quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
294s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (13) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral20/memory/1520-1-0x0000000000510000-0x000000000057C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 16 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2256	Client.exe
588	Client.exe
4796	Client.exe
4604	Client.exe
4868	Client.exe
4692	Client.exe
1132	Client.exe
4468	Client.exe
2620	Client.exe
3952	Client.exe
2736	Client.exe
2136	Client.exe
1044	Client.exe
2092	Client.exe
4400	Client.exe
1728	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com
32	ip-api.com
34	ip-api.com
37	ip-api.com
39	ip-api.com
44	ip-api.com
8	api.ipify.org
47	ip-api.com
25	ip-api.com
14	ip-api.com
16	ip-api.com
18	ip-api.com
42	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3984	2256	WerFault.exe	Client.exe
116	588	WerFault.exe	Client.exe
688	4796	WerFault.exe	Client.exe
892	4604	WerFault.exe	Client.exe
4356	4868	WerFault.exe	Client.exe
1660	4692	WerFault.exe	Client.exe
3168	1132	WerFault.exe	Client.exe
1068	4468	WerFault.exe	Client.exe
2984	2620	WerFault.exe	Client.exe
3280	3952	WerFault.exe	Client.exe
968	2736	WerFault.exe	Client.exe
4932	2136	WerFault.exe	Client.exe
2032	1044	WerFault.exe	Client.exe
2632	2092	WerFault.exe	Client.exe
3712	4400	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2856	schtasks.exe
3680	schtasks.exe
3408	schtasks.exe
3700	schtasks.exe
564	schtasks.exe
1448	schtasks.exe
2896	schtasks.exe
2168	schtasks.exe
1188	schtasks.exe
4392	SCHTASKS.exe
1576	schtasks.exe
3708	schtasks.exe
3036	schtasks.exe
4528	schtasks.exe
2320	schtasks.exe
5076	schtasks.exe
452	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4940	PING.EXE
3556	PING.EXE
748	PING.EXE
3880	PING.EXE
2780	PING.EXE
1112	PING.EXE
1480	PING.EXE
4940	PING.EXE
4344	PING.EXE
2764	PING.EXE
1440	PING.EXE
4188	PING.EXE
2108	PING.EXE
1904	PING.EXE
1068	PING.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

Uni - Copy (13) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1520	Uni - Copy (13) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	2256	Client.exe
Token: SeDebugPrivilege	588	Client.exe
Token: SeDebugPrivilege	4796	Client.exe
Token: SeDebugPrivilege	4604	Client.exe
Token: SeDebugPrivilege	4868	Client.exe
Token: SeDebugPrivilege	4692	Client.exe
Token: SeDebugPrivilege	1132	Client.exe
Token: SeDebugPrivilege	4468	Client.exe
Token: SeDebugPrivilege	2620	Client.exe
Token: SeDebugPrivilege	3952	Client.exe
Token: SeDebugPrivilege	2736	Client.exe
Token: SeDebugPrivilege	2136	Client.exe
Token: SeDebugPrivilege	1044	Client.exe
Token: SeDebugPrivilege	2092	Client.exe
Token: SeDebugPrivilege	4400	Client.exe
Token: SeDebugPrivilege	1728	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2256	Client.exe
588	Client.exe
4796	Client.exe
4604	Client.exe
4868	Client.exe
4692	Client.exe
1132	Client.exe
4468	Client.exe
2620	Client.exe
3952	Client.exe
2736	Client.exe
2136	Client.exe
1044	Client.exe
2092	Client.exe
4400	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (13) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1520 wrote to memory of 4528	1520	Uni - Copy (13) - Copy - Copy - Copy.exe	schtasks.exe
PID 1520 wrote to memory of 4528	1520	Uni - Copy (13) - Copy - Copy - Copy.exe	schtasks.exe
PID 1520 wrote to memory of 4528	1520	Uni - Copy (13) - Copy - Copy - Copy.exe	schtasks.exe
PID 1520 wrote to memory of 2256	1520	Uni - Copy (13) - Copy - Copy - Copy.exe	Client.exe
PID 1520 wrote to memory of 2256	1520	Uni - Copy (13) - Copy - Copy - Copy.exe	Client.exe
PID 1520 wrote to memory of 2256	1520	Uni - Copy (13) - Copy - Copy - Copy.exe	Client.exe
PID 1520 wrote to memory of 4392	1520	Uni - Copy (13) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1520 wrote to memory of 4392	1520	Uni - Copy (13) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1520 wrote to memory of 4392	1520	Uni - Copy (13) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2256 wrote to memory of 2856	2256	Client.exe	schtasks.exe
PID 2256 wrote to memory of 2856	2256	Client.exe	schtasks.exe
PID 2256 wrote to memory of 2856	2256	Client.exe	schtasks.exe
PID 2256 wrote to memory of 1444	2256	Client.exe	cmd.exe
PID 2256 wrote to memory of 1444	2256	Client.exe	cmd.exe
PID 2256 wrote to memory of 1444	2256	Client.exe	cmd.exe
PID 1444 wrote to memory of 3664	1444	cmd.exe	chcp.com
PID 1444 wrote to memory of 3664	1444	cmd.exe	chcp.com
PID 1444 wrote to memory of 3664	1444	cmd.exe	chcp.com
PID 1444 wrote to memory of 3556	1444	cmd.exe	PING.EXE
PID 1444 wrote to memory of 3556	1444	cmd.exe	PING.EXE
PID 1444 wrote to memory of 3556	1444	cmd.exe	PING.EXE
PID 1444 wrote to memory of 588	1444	cmd.exe	Client.exe
PID 1444 wrote to memory of 588	1444	cmd.exe	Client.exe
PID 1444 wrote to memory of 588	1444	cmd.exe	Client.exe
PID 588 wrote to memory of 1448	588	Client.exe	schtasks.exe
PID 588 wrote to memory of 1448	588	Client.exe	schtasks.exe
PID 588 wrote to memory of 1448	588	Client.exe	schtasks.exe
PID 588 wrote to memory of 4404	588	Client.exe	cmd.exe
PID 588 wrote to memory of 4404	588	Client.exe	cmd.exe
PID 588 wrote to memory of 4404	588	Client.exe	cmd.exe
PID 4404 wrote to memory of 884	4404	cmd.exe	chcp.com
PID 4404 wrote to memory of 884	4404	cmd.exe	chcp.com
PID 4404 wrote to memory of 884	4404	cmd.exe	chcp.com
PID 4404 wrote to memory of 4344	4404	cmd.exe	PING.EXE
PID 4404 wrote to memory of 4344	4404	cmd.exe	PING.EXE
PID 4404 wrote to memory of 4344	4404	cmd.exe	PING.EXE
PID 4404 wrote to memory of 4796	4404	cmd.exe	Client.exe
PID 4404 wrote to memory of 4796	4404	cmd.exe	Client.exe
PID 4404 wrote to memory of 4796	4404	cmd.exe	Client.exe
PID 4796 wrote to memory of 2320	4796	Client.exe	schtasks.exe
PID 4796 wrote to memory of 2320	4796	Client.exe	schtasks.exe
PID 4796 wrote to memory of 2320	4796	Client.exe	schtasks.exe
PID 4796 wrote to memory of 4460	4796	Client.exe	cmd.exe
PID 4796 wrote to memory of 4460	4796	Client.exe	cmd.exe
PID 4796 wrote to memory of 4460	4796	Client.exe	cmd.exe
PID 4460 wrote to memory of 4588	4460	cmd.exe	chcp.com
PID 4460 wrote to memory of 4588	4460	cmd.exe	chcp.com
PID 4460 wrote to memory of 4588	4460	cmd.exe	chcp.com
PID 4460 wrote to memory of 748	4460	cmd.exe	PING.EXE
PID 4460 wrote to memory of 748	4460	cmd.exe	PING.EXE
PID 4460 wrote to memory of 748	4460	cmd.exe	PING.EXE
PID 4460 wrote to memory of 4604	4460	cmd.exe	Client.exe
PID 4460 wrote to memory of 4604	4460	cmd.exe	Client.exe
PID 4460 wrote to memory of 4604	4460	cmd.exe	Client.exe
PID 4604 wrote to memory of 3680	4604	Client.exe	schtasks.exe
PID 4604 wrote to memory of 3680	4604	Client.exe	schtasks.exe
PID 4604 wrote to memory of 3680	4604	Client.exe	schtasks.exe
PID 4604 wrote to memory of 4556	4604	Client.exe	cmd.exe
PID 4604 wrote to memory of 4556	4604	Client.exe	cmd.exe
PID 4604 wrote to memory of 4556	4604	Client.exe	cmd.exe
PID 4556 wrote to memory of 816	4556	cmd.exe	chcp.com
PID 4556 wrote to memory of 816	4556	cmd.exe	chcp.com
PID 4556 wrote to memory of 816	4556	cmd.exe	chcp.com
PID 4556 wrote to memory of 2764	4556	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4528

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EbrJTe830DwZ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:3664

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3556

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQNarEzVhTTm.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:884

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4344

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VTxv9dLA0wXu.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4588

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:748

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PaU2WUtHDUai.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:816

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2764

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoUK8BVu0Ajb.bat" "
11⤵
PID:4236

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4468

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3880

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4692

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsJBeQroNayY.bat" "
13⤵
PID:4392

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:1380

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2780

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1132

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oaOgJCBIop2J.bat" "
15⤵
PID:884

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:5056

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4940

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OVc9juTBRjTO.bat" "
17⤵
PID:3684

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2284

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1440

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2620

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaGk2tyPKwQF.bat" "
19⤵
PID:780

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2696

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1112

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3952

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KnV3SsvxS8Nv.bat" "
21⤵
PID:4600

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:1060

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1480

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CO6CKoCZY8ta.bat" "
23⤵
PID:1584

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4116

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4188

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2UYXQYs6wAXL.bat" "
25⤵
PID:2036

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:1988

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2108

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUes3bsEth7i.bat" "
27⤵
PID:3196

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3156

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1904

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c5F1vXAqzgeN.bat" "
29⤵
PID:1108

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:512

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4940

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OezrxhlFTfPT.bat" "
31⤵
PID:4124

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:2684

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:1068

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 2196
31⤵
- Program crash
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1092
29⤵
- Program crash
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 2228
27⤵
- Program crash
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 2236
25⤵
- Program crash
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 2232
23⤵
- Program crash
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1712
21⤵
- Program crash
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1092
19⤵
- Program crash
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1088
17⤵
- Program crash
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 1616
15⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 1092
13⤵
- Program crash
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 1096
11⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 2196
9⤵
- Program crash
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1604
7⤵
- Program crash
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 2196
5⤵
- Program crash
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 1648
3⤵
- Program crash
PID:3984

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2256 -ip 2256
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 588 -ip 588
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4796 -ip 4796
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4604 -ip 4604
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4868 -ip 4868
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4692 -ip 4692
1⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1132 -ip 1132
1⤵
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4468 -ip 4468
1⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2620 -ip 2620
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3952 -ip 3952
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2736 -ip 2736
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2136 -ip 2136
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 1044
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2092 -ip 2092
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4400 -ip 4400
1⤵
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2UYXQYs6wAXL.bat
Filesize
207B

MD5
9f58b0bc70bc634086ad722ca36593cb

SHA1
350cda2f13a3de07eb9026108328b3182b335146

SHA256
4b79996af7277327716067beddc366bbeb914cd34b1b0293e63f58613854e76a

SHA512
8e8f7e3abe8dccbf83e4ff44e498ea875cfb09926c0bd390e00da50ee8bbf4088e85e36c8f0d7bddfed0062a4a32a18d0d3d7d19570511db80fcb776d7af43e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AaGk2tyPKwQF.bat
Filesize
207B

MD5
651f5e0a5c57c367409df2736f562675

SHA1
9f2f2521a4d2bf00b0c11c1ac1ea7de5343b56e1

SHA256
235371639da3382bec4c07f3480864ea8f17051808ddadd7da88cef71e3b3d31

SHA512
863af8dafb8d2f2354f90636ba66a21649f02d7d663bcf38af58c6f4d6f53a53ae54d07d270d7e04680ff5ff544c02a981a1f689393861ea7f80102e9f46040b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CO6CKoCZY8ta.bat
Filesize
207B

MD5
daf12d3b42e71a0b38f01e1b3686a118

SHA1
568fe3fa18bfc86b761235d77c3a081551fa9dd9

SHA256
532d25a8495687e0775669380a106df31afd8cabcaacdfd12fb082667e08f23c

SHA512
f27cfef085e3da2c901c9290ceae45e175fc97a26a44745cfcf9463869312b26284e03719e1dd03ce6765085fcf672541fe6023d95d83ca9cc714ffb419f6357

Download Submit
C:\Users\Admin\AppData\Local\Temp\EbrJTe830DwZ.bat
Filesize
207B

MD5
01306112cd555bd26fd8fd474af7ca45

SHA1
37d4eebf5e8835f3c07ba3eb59fd33fd63e54564

SHA256
24226dd1ea6e2b40c3822faa9d876d13a40263850295e7aaa4abcdc7d84e3e50

SHA512
ea36dc3a715e8ebd72fb8c7ca901f1a8734535845019e890dda8509e23c5db750daac4b50378bdc30db58349713522275543db5ab362f9889d22b56467bad8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\KnV3SsvxS8Nv.bat
Filesize
207B

MD5
29b4f81e3fd151a63307f6bf349bfec4

SHA1
ed1f3e3ebf46c48ee14f98174823340ce485fcf5

SHA256
1cc82c576f9d7b88848999e2f2ab037d65970c8832e73b986a499a463f5b1882

SHA512
f9f02f1259671910d8681c0836760eb6f8815c76b222bc5efcb1a111ec6024f1554de0aa53d177481552d368773808bb66185adce77208f9dc13431c517ecb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\OVc9juTBRjTO.bat
Filesize
207B

MD5
9bfe8b114f279df0ab21b8b041b697fd

SHA1
da04acf4fba410e9c9dddd4322e69c16cae20543

SHA256
017bd8362a581a129dc4dafd44b024da24b85162509ebb11c39d0c381d3f8a37

SHA512
46e600270454dd6d8bd5c041bbb11909b53f3ddcd55af9d1aca6f3c950dbafd12ac10432a45b1b27ca5c45cafa5ce75e71fc0a7e8033c3ec29cb4396d714bd66

Download Submit
C:\Users\Admin\AppData\Local\Temp\OezrxhlFTfPT.bat
Filesize
207B

MD5
d9d163a38503c9b3434da1919cd21b84

SHA1
db72c85085e66f31072d4cc12c82033ab2c6a8f7

SHA256
5f328c5cb31b40cd343f8ec9431f5052157051952dbb1746f4c14301cae9179a

SHA512
d76275d6a3f9bbce69f0326cbb407d19ca5d858c6c5b7fee4ac95101ecac28dbbb2f07d6b5b3a4e093870dd38c8c8d34f2b23b66adfecbc2ee3db4c166a53ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PaU2WUtHDUai.bat
Filesize
207B

MD5
728e13826682bbfcced19a3332569b74

SHA1
f01974604fd946bc7379e6f31a6878a3747b7ab6

SHA256
6a215b44090e83cca83925fa050988360b7e129359c2b06b266fb33ec1fcc7fd

SHA512
03cc0e866e70f0db1426447f79fc802b79695ce2502b90fe1d201b8d72225eecd043342291dbfe4813863237a26f37f26d16078e381e5b8e25cc57b601c445ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\VTxv9dLA0wXu.bat
Filesize
207B

MD5
5f3fcecacf2905fac58a2e9337a018cc

SHA1
79e3534d57d789fdb20a401575b1b75ce9ea2033

SHA256
0bd65fc501af58219a67b9d1fcbb08db9cdae7e0eed04b57b51702f1d386df6a

SHA512
45b504bb392e4bb79c67b19c06ec8558b5f6dd28b104d7a0c5dbeae8761784393269d7fd5e999a0e531cb6fc7cabc43f3d4601102a6307b5b759fe784fb9c004

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQNarEzVhTTm.bat
Filesize
207B

MD5
78eeb63074443dcedda2ee5e893e37a6

SHA1
899b99d0f9358ab4922ec239c6bf8bbb8433cc7c

SHA256
ea3bf747b80ef68e1b6b7a8e8c3cd60852e42d77a9e1927427a70fd52f18038a

SHA512
e4fe02a4bd4d433f7c9236835373b174eae7e942cc08ff37070e9406a69de2b24c3f0afca72fb336e3771ade0da50ba73af9286806bfea7c6c68df389de49489

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5F1vXAqzgeN.bat
Filesize
207B

MD5
7bdfd547df71109d9e3b4ca151ac9e25

SHA1
700c54c548270f6c8b2b9aa91426982cf3804c03

SHA256
cc848740f99520fd67f545397ed81d84330d51044377f93b6adaf954a78b5e12

SHA512
0e200382156df18d7d255d5e7b7479a7302da66acb79a3bb3218d6fc559152f0611c0a28b1145c9f95be9ced4daf6e61abb930538756f9d0606c27e34202069e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsJBeQroNayY.bat
Filesize
207B

MD5
ca13d17dd3cddfca21f325c30a223033

SHA1
9c9e960c6631bf85deee2dce4327f34df0362bbf

SHA256
093f5c714e703ee1c7b80294e6fb90d0ca6eb78893d80b7598e2e69c4a41700c

SHA512
a44fc4fa2aeff9d8d6cf6a9ab6c93af9693c06255bc469ce48fbaeb631b6474126adb1993e25b1f41537d1ef83e03d8928ae831895b487f1c950768bbcea383d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUes3bsEth7i.bat
Filesize
207B

MD5
a6dcc80494668d9d9a8af51c3d1666f2

SHA1
c49b85720113f9c53ee8bcc1d40a90fe53a16313

SHA256
5a97e8b4537d6e35e925906b67ed8e1a275d76909ddd3c80299917e09be902af

SHA512
179e4c8d0c3414ba17f8e1f4b3954d89dc06ac1b8fa2a7e7654678bff63d606fb6d52a6c837d9ef0430316935870547942e6bc2dc97e93b792584c1620684659

Download Submit
C:\Users\Admin\AppData\Local\Temp\oaOgJCBIop2J.bat
Filesize
207B

MD5
de8dda894f8250eecb45979ca077ebd4

SHA1
2d92a741e0443a2e5c40c0f02026585d014eb528

SHA256
72586efb4bdec323f5cf7d4bb597d2c928dd4c68826844b01fb41cc9c055076e

SHA512
afbb7a0d8dde3e23b22c5c3c576fb8cd87bc6b35c79d47e986103b78fec23714df067fd5c7ee2d09b17be9298c7c4f9db1e42dd7a4e981df402bc72b4ed89bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xoUK8BVu0Ajb.bat
Filesize
207B

MD5
619730df4a229b38d88a6137b1d431b7

SHA1
9688945e96eee27e8a36d97bb805716c6e0f5207

SHA256
94c1a3d8bdee0ca8bae566201d1140cfa82731a85abe8cab1b65fdc74644d9eb

SHA512
835095d86e9d0d252cbcd09a7dff65f3ddf1a61f0c18e7e0856b79c2cacab1b3057413f0b779fe13e5663e6c7a9cd537be6ec7ebfb668ff7e8517760c448056b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
4c11015866481eab7a6c96ee1f6b94e1

SHA1
907e789b07704eb2101d4d6b9b9c93c1a075f411

SHA256
0c1da1ce8247f79240812f35b5453011f739500e142ff59010391a1297b293e1

SHA512
b3b046c34f33876365d16d0c37af34f93e301a5d1521fed1f225bee2230b75d40b93c2cdaff44a59e8e6236dcbf8ec47f5fa080447443029ae327f9a51a659a3

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
422fca6b556e0b71e8c6dbd72674c664

SHA1
a455e9c01db1b181e49a9b474a7bf31e911718aa

SHA256
e04dfb7055b51b31ad95b15f29b44c7bbdb8b5025037cf955049306dba9940d4

SHA512
212189a30018e70735b69e301f4e38c618d23f36324507be9a7dd1a9116608c249fd762d87388d51de9e11c31e8569f4c9ee31ad26df5f1103afaf25531f5f54

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
81f9adff0a19fbf136a990fb6ae8a6ce

SHA1
575ce415c97139fc52c3d3eea723cf3481bfb6cc

SHA256
81e3b98c7ce99c0d732a01226a86d66d53cab09d33df395a41cbbde3ff334fd1

SHA512
f62124ef82e69aa541dcf5c258273a1c0b3e1b8f00dcd6ee4464ae439c5c5083312285fe753878deef938e5a0a450314a05d61ab91c43aa24db1a69944852bb1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c896d9104295f1b4c519230703c7e7de

SHA1
025072d64072200029123bb072abeec8b8bbfa0a

SHA256
b69a91ba34fd3b7c08181c6f97cada0b24390202e835e9d676da0fd027b3dedd

SHA512
d02c4d3ed5debad9db117cc1b7669978b07d61505953cea54572e0aa9c386651a873e8720d5d43232ebd099a26b932ed6ba89eae2a89ad565d79e0e07d0401f8

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
d2998788c6b3d1cd52c6fdfcbe4917b3

SHA1
f3eed960f23889a0768ff069b4309d91b1ea8e4a

SHA256
fa93f84e655becfef5b2ef3f0014f78f374c0c28b61f0899989ad3dbfc40a40a

SHA512
f869a884bb6debd8875b4d55d96d4b5ee8bb5ac70efc1fc8bc0c541ae09cf280197ef9b2654d6f0835dcdf2c386e271423b8d85159bbe61951d08b8e05c16d5e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
ba0bbf3f2d5fd725ed2eb28cb42fd7f2

SHA1
25aa4258cdc1748f604b738d078dfb61c49a10f0

SHA256
913274aa3d7544f1a07ace7c20ad1b2fd63738bbd42272622571022656876afd

SHA512
ff121e2cfa579008009905b99e16323c0f9ae8164bd682e41a76a0269688f2601af6a030147df688aeb564be0f0f826b8de6daefc9676746ccb541a11aaa18ca

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1520-6-0x0000000005560000-0x0000000005572000-memory.dmp

Filesize
72KB

Download
memory/1520-7-0x000000007503E000-0x000000007503F000-memory.dmp

Filesize
4KB

Download
memory/1520-1-0x0000000000510000-0x000000000057C000-memory.dmp

Filesize
432KB

Download
memory/1520-2-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/1520-15-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/1520-3-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/1520-8-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/1520-4-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/1520-0-0x000000007503E000-0x000000007503F000-memory.dmp

Filesize
4KB

Download
memory/1520-5-0x0000000005080000-0x00000000050E6000-memory.dmp

Filesize
408KB

Download
memory/2256-19-0x00000000066F0000-0x00000000066FA000-memory.dmp

Filesize
40KB

Download
memory/2256-24-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/2256-16-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download
memory/2256-17-0x0000000075030000-0x00000000757E0000-memory.dmp

Filesize
7.7MB

Download