quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
297s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (10) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4024-1-0x0000000000BB0000-0x0000000000C1C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2300	Client.exe
5068	Client.exe
2236	Client.exe
1316	Client.exe
4272	Client.exe
1376	Client.exe
2752	Client.exe
1836	Client.exe
4760	Client.exe
3788	Client.exe
2432	Client.exe
3980	Client.exe
432	Client.exe
2912	Client.exe
32	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
25	ip-api.com
27	ip-api.com
29	ip-api.com
20	ip-api.com
37	ip-api.com
3	ip-api.com
16	ip-api.com
32	ip-api.com
35	ip-api.com
39	ip-api.com
12	api.ipify.org
18	ip-api.com
22	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3796	2300	WerFault.exe	Client.exe
4932	5068	WerFault.exe	Client.exe
2672	2236	WerFault.exe	Client.exe
924	1316	WerFault.exe	Client.exe
4752	4272	WerFault.exe	Client.exe
1720	1376	WerFault.exe	Client.exe
904	2752	WerFault.exe	Client.exe
4420	1836	WerFault.exe	Client.exe
2364	4760	WerFault.exe	Client.exe
1248	3788	WerFault.exe	Client.exe
3340	2432	WerFault.exe	Client.exe
3388	3980	WerFault.exe	Client.exe
3184	432	WerFault.exe	Client.exe
4676	2912	WerFault.exe	Client.exe
4492	32	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exe

pid	process
2508	schtasks.exe
968	schtasks.exe
3748	schtasks.exe
4240	schtasks.exe
4912	schtasks.exe
1748	schtasks.exe
3112	schtasks.exe
1576	schtasks.exe
3468	schtasks.exe
1228	schtasks.exe
4656	schtasks.exe
3104	schtasks.exe
3644	schtasks.exe
3644	schtasks.exe
4648	schtasks.exe
2016	SCHTASKS.exe
1908	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3200	PING.EXE
564	PING.EXE
1316	PING.EXE
920	PING.EXE
4404	PING.EXE
3116	PING.EXE
3472	PING.EXE
2512	PING.EXE
3580	PING.EXE
2516	PING.EXE
3208	PING.EXE
3876	PING.EXE
4936	PING.EXE
2280	PING.EXE
4916	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (10) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4024	Uni - Copy (10) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	2300	Client.exe
Token: SeDebugPrivilege	5068	Client.exe
Token: SeDebugPrivilege	2236	Client.exe
Token: SeDebugPrivilege	1316	Client.exe
Token: SeDebugPrivilege	4272	Client.exe
Token: SeDebugPrivilege	1376	Client.exe
Token: SeDebugPrivilege	2752	Client.exe
Token: SeDebugPrivilege	1836	Client.exe
Token: SeDebugPrivilege	4760	Client.exe
Token: SeDebugPrivilege	3788	Client.exe
Token: SeDebugPrivilege	2432	Client.exe
Token: SeDebugPrivilege	3980	Client.exe
Token: SeDebugPrivilege	432	Client.exe
Token: SeDebugPrivilege	2912	Client.exe
Token: SeDebugPrivilege	32	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2300	Client.exe
5068	Client.exe
2236	Client.exe
1316	Client.exe
4272	Client.exe
1376	Client.exe
2752	Client.exe
1836	Client.exe
4760	Client.exe
3788	Client.exe
2432	Client.exe
3980	Client.exe
432	Client.exe
2912	Client.exe
32	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (10) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4024 wrote to memory of 4912	4024	Uni - Copy (10) - Copy - Copy - Copy.exe	schtasks.exe
PID 4024 wrote to memory of 4912	4024	Uni - Copy (10) - Copy - Copy - Copy.exe	schtasks.exe
PID 4024 wrote to memory of 4912	4024	Uni - Copy (10) - Copy - Copy - Copy.exe	schtasks.exe
PID 4024 wrote to memory of 2300	4024	Uni - Copy (10) - Copy - Copy - Copy.exe	Client.exe
PID 4024 wrote to memory of 2300	4024	Uni - Copy (10) - Copy - Copy - Copy.exe	Client.exe
PID 4024 wrote to memory of 2300	4024	Uni - Copy (10) - Copy - Copy - Copy.exe	Client.exe
PID 4024 wrote to memory of 2016	4024	Uni - Copy (10) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4024 wrote to memory of 2016	4024	Uni - Copy (10) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4024 wrote to memory of 2016	4024	Uni - Copy (10) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2300 wrote to memory of 1748	2300	Client.exe	schtasks.exe
PID 2300 wrote to memory of 1748	2300	Client.exe	schtasks.exe
PID 2300 wrote to memory of 1748	2300	Client.exe	schtasks.exe
PID 2300 wrote to memory of 2892	2300	Client.exe	cmd.exe
PID 2300 wrote to memory of 2892	2300	Client.exe	cmd.exe
PID 2300 wrote to memory of 2892	2300	Client.exe	cmd.exe
PID 2892 wrote to memory of 2088	2892	cmd.exe	chcp.com
PID 2892 wrote to memory of 2088	2892	cmd.exe	chcp.com
PID 2892 wrote to memory of 2088	2892	cmd.exe	chcp.com
PID 2892 wrote to memory of 3116	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 3116	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 3116	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 5068	2892	cmd.exe	Client.exe
PID 2892 wrote to memory of 5068	2892	cmd.exe	Client.exe
PID 2892 wrote to memory of 5068	2892	cmd.exe	Client.exe
PID 5068 wrote to memory of 3748	5068	Client.exe	schtasks.exe
PID 5068 wrote to memory of 3748	5068	Client.exe	schtasks.exe
PID 5068 wrote to memory of 3748	5068	Client.exe	schtasks.exe
PID 5068 wrote to memory of 1984	5068	Client.exe	cmd.exe
PID 5068 wrote to memory of 1984	5068	Client.exe	cmd.exe
PID 5068 wrote to memory of 1984	5068	Client.exe	cmd.exe
PID 1984 wrote to memory of 4516	1984	cmd.exe	chcp.com
PID 1984 wrote to memory of 4516	1984	cmd.exe	chcp.com
PID 1984 wrote to memory of 4516	1984	cmd.exe	chcp.com
PID 1984 wrote to memory of 4916	1984	cmd.exe	PING.EXE
PID 1984 wrote to memory of 4916	1984	cmd.exe	PING.EXE
PID 1984 wrote to memory of 4916	1984	cmd.exe	PING.EXE
PID 1984 wrote to memory of 2236	1984	cmd.exe	Client.exe
PID 1984 wrote to memory of 2236	1984	cmd.exe	Client.exe
PID 1984 wrote to memory of 2236	1984	cmd.exe	Client.exe
PID 2236 wrote to memory of 4240	2236	Client.exe	schtasks.exe
PID 2236 wrote to memory of 4240	2236	Client.exe	schtasks.exe
PID 2236 wrote to memory of 4240	2236	Client.exe	schtasks.exe
PID 2236 wrote to memory of 4844	2236	Client.exe	cmd.exe
PID 2236 wrote to memory of 4844	2236	Client.exe	cmd.exe
PID 2236 wrote to memory of 4844	2236	Client.exe	cmd.exe
PID 4844 wrote to memory of 4332	4844	cmd.exe	chcp.com
PID 4844 wrote to memory of 4332	4844	cmd.exe	chcp.com
PID 4844 wrote to memory of 4332	4844	cmd.exe	chcp.com
PID 4844 wrote to memory of 4936	4844	cmd.exe	PING.EXE
PID 4844 wrote to memory of 4936	4844	cmd.exe	PING.EXE
PID 4844 wrote to memory of 4936	4844	cmd.exe	PING.EXE
PID 4844 wrote to memory of 1316	4844	cmd.exe	Client.exe
PID 4844 wrote to memory of 1316	4844	cmd.exe	Client.exe
PID 4844 wrote to memory of 1316	4844	cmd.exe	Client.exe
PID 1316 wrote to memory of 1908	1316	Client.exe	schtasks.exe
PID 1316 wrote to memory of 1908	1316	Client.exe	schtasks.exe
PID 1316 wrote to memory of 1908	1316	Client.exe	schtasks.exe
PID 1316 wrote to memory of 436	1316	Client.exe	cmd.exe
PID 1316 wrote to memory of 436	1316	Client.exe	cmd.exe
PID 1316 wrote to memory of 436	1316	Client.exe	cmd.exe
PID 436 wrote to memory of 3284	436	cmd.exe	chcp.com
PID 436 wrote to memory of 3284	436	cmd.exe	chcp.com
PID 436 wrote to memory of 3284	436	cmd.exe	chcp.com
PID 436 wrote to memory of 3200	436	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4912

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bh0zwZ9t75AW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2088

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3116

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oTtmkfhinjIv.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4516

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4916

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VXg4EtWi4wTC.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4332

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4936

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bjsncpwN7vMD.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3284

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3200

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4272

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N8HD6poKAw0r.bat" "
11⤵
PID:3796

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:664

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2280

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\58NYjsoS6SaF.bat" "
13⤵
PID:2184

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:5100

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3580

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3Jgl2xDEp7MI.bat" "
15⤵
PID:4800

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4596

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:564

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N7QsgpQG6mGG.bat" "
17⤵
PID:4912

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3608

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1316

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fi21YlisClnv.bat" "
19⤵
PID:3120

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2912

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:920

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3788

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWm8CcwuTRht.bat" "
21⤵
PID:3748

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:184

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4404

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\noZhHXOXXK13.bat" "
23⤵
PID:2688

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:1220

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3472

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\26MGNSqAbDKD.bat" "
25⤵
PID:516

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2108

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2516

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3mpIRkr11q0A.bat" "
27⤵
PID:1976

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3572

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3208

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2912

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q8Tjk12tPMSd.bat" "
29⤵
PID:4136

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1668

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3876

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:32

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l1xMG5bg6u1A.bat" "
31⤵
PID:3636

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:3560

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 2224
31⤵
- Program crash
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 1664
29⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 2232
27⤵
- Program crash
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 2236
25⤵
- Program crash
PID:3388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 2248
23⤵
- Program crash
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1092
21⤵
- Program crash
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 2236
19⤵
- Program crash
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1092
17⤵
- Program crash
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 1092
15⤵
- Program crash
PID:904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1216
13⤵
- Program crash
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 1648
11⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 1600
9⤵
- Program crash
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1580
7⤵
- Program crash
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1644
5⤵
- Program crash
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1668
3⤵
- Program crash
PID:3796

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2300 -ip 2300
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5068 -ip 5068
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2236 -ip 2236
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1316 -ip 1316
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4272 -ip 4272
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1376 -ip 1376
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2752 -ip 2752
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1836 -ip 1836
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4760 -ip 4760
1⤵
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3788 -ip 3788
1⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2432 -ip 2432
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3980 -ip 3980
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 432 -ip 432
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2912 -ip 2912
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 32 -ip 32
1⤵
PID:416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26MGNSqAbDKD.bat
Filesize
207B

MD5
68427c8809b0488d83142f8917077153

SHA1
a1bb2f9e2d45b0487d9ff12999c22b225f7a02cc

SHA256
72b1a329e772598872d664f921966e35feeaf9af14ac1d982535fde93ce6560c

SHA512
743eed82c501d2b9a7f9a15797a557133dcf6c9ec71dcb7a1920d658b773fd2fe68e538ca5f730a81b30810536fc841e5b5ce4304e3983dc37482c356074e41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3mpIRkr11q0A.bat
Filesize
207B

MD5
94eef7973cc201455c86f8beaf17db61

SHA1
c2b61ca5a0e53f980e5f9b35f42a9a4d4b3f869f

SHA256
3f8e403b29d75e71f9276118d4fff0736559b45e6e356abda06b1361c46c51d6

SHA512
b131b97269116e1194c85656b372720c962da9ab5221fb8f20a1e6940859c01e07e7cf89e7059a13e4ed626bff60742a0353abda3ff0bf35c32b7723de1439c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\58NYjsoS6SaF.bat
Filesize
207B

MD5
bab7806d32f48ae2c15d351d6fecb9b1

SHA1
a5a4dbd598e20dcc19971ad047a413ed3f91cb2d

SHA256
67f7678b1bfc454fa8a29b087d46a00116e88fd0fff6a3507cbe8f79b44787c4

SHA512
94b4eabb6f22bed21f648435540c3ca3e557f61f7b1097171e39ce5ccfa1e8a34a84958d1c6877aee29d4fa283779cd2efb465ffab5b0e38e79a043c9796c852

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fi21YlisClnv.bat
Filesize
207B

MD5
a1f1d3627f205695f4ac7b7cf5e4c361

SHA1
dd9056ae9fcad4d9c7ed36aa5d33f56ebf925d07

SHA256
e456724ca22b9ecfc379e630bb20f44e6079d90ac91486758a6f9d7b6c75f42b

SHA512
54a172d59cc3255283780271e0493955e0c40ed6cf782427586d4c3c8e6ab8771e8a909675183ddb135dfd0f72671a1eefed09b06d4f2c9ce686624e60a93ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\N7QsgpQG6mGG.bat
Filesize
207B

MD5
6213c8a0c60cbfa6ab4bf0345a0dfcc0

SHA1
38e8834e935bd2375b23b29fe52679367738cc00

SHA256
626cc428cbfdb139a422f0bbc38d6e4963068e1e7b899b91beb4272b3504a239

SHA512
e41cdefdbd9880df65f3826caf95438c251bc19c4702ff59cd82db0ddb84b9e40c27af61a2ff593b3d732af656ea7ddac31f02a01e45fa55ce331d66bfc2cfbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\N8HD6poKAw0r.bat
Filesize
207B

MD5
67c1db9f16098fbadc082f95d30927b7

SHA1
3fb7765b6e876114ec4ade74c36836c0caf6f61c

SHA256
b9d29d62aa7b3c582b1f82a2cec9ef1cc30a2242a0fcb939d954122045495590

SHA512
e10e636a919a0abaca9df932884260032ee17f51421e022ac6c9ada2ab6bb9a6a8e7db6462a83f569bac340f69a31502a9f8893ee188877cfea539a067d1f939

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q8Tjk12tPMSd.bat
Filesize
207B

MD5
8b49d1a9799f72fe543bd7a985d4cd5e

SHA1
9ff6b2e5aa2393eed2c64078b6d2efda70b84787

SHA256
ee9f55cf0d2dd771eaecac4fc6385987941b6d56c23ee10276345e73271e86a5

SHA512
4057476dee4015b400354cdf557cd91c53fc43830a3ea43968f281529c85866c678bcd129d69611cc9d50043c1d428b45908866870b95cc0a32fc18df659fa3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VXg4EtWi4wTC.bat
Filesize
207B

MD5
de80d7b6284d2d49362212270efa7aaa

SHA1
c00414237a8249bf56ba942ee0244ffcaeee905f

SHA256
2ddeebe396ea8e76c85a669661c37d197f9d5a7d861780d3c73c5e1d339ebcff

SHA512
9635dfab238c8c1c6ce4a81c83afe58d6656054c2899b7b18011569962f18bf46641b6cd6a9581d56f59814f252d8e6a1e37826d4ee99562f37cc4e72978ce23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZWm8CcwuTRht.bat
Filesize
207B

MD5
fb9feb6cf2900b9cef8915a55106d139

SHA1
60164ab8618535a9630ea4a130ce657fdf78fbe7

SHA256
0e0322445944ff58941657d46c87702ac8c02d9ee3986b88cc4963fc5aae189c

SHA512
60c76e9b4c030d0a5b0ea6443c6f7bcd8d5212ba06ada568785b4abe4d194b706bcff0bf3a714ac3fb48eca10a22b1d70268e77f98dba3f13b0f751e02236c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\bh0zwZ9t75AW.bat
Filesize
207B

MD5
3b003f0a897a1a5f768a3c3c0fc2d39f

SHA1
463604971d70c9e942bb3f72ed238af44a82e544

SHA256
45fd3603ce97ac5b613f57e7cd3a5f4f18551e092b71692b7aae64b70c5feeaf

SHA512
119fb17e6ee0f94e5bf08ec9e07ac00ac9ca82b1635d324f0c357bd42796bc6f3107eb1199cfbb3b9a86eb9d32e367f6152ff1122dee72c7809ae0797d9327cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjsncpwN7vMD.bat
Filesize
207B

MD5
7736e89cf14f1cf06091438558e80dd0

SHA1
0d7cd0ec332ade80a32a78ca890a128a192bd170

SHA256
e5209e4d274962a094d9a869e5deb909b5babf57a1658f073f3e88740acb8b4d

SHA512
99554aff2f7660e5722eeac74ece79881ffab244e5f6c7b22e1d689a2e6a8ef9e21cb6d22f412d62c03ff8e955842f5a78d6b0701645a60cca8d113bcdbe2ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1xMG5bg6u1A.bat
Filesize
207B

MD5
a8a452e32cc03a49f195d837b2c8d864

SHA1
30fbb4eff406326e02f2665f2244e60796936867

SHA256
3d7dd643d65c92d60bee0eb824a5908e6fd32ea21e9ecdcaaea26bcb79115b99

SHA512
d45dc333d9f3e6cb281e09b7614a7201ae3e61600c7e49a2aadd7629662ec1524914fb565dbe37f2a47ea32cf40286cd88e61b554161f431089ef21c6b464224

Download Submit
C:\Users\Admin\AppData\Local\Temp\noZhHXOXXK13.bat
Filesize
207B

MD5
c143f9206ba6624356b03a6586026d7a

SHA1
b9e211fb7b073fe894cbdee907b5bc3b48b078ea

SHA256
0c58ed8ed9726d8e1a3e54d73a14f82df5c7caaef3ed553cf8e0eaa3eb46d1c0

SHA512
a7702d6039e8be6da7755b318028cb22e45ba0bdbcef081d445e47e84017cf0e00883c0a233f014cda4e5ad79bfa4bc474d7420292012b6d23b70f4b1a472374

Download Submit
C:\Users\Admin\AppData\Local\Temp\oTtmkfhinjIv.bat
Filesize
207B

MD5
cbb15c44477f019777d7d6e1b7dc6936

SHA1
645324864b6d605e947efd8f276d8095cdfd0a00

SHA256
a5b7ec1e7210b9bba933fafeba2bd467971364240effcda7e65e01bfd8e69010

SHA512
afd9dd693b8ac5848b2a24ab82345a7e487f7b66d3ebeae37595e358abb8b4a6edacca89c594b7ff44bed814da386698004fc333abda8929a3b963f80e29e2a1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
2bf82f64721d935d2595770adbb62f36

SHA1
ed492d00aaad55764cd8adf3613e7745ccf587c8

SHA256
d86b6de1b37d9531000319d0452db29a9dfe3ba1b5afe16f1b781f81bf2d968d

SHA512
00a25dd40c4a0fb7b8490941e9100f07259f5525daee5e7343c0e15f34ff7d32d5e4d1b242e959c7c768c178a3a997e35b8300a977bf3018e2ebbb38ff2f2913

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
8513b0f90151e2a5189a0f72996e7a6b

SHA1
d16f7d84ac4259db74b1cc4699bf105d98d42900

SHA256
0f715fa6799ddbe3f7639ede5eda73632e72573d4902656a2913288fb204f49f

SHA512
0bec69992d326d743df277a47538fc30575ccfb7ce25c10b6b75e4a00553e7b2ffe9b64f8bb79bb35de9b1bfd78ea429a11971207e642c89cf6ea8f394876f5f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c12512a30e432cccaaf3ebcf69c4e95f

SHA1
2b5d8546ca8265c44c55bcd0955a3b0a6d62b97f

SHA256
1fccb3c480a8196c34dbfdaa00b5058dc54128971ca8afc60834ad3a8199bef9

SHA512
6c042e7c3cea5890db63414591c6f61ead3a7353771cb1bbf9aafd8d05f3933a0d9dbc05c5c08abad5a418033bc05facd7ed4d7c1a99c79f42bd875a21d49b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
19636f7ff8c0923a009eac6bc3d869bf

SHA1
62cd162b5364ad5e3e4074d99226bf60325d63ff

SHA256
67fee24e0ebf2117284efcea34e9b0a0a01a0ef57240fedc99f8147e0dc1c5db

SHA512
ae5d9aa928c4ba4ef0ebef097d77690012cd900d9a634e842e1095f6e30a981ad95dfd3e9cd1287990d9825152e316c4945bca91f23ca070368c088b321b5683

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
6d14c1973294fcdfce418bf5c7143243

SHA1
c96ccf8ab803e7bf02d98273c15f06fccce4525e

SHA256
b8188bc02d89ff92715f2b69b267f02af0e115c7a01ce5babec37a77e1d38686

SHA512
bc9c127195a6751c989d8035dfe4e4087813edc1369c590c9261e56a9be8578098d9b98343487ba046dbce143e99bf7db8f731fc46b2ff14c7e37d9272fbb8e0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
728cfa75972556a3bbf14b586206c4ce

SHA1
5b1677e0d4bf9ee3e2a524c5d0f4686ecd132799

SHA256
81b5ac2665deb7d51ba1ee97469c9a07940d8c822c2d2781fbc28d91cecb6f80

SHA512
2938dcf597363efc645a000d21ea59509befe2baecdfcc82538b67a0e6b6194bb63c42edae0dbc089b20368a895df6d3927927bb1f40afeddf0de0b8a9bc26dc

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
2cfe57f21bd640fd10cc5300596b54cb

SHA1
0d884c1e82d77ae4a06e21779cf6abc623e16b7e

SHA256
0d9a6905faf82a98f08820989200a45841766f43a08932256bdd32501f78d836

SHA512
15fd10bd01ca29d40d31c374f16377bae652eabef44e0fb81852dce7cf07aed5909f4090193ddfc68c4eb03156d38143d0c3abf01060b02312050499b59a4575

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
2dd48adad31aa89f5e5005473839b9a2

SHA1
e2d8b0aa560f721e51b72ab2697d5e11bdaa0c6b

SHA256
aa5bc269e2ec4131386559a26ee6bd9066dc3a5c2195b175a829858a2d9467df

SHA512
557a23e77b88ea2b4bd29ce4e8934162f525f02b2ba76312c003e15ecdb9285e8bf54a58bfab82ca638392b6cdc9989365d54a56d46470f6ccd74ea95f35455c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/2300-15-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2300-24-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2300-19-0x0000000006260000-0x000000000626A000-memory.dmp

Filesize
40KB

Download
memory/2300-16-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-8-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/4024-7-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/4024-17-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-6-0x0000000005B50000-0x0000000005B62000-memory.dmp

Filesize
72KB

Download
memory/4024-5-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4024-4-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-3-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/4024-2-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/4024-1-0x0000000000BB0000-0x0000000000C1C000-memory.dmp

Filesize
432KB

Download