quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
295s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (12) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral16/memory/1924-1-0x0000000000EB0000-0x0000000000F1C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 16 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4944	Client.exe
4992	Client.exe
688	Client.exe
1644	Client.exe
2364	Client.exe
4088	Client.exe
1028	Client.exe
872	Client.exe
2432	Client.exe
1512	Client.exe
2408	Client.exe
3836	Client.exe
1640	Client.exe
972	Client.exe
4640	Client.exe
4496	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
25	ip-api.com
36	ip-api.com
15	ip-api.com
17	ip-api.com
22	ip-api.com
13	ip-api.com
9	api.ipify.org
29	ip-api.com
31	ip-api.com
34	ip-api.com
2	ip-api.com
19	ip-api.com
27	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
632	4944	WerFault.exe	Client.exe
1760	4992	WerFault.exe	Client.exe
4372	688	WerFault.exe	Client.exe
5012	1644	WerFault.exe	Client.exe
512	2364	WerFault.exe	Client.exe
5080	4088	WerFault.exe	Client.exe
4940	1028	WerFault.exe	Client.exe
4784	872	WerFault.exe	Client.exe
3256	2432	WerFault.exe	Client.exe
1232	1512	WerFault.exe	Client.exe
4572	2408	WerFault.exe	Client.exe
768	3836	WerFault.exe	Client.exe
5104	1640	WerFault.exe	Client.exe
1940	972	WerFault.exe	Client.exe
1792	4640	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

SCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3780	SCHTASKS.exe
1080	schtasks.exe
2892	schtasks.exe
2312	schtasks.exe
4764	schtasks.exe
3324	schtasks.exe
2244	schtasks.exe
2432	schtasks.exe
5072	schtasks.exe
964	schtasks.exe
3584	schtasks.exe
1384	schtasks.exe
2220	schtasks.exe
4940	schtasks.exe
4556	schtasks.exe
3616	schtasks.exe
2096	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4260	PING.EXE
1644	PING.EXE
584	PING.EXE
1236	PING.EXE
4492	PING.EXE
4276	PING.EXE
4948	PING.EXE
5068	PING.EXE
4920	PING.EXE
3880	PING.EXE
4560	PING.EXE
2244	PING.EXE
5092	PING.EXE
1120	PING.EXE
5068	PING.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

Uni - Copy (12) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1924	Uni - Copy (12) - Copy - Copy.exe
Token: SeDebugPrivilege	4944	Client.exe
Token: SeDebugPrivilege	4992	Client.exe
Token: SeDebugPrivilege	688	Client.exe
Token: SeDebugPrivilege	1644	Client.exe
Token: SeDebugPrivilege	2364	Client.exe
Token: SeDebugPrivilege	4088	Client.exe
Token: SeDebugPrivilege	1028	Client.exe
Token: SeDebugPrivilege	872	Client.exe
Token: SeDebugPrivilege	2432	Client.exe
Token: SeDebugPrivilege	1512	Client.exe
Token: SeDebugPrivilege	2408	Client.exe
Token: SeDebugPrivilege	3836	Client.exe
Token: SeDebugPrivilege	1640	Client.exe
Token: SeDebugPrivilege	972	Client.exe
Token: SeDebugPrivilege	4640	Client.exe
Token: SeDebugPrivilege	4496	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4944	Client.exe
4992	Client.exe
688	Client.exe
1644	Client.exe
2364	Client.exe
4088	Client.exe
1028	Client.exe
872	Client.exe
2432	Client.exe
1512	Client.exe
2408	Client.exe
3836	Client.exe
1640	Client.exe
972	Client.exe
4640	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (12) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1924 wrote to memory of 3616	1924	Uni - Copy (12) - Copy - Copy.exe	schtasks.exe
PID 1924 wrote to memory of 3616	1924	Uni - Copy (12) - Copy - Copy.exe	schtasks.exe
PID 1924 wrote to memory of 3616	1924	Uni - Copy (12) - Copy - Copy.exe	schtasks.exe
PID 1924 wrote to memory of 4944	1924	Uni - Copy (12) - Copy - Copy.exe	Client.exe
PID 1924 wrote to memory of 4944	1924	Uni - Copy (12) - Copy - Copy.exe	Client.exe
PID 1924 wrote to memory of 4944	1924	Uni - Copy (12) - Copy - Copy.exe	Client.exe
PID 1924 wrote to memory of 3780	1924	Uni - Copy (12) - Copy - Copy.exe	SCHTASKS.exe
PID 1924 wrote to memory of 3780	1924	Uni - Copy (12) - Copy - Copy.exe	SCHTASKS.exe
PID 1924 wrote to memory of 3780	1924	Uni - Copy (12) - Copy - Copy.exe	SCHTASKS.exe
PID 4944 wrote to memory of 1080	4944	Client.exe	schtasks.exe
PID 4944 wrote to memory of 1080	4944	Client.exe	schtasks.exe
PID 4944 wrote to memory of 1080	4944	Client.exe	schtasks.exe
PID 4944 wrote to memory of 3012	4944	Client.exe	cmd.exe
PID 4944 wrote to memory of 3012	4944	Client.exe	cmd.exe
PID 4944 wrote to memory of 3012	4944	Client.exe	cmd.exe
PID 3012 wrote to memory of 3052	3012	cmd.exe	chcp.com
PID 3012 wrote to memory of 3052	3012	cmd.exe	chcp.com
PID 3012 wrote to memory of 3052	3012	cmd.exe	chcp.com
PID 3012 wrote to memory of 4920	3012	cmd.exe	PING.EXE
PID 3012 wrote to memory of 4920	3012	cmd.exe	PING.EXE
PID 3012 wrote to memory of 4920	3012	cmd.exe	PING.EXE
PID 3012 wrote to memory of 4992	3012	cmd.exe	Client.exe
PID 3012 wrote to memory of 4992	3012	cmd.exe	Client.exe
PID 3012 wrote to memory of 4992	3012	cmd.exe	Client.exe
PID 4992 wrote to memory of 2244	4992	Client.exe	schtasks.exe
PID 4992 wrote to memory of 2244	4992	Client.exe	schtasks.exe
PID 4992 wrote to memory of 2244	4992	Client.exe	schtasks.exe
PID 4992 wrote to memory of 4724	4992	Client.exe	cmd.exe
PID 4992 wrote to memory of 4724	4992	Client.exe	cmd.exe
PID 4992 wrote to memory of 4724	4992	Client.exe	cmd.exe
PID 4724 wrote to memory of 2844	4724	cmd.exe	chcp.com
PID 4724 wrote to memory of 2844	4724	cmd.exe	chcp.com
PID 4724 wrote to memory of 2844	4724	cmd.exe	chcp.com
PID 4724 wrote to memory of 3880	4724	cmd.exe	PING.EXE
PID 4724 wrote to memory of 3880	4724	cmd.exe	PING.EXE
PID 4724 wrote to memory of 3880	4724	cmd.exe	PING.EXE
PID 4724 wrote to memory of 688	4724	cmd.exe	Client.exe
PID 4724 wrote to memory of 688	4724	cmd.exe	Client.exe
PID 4724 wrote to memory of 688	4724	cmd.exe	Client.exe
PID 688 wrote to memory of 4940	688	Client.exe	schtasks.exe
PID 688 wrote to memory of 4940	688	Client.exe	schtasks.exe
PID 688 wrote to memory of 4940	688	Client.exe	schtasks.exe
PID 688 wrote to memory of 344	688	Client.exe	cmd.exe
PID 688 wrote to memory of 344	688	Client.exe	cmd.exe
PID 688 wrote to memory of 344	688	Client.exe	cmd.exe
PID 344 wrote to memory of 1816	344	cmd.exe	chcp.com
PID 344 wrote to memory of 1816	344	cmd.exe	chcp.com
PID 344 wrote to memory of 1816	344	cmd.exe	chcp.com
PID 344 wrote to memory of 4560	344	cmd.exe	PING.EXE
PID 344 wrote to memory of 4560	344	cmd.exe	PING.EXE
PID 344 wrote to memory of 4560	344	cmd.exe	PING.EXE
PID 344 wrote to memory of 1644	344	cmd.exe	Client.exe
PID 344 wrote to memory of 1644	344	cmd.exe	Client.exe
PID 344 wrote to memory of 1644	344	cmd.exe	Client.exe
PID 1644 wrote to memory of 2892	1644	Client.exe	schtasks.exe
PID 1644 wrote to memory of 2892	1644	Client.exe	schtasks.exe
PID 1644 wrote to memory of 2892	1644	Client.exe	schtasks.exe
PID 1644 wrote to memory of 1288	1644	Client.exe	cmd.exe
PID 1644 wrote to memory of 1288	1644	Client.exe	cmd.exe
PID 1644 wrote to memory of 1288	1644	Client.exe	cmd.exe
PID 1288 wrote to memory of 3616	1288	cmd.exe	chcp.com
PID 1288 wrote to memory of 3616	1288	cmd.exe	chcp.com
PID 1288 wrote to memory of 3616	1288	cmd.exe	chcp.com
PID 1288 wrote to memory of 4492	1288	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3616

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7GCofwvtsWku.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:3052

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4920

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qG3J3hZSGewW.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:2844

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3880

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kNaQQY7YTCzK.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1816

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4560

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TNQvoJl7qKCv.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3616

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4492

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z7HOeolfw2Rt.bat" "
11⤵
PID:2852

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1080

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4948

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ritXWk3H12yZ.bat" "
13⤵
PID:2324

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4468

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2244

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BWdeAcHJIhsX.bat" "
15⤵
PID:4372

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:1072

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4260

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:872

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dPFe1pEZtzvo.bat" "
17⤵
PID:4924

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:1032

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1644

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3nhp6qZloJ4A.bat" "
19⤵
PID:4820

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2512

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:5092

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XCykyb4GERvQ.bat" "
21⤵
PID:3908

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4812

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:5068

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r0ircSIIV6pO.bat" "
23⤵
PID:4412

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:3288

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:584

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3836

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Hhgvdac3CRe.bat" "
25⤵
PID:3784

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:1992

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4276

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\floT0joMnxRC.bat" "
27⤵
PID:3652

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:2488

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1236

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:972

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQEv2zJJ7M2V.bat" "
29⤵
PID:3204

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1772

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:1120

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fcMs7psOMpWS.bat" "
31⤵
PID:1396

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:1588

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:5068

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 1096
31⤵
- Program crash
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 2196
29⤵
- Program crash
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 1092
27⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 1668
25⤵
- Program crash
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 2248
23⤵
- Program crash
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1688
21⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1672
19⤵
- Program crash
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 1092
17⤵
- Program crash
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1092
15⤵
- Program crash
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1092
13⤵
- Program crash
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 2200
11⤵
- Program crash
PID:512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 1636
9⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1608
7⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 2196
5⤵
- Program crash
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1200
3⤵
- Program crash
PID:632

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4944 -ip 4944
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4992 -ip 4992
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 688 -ip 688
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1644 -ip 1644
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2364 -ip 2364
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4088 -ip 4088
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1028 -ip 1028
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 872 -ip 872
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2432 -ip 2432
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1512 -ip 1512
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2408 -ip 2408
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3836 -ip 3836
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1640 -ip 1640
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 972 -ip 972
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4640 -ip 4640
1⤵
PID:2844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2Hhgvdac3CRe.bat
Filesize
207B

MD5
d944ecec0dc7738c0edb89f528cff59e

SHA1
c0c462b53a67d7b6fe276e63644d7604d85c8cf7

SHA256
3a1194492ac545bee511930108e8e73c242873443d5448f7e210515b81758bcf

SHA512
161a1b77e3749f0d7c24e14ef48f654f18c444548c8c29595334392da165736d38355790766bb5b4f50e1c1b4296cc0c91d7182ef64c202c60ce6646577897ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3nhp6qZloJ4A.bat
Filesize
207B

MD5
187f18774235d8c0c20cd3ba44934797

SHA1
0986f85c6f1fdc05e439b4125f0d4238c53e2e63

SHA256
3e764043b9a09fb5b1b26d5bd2972744a31c10a8ffb237194968edbcc48a97a2

SHA512
74f7a440f9d5f13c26d906af995ef90bd210344c31c13b89106057b48d1317df777f5cc31189fe4ab62413f7b9be0b0124974fd5b514149b7ef4ca164d1b1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7GCofwvtsWku.bat
Filesize
207B

MD5
dfec0ac1ece1808dcb5fdc7d05bc9bdf

SHA1
e051a19cf179c5ef8a8c638f0dc30a5e2ebdf3fb

SHA256
4d7209e49fa66dcfe16491dd6ed0572d3313945ca9f16dd8f9d1fdb84459e91c

SHA512
7ab9499b056cf13dca8f7ee391379f3ef736f28f9b0cbb8dceebb6ece6565084d96d122bb120c5297ef534e07b40040260e0dfa2882346f42a4a97db0b4e9490

Download Submit
C:\Users\Admin\AppData\Local\Temp\BWdeAcHJIhsX.bat
Filesize
207B

MD5
c76220ae32a41fa53f9e0d72d199cde6

SHA1
784a27069b13973d511226d66bff53ed34709d84

SHA256
db4fc1948a28b6c22cb4b560527ea84b34be0f0a97a3137d591dec47601b3e2d

SHA512
b71a126dee581c5d6f0e127cef3812dab6adabadbd3a75e1c484c9a2105eef4a0ab83634f0c7d15ea4e1588d443972faf5acdc7a12d930021fcf2ee28513bc93

Download Submit
C:\Users\Admin\AppData\Local\Temp\TNQvoJl7qKCv.bat
Filesize
207B

MD5
d1b685e6acb66e653919dc221f7f4b16

SHA1
a6e11300c9069c99456c1de10123a5871673004b

SHA256
d705f29b06f067628f6051d8b32fb2f6a183540097140e60b1e38fc961a5ef72

SHA512
5bf4e7fb630cf85b0c23e42893ea3b9268819ba6444458915a00e4d5e0632706eeb27dd79dd93c1a2138961c51b7668c4331d993d1a1dc514c9ccf5504ccbb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCykyb4GERvQ.bat
Filesize
207B

MD5
7ca0d3a0614503ec7ab87cadba703d69

SHA1
243129516a609f81f703f6b3e3fde06732458b1f

SHA256
e5fc0817c2df41f2c6485d453ebd50da08eb6da4db5930837cf2e4d33516e7b4

SHA512
3ee959071d063c3918aea00e1cf7403208ea3eadf58d229150f5cb1adef84753575528da88c646e77910a15ec89d414b4e8c04795e603771dc3ff404ee0847bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQEv2zJJ7M2V.bat
Filesize
207B

MD5
f57f078ed759a9af4738ef9d307dd968

SHA1
f756904b4edc698e3ce473bee6a07e5a3a094f0a

SHA256
ba23c6a96c3a2274bf2c7eb632704569400d82fed97da2e8a25b7f58099ef2a4

SHA512
a8b6d412613d8634ef0fe210db14bb6be60f7d87efc633bb755a24fcbaf3cfcb20004faee1585461fc723d5c320976f3846dd37ed86bf6621a993413639119b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dPFe1pEZtzvo.bat
Filesize
207B

MD5
8c2500d32d227758855b203290c214db

SHA1
8bffc60ac70ca90e5005967a5f4d9a5e6dacd051

SHA256
d013b576cc29da716c412a3020eb69ba7eca9676f0115d9a229f2e43e2033c51

SHA512
c179d1597b3eb67fc006ba2959ed76d987fd23236c6792f43642427e14d44e414316034c49711d1a7f06d78d4ecdee1a2b47e440dbd5080d976eff20c74a2e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcMs7psOMpWS.bat
Filesize
207B

MD5
3d723b602d36dbc5cabf30148d3b3927

SHA1
16244daef57b2fad0063f08eec809f60385ebdec

SHA256
8dfd2a4f9e7be0e3d076c65342c55034ca7c5acdc7e98acbebfb148154f2cba4

SHA512
1a3459aa2a949ac34e513fcf74d601af5b7fda2cf1c142f87888b2b16751d722a5690883c6eb1b6accaf8617165f376aef62418c57540a5e996d52062f1c60ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\floT0joMnxRC.bat
Filesize
207B

MD5
3b359322ade70be95ee93d5233cc4da4

SHA1
9a7d19000797f1863828157f88d9e56057805c1c

SHA256
2b8111138c0a1d3d23378437697427efaa39087cdb020ce1544acffb1cf7046f

SHA512
dec084cd7b91cf468ca136a2017f867b9b64f390da3daa7790bbba9b3b368293af139d60a36d71ae9a6dbda133e3e3bd2af97d093f15bad7f193a85d7fdca556

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNaQQY7YTCzK.bat
Filesize
207B

MD5
3d03d86bdc99384ab0743ae36141c5c1

SHA1
37abd84fcff0e5083aeb91c149012a3ce428aba1

SHA256
2417652bd6af07225575659512342f4c99b1d12e7f9bb0b4e3793fc939431209

SHA512
85fa951f529ba5fa58f8f78d6a45dead7c2c98ab39c5c13eee348bafdc07358ce86b031e69385c7769b395946caef7bf9e0e64d84a365038d369fd3f0206f575

Download Submit
C:\Users\Admin\AppData\Local\Temp\qG3J3hZSGewW.bat
Filesize
207B

MD5
dc2d10dcfa11bc064ffb4ce5aa75015f

SHA1
7c17f89742b0cde18ac0e0cf2ae450e35668cb97

SHA256
55ff4bb4504ddaf619a2efddae75234e87942ccaccb090bf0577a747d3634984

SHA512
f17cec990e144f92065295b42e446eb69f4672124654f93f7ca53260450712ea4be21c9f86d47acc07f4f06cfcf470835b6c5547024a337c7cd7273000ba9227

Download Submit
C:\Users\Admin\AppData\Local\Temp\r0ircSIIV6pO.bat
Filesize
207B

MD5
4ace390cb03be6bbc18fc535b779461e

SHA1
287c84679c1e7613e305d9fd29cc150587361cd5

SHA256
18fd75333773f6c0c9c24e6aadc132ba3aa965a8c774e8d5e4e412e63f564dce

SHA512
edd4355fe00375d5e3045024bbf9c4a12a40126321d0be456dc042dfca1459a8485893670d92f0b602f031b99873f597d53dd2d0b22e077e37ec00b46f4c5401

Download Submit
C:\Users\Admin\AppData\Local\Temp\ritXWk3H12yZ.bat
Filesize
207B

MD5
013f843bb8b08562f34940cce5b769f3

SHA1
dfc8a6dcc562787cf59618749d9cba39e3e77bc4

SHA256
191755105482b5931a9b954019e5cfd472a9c67af436d4d38ad363e3908c9ec7

SHA512
76949a5de49e974eb7136808b6c449f6435636821e590e1e4978618f7757674b8c79d772e0bf2d927ea25a537a6af768fb5d776f90a050f142f3555a8237a018

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7HOeolfw2Rt.bat
Filesize
207B

MD5
0567590aea33a728301f29014aa9a633

SHA1
0638d43fba7743d2269c9e2cf4e3d573f090d977

SHA256
8e433cf1f7fb70dee8cd8cb0b062e596bb0b770bec325deb26ae9c528f8f5d9c

SHA512
49e14fbfb6faf701764ecfea8aca41ec2ec49559e7a668e8f6a8b6a0bf027d355628c450160a167d30f9b75081a79a42b025584f0ffd688b900f65ab19372101

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
f441f876b641f662979ee61e06353aec

SHA1
6f58e92806b7e1b7587d75f8bac41bb8dd29756b

SHA256
e9e1812399c3b67063fd0c900f3075562f5e83dafd322d4b2f40a160415d9e20

SHA512
85acd71c5c360268b8e3d479db7652bccbd4e4737dd2f077b6787348ed2d3bc0965da00616779116d69e5d97683d98fa8567ff33393a98d65c6faa8454e71b27

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
b4fa6bc75f439fa020cbaa149f3a086c

SHA1
39c5e35bbbf8a42372ac203d8f136b7972f2655f

SHA256
2e8b1dcd2fcce77508d8232489bbc0afde310177c37d8a4e416ba343c7a8fb8b

SHA512
0b8a68f9dbd5de769c6ae0a7932bd23661e1f8641f0528d8f71466d5ee98ada2ab36263bf373d6c64bc1bb275fc48391456dc7761e2b01aebca08a6eb717f9ae

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
5a55355d24091ad683ced0c1825eebaa

SHA1
5e159d46537ce1818ef3b323f5e8a6d26caaf088

SHA256
484e2a9c890fc5e9c9c1f817fd777e5526c6ebded498cc992b7d4a47398479e1

SHA512
b586d8adf48525cf41c81c917dac21ddd360f5cb6a9ee54e50aae87ef09cd21dc549a9859e755ec8f8014e16f9fc25113059bedb8be3426ed63b34bf4830673b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
7e9027e933e4326539614b8e76acd364

SHA1
8dceab2516270f0d393526fd3dcb52fed22a82a0

SHA256
f71e2a3207068ae1d7017025efb834c0462fd0e2fa3b9e982234428c65a72dc8

SHA512
fc3ea417284e635b4d7ea2b05cd1acd0e11e3bb6b047fc440a524c184a2f8cce1b1582db67fd66dadde487ee9da1c161ade5351ea5977fa59f30e9ef9f417053

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
5fb0ea6c43acf982f9fc694fb873addd

SHA1
caff8af2cc30ff4c702047d09679b2d907a7d56c

SHA256
34de238b4102e7fba852f10092ad02bf0aebf83a1445416fed7846637bea6ff3

SHA512
acaee88dc8f34b70152448ed09f0c2f7936a2da58344fa85d7270971b18dfa1c11cd2c1d39e9550f501ac57e631968dc6a802bd4c9a604fa40827c219155820d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
1f2df5636bfa24776c47e681b09d9c6b

SHA1
c5cfd8ed4aff00f6a980c96b7bc700f77c868baa

SHA256
0ce708f309930092b2097376c0f482bcf3b972b18f7f54c60022f819d57ea96a

SHA512
f1866836f98cf9f29c0e2f29062612da2b5c8fbf7efee06b80aee083593e3365b8e5424c00fa6d5b369b734990e8bc60ba5c39aa1fd194d5c439896d05e4aef9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
41eabc78f57712064f3f3fd258e9281c

SHA1
bb22cbae4b054c6c26bd775b066f99362b8e7653

SHA256
95d7d8445951eec3c5e2ad80f905ea0da430a92569dd79b49a35e5391b11f293

SHA512
4c4dd067868606d7017ff1ecbc0be75392416a56ac88a44523f48c8230dfb2b0d9060c0d2090a94eea1711c8eb5467a29b8a76e58a16d3d3ffdcaccaa3cef47e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
084768f2bc752c4a575221043b0d02b4

SHA1
3f6f34ca1f5e3b77f191c4d45f0d7d8ca9fd299b

SHA256
220273e49a2d850d08269df66d5c6f3a809b46051368af68d353ae384000c8e3

SHA512
20fa6588fbdd43fe9a147a1f27dd3536c94f1ebbc5b45bc12e31cf5a4d6f9b498cb0e0056581ce2f42856fa869dc80f5e832b076125c6e15bd41559c6aa40a68

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1924-5-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/1924-4-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1924-16-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1924-1-0x0000000000EB0000-0x0000000000F1C000-memory.dmp

Filesize
432KB

Download
memory/1924-2-0x0000000005F80000-0x0000000006524000-memory.dmp

Filesize
5.6MB

Download
memory/1924-3-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/1924-8-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/1924-7-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download
memory/1924-6-0x0000000006650000-0x0000000006662000-memory.dmp

Filesize
72KB

Download
memory/1924-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download
memory/4944-15-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-24-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-19-0x00000000067B0000-0x00000000067BA000-memory.dmp

Filesize
40KB

Download
memory/4944-17-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download