b314e31fde7b85a8c8dffa312543e6824

SHA256
b4b38fbbd572e1dfceb5c355063e599bedca74b5cc435b0511672f01fb8cc131

SHA512
beda2f6dcf4178dbfa569966b03dcea18da0626fc5a3c6b8da9036ce115575bf65cd998da37cf39065e04b8d82b309d5850bb0af786fff334e9580e4fb24f47f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
cd4019bc32731b3a6893dd86630ee63b

SHA1
41bc51267789a1dce8b6647a59b983d7d65971b9

SHA256
13c04e19eb763f716aa2fef4ce0e41ff5de99af16b99961f1fc5ea820e1718d5

SHA512
ea524a5ce3609195790927858c8ba57a1f6aa1adc614968dd1dffa60bcb174ace6aa3240c07ee3f6b6747dd7d49d4982d9bcbf6bf354e35acd6308ba22ca3ddd

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
5cfdac76a2624c4f0d487f05d0bd3d44

SHA1
5f336cbdcb7d4711e2c699336935f2100768aa83

SHA256
6b36d7a32ab9141424f9acd7c73260c9d4b0273e9565a169535bd5c2740922eb

SHA512
eecf8e555dd74001e7863eae50eaa5a9da2ae543a07ab3d26a9ac524a36151d50c5034f5ffe4c7eb1ce5e7d2ffdb8356ab4f45a75c4fffe407ecb24f16a76afb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
6251e8a98f8f7ded4e4fc3a01446acc4

SHA1
79fad1597b4dbff16ddc459c5f2b770c87145440

SHA256
a64a3f74793e5fa002bf6f24dc3a5287914cc30df884c7354ff00326dce7b9b0

SHA512
0126dbc6f089dd2782a28ca514a95fc8d843aaf0440e2717103f0596055c662b3f403b2915699cb95279f73dc4741a7bb00c2309cee54300710ade34df973aa4

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/3664-16-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/3664-2-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/3664-3-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/3664-5-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/3664-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

Filesize
4KB

Download
memory/3664-1-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download
memory/3664-4-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/3664-8-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/3664-6-0x00000000058B0000-0x00000000058C2000-memory.dmp

Filesize
72KB

Download
memory/3664-7-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

Filesize
4KB

Download
memory/3984-15-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/3984-24-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download
memory/3984-19-0x00000000064F0000-0x00000000064FA000-memory.dmp

Filesize
40KB

Download
memory/3984-17-0x0000000074C00000-0x00000000753B0000-memory.dmp

Filesize
7.7MB

Download