quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
298s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (13) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral22/memory/2612-1-0x0000000000DB0000-0x0000000000E1C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1976	Client.exe
852	Client.exe
4868	Client.exe
596	Client.exe
4600	Client.exe
4340	Client.exe
2800	Client.exe
4816	Client.exe
2332	Client.exe
1372	Client.exe
1636	Client.exe
3816	Client.exe
544	Client.exe
4596	Client.exe
1180	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
24	ip-api.com
30	ip-api.com
20	ip-api.com
13	ip-api.com
32	ip-api.com
34	ip-api.com
8	api.ipify.org
26	ip-api.com
28	ip-api.com
18	ip-api.com
16	ip-api.com
22	ip-api.com
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4104	1976	WerFault.exe	Client.exe
2632	852	WerFault.exe	Client.exe
5104	4868	WerFault.exe	Client.exe
4528	596	WerFault.exe	Client.exe
940	4600	WerFault.exe	Client.exe
336	4340	WerFault.exe	Client.exe
3144	2800	WerFault.exe	Client.exe
532	4816	WerFault.exe	Client.exe
868	2332	WerFault.exe	Client.exe
336	1372	WerFault.exe	Client.exe
2256	1636	WerFault.exe	Client.exe
2460	3816	WerFault.exe	Client.exe
3820	544	WerFault.exe	Client.exe
5024	4596	WerFault.exe	Client.exe
4484	1180	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4420	schtasks.exe
4192	schtasks.exe
1472	schtasks.exe
4384	schtasks.exe
1920	schtasks.exe
3244	schtasks.exe
1320	schtasks.exe
4880	schtasks.exe
3244	SCHTASKS.exe
4780	schtasks.exe
844	schtasks.exe
2396	schtasks.exe
1724	schtasks.exe
3120	schtasks.exe
2808	schtasks.exe
4188	schtasks.exe
4332	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
452	PING.EXE
3580	PING.EXE
3804	PING.EXE
324	PING.EXE
876	PING.EXE
4404	PING.EXE
2132	PING.EXE
1168	PING.EXE
2400	PING.EXE
4300	PING.EXE
388	PING.EXE
5088	PING.EXE
2052	PING.EXE
4000	PING.EXE
4492	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (13) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2612	Uni - Copy (13) - Copy - Copy.exe
Token: SeDebugPrivilege	1976	Client.exe
Token: SeDebugPrivilege	852	Client.exe
Token: SeDebugPrivilege	4868	Client.exe
Token: SeDebugPrivilege	596	Client.exe
Token: SeDebugPrivilege	4600	Client.exe
Token: SeDebugPrivilege	4340	Client.exe
Token: SeDebugPrivilege	2800	Client.exe
Token: SeDebugPrivilege	4816	Client.exe
Token: SeDebugPrivilege	2332	Client.exe
Token: SeDebugPrivilege	1372	Client.exe
Token: SeDebugPrivilege	1636	Client.exe
Token: SeDebugPrivilege	3816	Client.exe
Token: SeDebugPrivilege	544	Client.exe
Token: SeDebugPrivilege	4596	Client.exe
Token: SeDebugPrivilege	1180	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1976	Client.exe
852	Client.exe
4868	Client.exe
596	Client.exe
4600	Client.exe
4340	Client.exe
2800	Client.exe
4816	Client.exe
2332	Client.exe
1372	Client.exe
1636	Client.exe
3816	Client.exe
544	Client.exe
4596	Client.exe
1180	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (13) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2612 wrote to memory of 1472	2612	Uni - Copy (13) - Copy - Copy.exe	schtasks.exe
PID 2612 wrote to memory of 1472	2612	Uni - Copy (13) - Copy - Copy.exe	schtasks.exe
PID 2612 wrote to memory of 1472	2612	Uni - Copy (13) - Copy - Copy.exe	schtasks.exe
PID 2612 wrote to memory of 1976	2612	Uni - Copy (13) - Copy - Copy.exe	Client.exe
PID 2612 wrote to memory of 1976	2612	Uni - Copy (13) - Copy - Copy.exe	Client.exe
PID 2612 wrote to memory of 1976	2612	Uni - Copy (13) - Copy - Copy.exe	Client.exe
PID 2612 wrote to memory of 3244	2612	Uni - Copy (13) - Copy - Copy.exe	SCHTASKS.exe
PID 2612 wrote to memory of 3244	2612	Uni - Copy (13) - Copy - Copy.exe	SCHTASKS.exe
PID 2612 wrote to memory of 3244	2612	Uni - Copy (13) - Copy - Copy.exe	SCHTASKS.exe
PID 1976 wrote to memory of 4332	1976	Client.exe	schtasks.exe
PID 1976 wrote to memory of 4332	1976	Client.exe	schtasks.exe
PID 1976 wrote to memory of 4332	1976	Client.exe	schtasks.exe
PID 1976 wrote to memory of 4792	1976	Client.exe	cmd.exe
PID 1976 wrote to memory of 4792	1976	Client.exe	cmd.exe
PID 1976 wrote to memory of 4792	1976	Client.exe	cmd.exe
PID 4792 wrote to memory of 4680	4792	cmd.exe	chcp.com
PID 4792 wrote to memory of 4680	4792	cmd.exe	chcp.com
PID 4792 wrote to memory of 4680	4792	cmd.exe	chcp.com
PID 4792 wrote to memory of 1168	4792	cmd.exe	PING.EXE
PID 4792 wrote to memory of 1168	4792	cmd.exe	PING.EXE
PID 4792 wrote to memory of 1168	4792	cmd.exe	PING.EXE
PID 4792 wrote to memory of 852	4792	cmd.exe	Client.exe
PID 4792 wrote to memory of 852	4792	cmd.exe	Client.exe
PID 4792 wrote to memory of 852	4792	cmd.exe	Client.exe
PID 852 wrote to memory of 2808	852	Client.exe	schtasks.exe
PID 852 wrote to memory of 2808	852	Client.exe	schtasks.exe
PID 852 wrote to memory of 2808	852	Client.exe	schtasks.exe
PID 852 wrote to memory of 372	852	Client.exe	cmd.exe
PID 852 wrote to memory of 372	852	Client.exe	cmd.exe
PID 852 wrote to memory of 372	852	Client.exe	cmd.exe
PID 372 wrote to memory of 5028	372	cmd.exe	chcp.com
PID 372 wrote to memory of 5028	372	cmd.exe	chcp.com
PID 372 wrote to memory of 5028	372	cmd.exe	chcp.com
PID 372 wrote to memory of 4000	372	cmd.exe	PING.EXE
PID 372 wrote to memory of 4000	372	cmd.exe	PING.EXE
PID 372 wrote to memory of 4000	372	cmd.exe	PING.EXE
PID 372 wrote to memory of 4868	372	cmd.exe	Client.exe
PID 372 wrote to memory of 4868	372	cmd.exe	Client.exe
PID 372 wrote to memory of 4868	372	cmd.exe	Client.exe
PID 4868 wrote to memory of 3120	4868	Client.exe	schtasks.exe
PID 4868 wrote to memory of 3120	4868	Client.exe	schtasks.exe
PID 4868 wrote to memory of 3120	4868	Client.exe	schtasks.exe
PID 4868 wrote to memory of 4304	4868	Client.exe	cmd.exe
PID 4868 wrote to memory of 4304	4868	Client.exe	cmd.exe
PID 4868 wrote to memory of 4304	4868	Client.exe	cmd.exe
PID 4304 wrote to memory of 212	4304	cmd.exe	chcp.com
PID 4304 wrote to memory of 212	4304	cmd.exe	chcp.com
PID 4304 wrote to memory of 212	4304	cmd.exe	chcp.com
PID 4304 wrote to memory of 324	4304	cmd.exe	PING.EXE
PID 4304 wrote to memory of 324	4304	cmd.exe	PING.EXE
PID 4304 wrote to memory of 324	4304	cmd.exe	PING.EXE
PID 4304 wrote to memory of 596	4304	cmd.exe	Client.exe
PID 4304 wrote to memory of 596	4304	cmd.exe	Client.exe
PID 4304 wrote to memory of 596	4304	cmd.exe	Client.exe
PID 596 wrote to memory of 4384	596	Client.exe	schtasks.exe
PID 596 wrote to memory of 4384	596	Client.exe	schtasks.exe
PID 596 wrote to memory of 4384	596	Client.exe	schtasks.exe
PID 596 wrote to memory of 4476	596	Client.exe	cmd.exe
PID 596 wrote to memory of 4476	596	Client.exe	cmd.exe
PID 596 wrote to memory of 4476	596	Client.exe	cmd.exe
PID 4476 wrote to memory of 4960	4476	cmd.exe	chcp.com
PID 4476 wrote to memory of 4960	4476	cmd.exe	chcp.com
PID 4476 wrote to memory of 4960	4476	cmd.exe	chcp.com
PID 4476 wrote to memory of 4492	4476	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1472

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c8q3rmnBFtnf.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4680

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1168

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RjOcggZtFgFf.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:5028

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4000

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iW69HWG2R85y.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:212

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:324

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NW9vsXkGJSbf.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4960

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4492

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAR936GkSTUA.bat" "
11⤵
PID:4180

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:3644

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4404

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4340

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nLkMMBeWB8GD.bat" "
13⤵
PID:1624

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:652

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:876

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fwMVD7w7H8ns.bat" "
15⤵
PID:3452

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4572

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:452

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqmEr43hNDX3.bat" "
17⤵
PID:2628

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4664

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2400

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yvPpA4ZvGRTt.bat" "
19⤵
PID:5096

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:1652

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3580

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2cga16j5Csql.bat" "
21⤵
PID:4824

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:3368

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4300

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKSabuFPyWtd.bat" "
23⤵
PID:4048

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:3904

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:388

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7iumgvaasq2z.bat" "
25⤵
PID:2844

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:4760

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2132

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kC2Zl1oKcb2Y.bat" "
27⤵
PID:3152

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3524

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:5088

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4596

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0zywc9s3OSFc.bat" "
29⤵
PID:4696

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1540

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3804

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2B6tiyR8cuiZ.bat" "
31⤵
PID:4424

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:2092

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 2224
31⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1708
29⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 2248
27⤵
- Program crash
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 1092
25⤵
- Program crash
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 2248
23⤵
- Program crash
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 2224
21⤵
- Program crash
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 1092
19⤵
- Program crash
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 2228
17⤵
- Program crash
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 1688
15⤵
- Program crash
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 1096
13⤵
- Program crash
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 2196
11⤵
- Program crash
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 2184
9⤵
- Program crash
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 2196
7⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1608
5⤵
- Program crash
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 1636
3⤵
- Program crash
PID:4104

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1976 -ip 1976
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 852 -ip 852
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4868 -ip 4868
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 596 -ip 596
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4600 -ip 4600
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4340 -ip 4340
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2800 -ip 2800
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4816 -ip 4816
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2332 -ip 2332
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1372 -ip 1372
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1636 -ip 1636
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3816 -ip 3816
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 544 -ip 544
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4596 -ip 4596
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1180 -ip 1180
1⤵
PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0zywc9s3OSFc.bat
Filesize
207B

MD5
762b915faf4c8943e9bdeaf8c8b32da7

SHA1
0dc2f2b2d953b333b05ee550296f3ed3f8efa062

SHA256
4b03cdb56fdc504caf01b43af20485726c4f349f07269cd6569b857f49ee509c

SHA512
95051ff7fa2db46e09eb008aeced57b9fbd0bed73cf398a6a546117c13d1dfda05337b7956a38b64e268535cdc00f27915e9ba3bf5a786154e5a3e48994efb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B6tiyR8cuiZ.bat
Filesize
207B

MD5
f4065ceccdcc671583882d294591f159

SHA1
c8002c422acd4f5ed044c3eeaadec0439c92086b

SHA256
9b4e8095760583a94e3502662ab7fe8c507674a8eb3a216e7c9721e9c21570ad

SHA512
664a4f175987bcf7743238f8e9ec4e617e58043a97aee745bf683aa82c16182a132be965cadb5b9e43bba62c55a1a951fcb4efd42ba30f2b58e5e454deaf3fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cga16j5Csql.bat
Filesize
207B

MD5
76b21c344db60e0821985ba9e8031030

SHA1
aa14fb61f9698d9d46c805278fba81345847ec31

SHA256
6022249a7d12650668d44244a1e213212a91e80d725bfe0e2d6970bdba09e723

SHA512
623b8719ce4e1ac766bdd95a4a042a8175423b1f527b1e857bafd60e13b3c8a86bbf5f17f40aa04d8da72ee3aa56559da9a49698e7dd1c134a4ed6db39ff9ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7iumgvaasq2z.bat
Filesize
207B

MD5
9e4308d767510b13cc4347789fc91406

SHA1
315886a5b390673366b479659ba33b25c692cd7b

SHA256
75fd03ec4e1d0ac45424a7b2d328b60d128498f1a90d89bed4d4ae8862fac183

SHA512
bd7637188cbb444f821184892d1f837e5157fc319d2c03c72bdbb3379b592d9a540276ba5e1e88c6a2ae7f90b81c20b8795f789f8495324e99ce1e25b478c637

Download Submit
C:\Users\Admin\AppData\Local\Temp\BqmEr43hNDX3.bat
Filesize
207B

MD5
78f1472af2ea6069f62b6fdb152b7720

SHA1
343ec998ec8ea5881b911c8977df6bac28a7e068

SHA256
b87fd8dd7dd0871f99cfc7144aca24856e709897f2ce0e27f3c53dbeba8382b8

SHA512
20598058be7b9df95eaaa152cd3f0f17f23597df63086ea45aae997b21e80fa63824671df56e1356710d2eb7203120f0df5f52b87e61d4f10b86383fe5ab0242

Download Submit
C:\Users\Admin\AppData\Local\Temp\NW9vsXkGJSbf.bat
Filesize
207B

MD5
76c26ee0821bc129dccfd953c76b19c9

SHA1
4c86ef5a7dcce2fd309090b77fab54d24552adc4

SHA256
0da800d46b008ea0e3cbe96acead44c778ae7697a84523ccdcae4bd3c27dd588

SHA512
5700f49daf806a2e935233ade0090fa75f4e45b0c1fb84f172f24a056e8027b7e49d1569dfe97dd4859f611358ce8865a3efe5bb12fdaf94501bea78e69ee7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjOcggZtFgFf.bat
Filesize
207B

MD5
3602838911e84e18d9b5102bb3723d3c

SHA1
b0f0d2b3ea45a2d4594cbc72211e4080ebb9c228

SHA256
7909d7eea1fe06388eaaf702fcab6f0ac8ceba5ecaa0823aa1f54fe33ab9cec5

SHA512
78661df543278c9d59741061b398599a88cc272c37002e099c23b2ab0fb2a25ddfd37ade20d033727774b8e2676cebcfff89993d2b930d29e6f9e1ea95e4e860

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8q3rmnBFtnf.bat
Filesize
207B

MD5
24a1a6842324903ae07ae31da62b355c

SHA1
d961db82d7d430d5156a859a02d08138204e7915

SHA256
83c6f5acdfa0a77d4418d9cea389c65230d5bb5e1fba4b83e4a70ab0ce7b7caa

SHA512
126ea8c0d9c0f050a053315cbbcef79c2e571921008a29b73d61acf5ffce87608ae5b022c8937c85a6f9907a034652be4265ee79b3a8dc906f5e2a62f36ebf39

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwMVD7w7H8ns.bat
Filesize
207B

MD5
0ae786025a0e765c872edd09447713d7

SHA1
b54cd19db06ee85bd4695c39e8161f894bbd9c5a

SHA256
5591e1044cddc86a284f551831c6fe0ccbcb79ab8ebae5373ff631d0c1d5a675

SHA512
c1df28c7ae27ca7f11c5f7fff604fa699607f71ca1a4e5e05e6e88858f7879a12e4d02722a388dd6729cc8145df80fb17d971cfc7545f49e6f0f3152c46c1594

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKSabuFPyWtd.bat
Filesize
207B

MD5
2baab2928e0642b5bb098fbf6b3d4fa2

SHA1
ebedc2c6a5bd4e1f0b1831a4d9e7ef9005aa1b86

SHA256
ce81b8eaf87c92503f45ee796f2becc7d9e54f72abbc95c6103dfcdc144626f6

SHA512
796e5f4b38df564009aa3181cf7c16c5cbd781215f65363e04915e864fbffc53c615998357bcfdb3d64f9a0ce45fdb7026b62a7c2fa7511384a5068164093088

Download Submit
C:\Users\Admin\AppData\Local\Temp\iW69HWG2R85y.bat
Filesize
207B

MD5
177a4ab9623533898a8d2307414be81c

SHA1
c5ad792bc4c8a837a1345339777f17b61445c139

SHA256
a830d56a5d194f2946bd4cf905f73f307c2b67689c955ae4027e6d5ae1506f8e

SHA512
2ea48e6ce05f5a889ded24555ca2d933061bb06e215d0cceb6ae158d9fcacb522aa2d7986b5827daeb26df4501de9013d2f18d1109fea4460442d78dbeacd16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kC2Zl1oKcb2Y.bat
Filesize
207B

MD5
68e9a116255ca66b6bc6d23aa4e2d873

SHA1
47056dd2f5ec94653a6a7422fb3cc1a28c98cf41

SHA256
02c84388b1156fe97858b10f7e96e5e29734a0edb33979ea9296e85ab13e6216

SHA512
b5e86db1c8e24ab2d3badd6f6fecd710778c6bc330c5fd6922de655d416732027ffaa03c639367dfea83f3b46c36d5eea80d72fe054021943b3d921ca4481873

Download Submit
C:\Users\Admin\AppData\Local\Temp\nLkMMBeWB8GD.bat
Filesize
207B

MD5
094498573400594563d248579988eb4c

SHA1
a720d55c9fbd1717a22ed00810c216b4aedb6eba

SHA256
c329bbc820beaede675cfc5660c342e96c1bba504c3a86c8e8687e9970a30ec9

SHA512
1e6b1eb692b9a352e989e7beb6c3258f7e598264f5f45b2d6a28a8c0d2cea594d372f12618035623c63782ef5bea0cf500a71505b20f826ca5cc4308cf8d59ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAR936GkSTUA.bat
Filesize
207B

MD5
f202c2ccaf3a008a1f9cf2400e92218e

SHA1
75b490c81f4acb3bb8ed3308532331fb861ba6f1

SHA256
f877fb4e0b417b9c9dd588a9c309cd3961685d2b2a6f4d4e24015de23e130a6d

SHA512
511230a0cbe335b3ad725ccf4a4777552fced722a655239b375c398d6d75e696aa9c5e75c995a69bd7314ad166b1e0de933c1d7a00f5d2805c80d3874cdf8571

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvPpA4ZvGRTt.bat
Filesize
207B

MD5
675c1fca2861fd63b24cb6a52c6ad6a6

SHA1
a172d3d8a5387b058f4940187095dfe202bfaa5d

SHA256
3f10ae51b5dd237920acbee7c7c715fba00cbb00a2304898444c50742772a38c

SHA512
b60ccd42b62e3e64de870a887c8f14f0545499801098d492a8060482e5c6b4ccc437cf2604f363aea609be10e8edc89129d947e3b9c0c4f24d85fb4d46515d9e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
0c861cc6a74a062ccd823da372d9b0e7

SHA1
3a3e49c14fbd9870fbbdc1bc7ae0c00e5886d0a5

SHA256
cf4383fa284d0d5ecd871b43fba45e0e243448abe115a89c190001620aab7a65

SHA512
5e37f6c094f11cae7ec45890751ea442e94ecc16a1441b548d8d69451f04c59b2274b94d5361a3e20fc2887a1cb8d0f18ea1cf11d5d8680f49577ff511c6d305

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
ba3469deeb494c4eb8e0e32e7117d1b7

SHA1
1dbe426441b4ecfe822154ffedc3d22897a97a92

SHA256
0731b86c74e20476a391b2b8f6d77b50661a0ee049a9c099015ca68b484fd7cf

SHA512
507727a2e40042983f9921615f9ecf5969345b412a42e4613b4b7d593bf509c55bcc8b2996adffec801d42bb82365dfbf8bed30f21d4e3536130d1e112a7216b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c484b2b91ff0bf05b6e695795de9ba17

SHA1
e07ecaa39c1909965791b8426102a371bf4f84d8

SHA256
31c68483aba79de51d3d750a5d4c341f264266a8a422f54d5065ba2d7894f24d

SHA512
da528746cd1c04ca5ba18517fe20ab86cea3fbc65e6269acfbc8bb7c9f717f969d4470fe95814529cfecb7ac7e5988a296b5cf120ce0348908454fd97935af0e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
7b6a7cfdd8bb7abfde2ef5def577fca6

SHA1
3e612616b6e8a42af50907e6189cb5c25e457603

SHA256
2e2f08cf46e18b85bec43d416a95d3fe2a412a7e2d448aade7043a588d363393

SHA512
ab9cd7ae936f1a771f87caacd8ba8d005645c49611a3c5fbea1ae9771f84b0de30b4da3d8310dc96001efdcdff0c308808394300efd280703a221adb1ef60f4e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
68f656a4f5ecb4f8c4609525f6c545a0

SHA1
6b57dc67c28badb85357a6194a29add9b9ebabfe

SHA256
57775c019140f5d1998b4a3bac21d8ad4196c71e75dbfed64dc9a447936dd255

SHA512
ddbf8cd7970a2f792629d1b95ec5696b9a1cc994a8e3717903b06118c62f37dc3648b6029d5ef3c68cae45dda6109ade4f85bbfb441bb1fb0d56bfd6d0ba2f0e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
1edd6b6d77314677b01cad3ae02168c6

SHA1
667e64f3fd107192cd6d3ab67c43f544ba0adba9

SHA256
cbfb2053238cb3493c5445945208a399de67c47b320d2505cf49a13975e0ebd9

SHA512
10685c70616ba665221c81ae464200bfd2c78200cee11285eb8e8d3659ecc9a66ed512b6a8bd0e0e75a4d2b38285dcc6d79a0d0d862035c6206627e8aa989c1b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
87816129998f9bb22bf4e92958f57397

SHA1
5a4fc17ced7ee7ced1ac33e8fa254d4fb6c46588

SHA256
c008ca418a9d3af7774b86a33485aaffdea8218a47dbbb8cfe8a16c47191415b

SHA512
fd5b323c4a819890aa1007290f385c826eb0b53246668fae89d4a266a8a3c8dc09b1eb78ae3e16d95fa910f186e127db563c503783f4dd15fafda8405e2a12ac

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
9f86567fa629482edb846bc4d8805964

SHA1
df33899c9e70c05494d7458344afdb5058bc927f

SHA256
61d2e9fd901facf5d5593de362d981b75b50d02f4e5960cf09ff9c980262c407

SHA512
bfaa73d31aead9babf2576712fd825cce11f1c2f655faae23f86c0253d98a1af32cc4393d193c1dad99037bf5d9770c112dd78813b6f8d24b52cb586a26a4b83

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
9f8e870d3ab7b3dddc4c2ce5dcb247b9

SHA1
a2a606bf6a6fd5f0367e1d76c1837bdf5bb2ef77

SHA256
502ca69ffd1d31c5a59edcefd42eb1d6d9de395ecd37c5d006ded63c2890298c

SHA512
b26161901fd7759a183d6a24c8004b555312e1ce9df71234c63503ab1335f2bd6054f4479da499ce9ea4652300b6d4ea583d55b570d18b03195669c2f670ac68

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1976-19-0x00000000062A0000-0x00000000062AA000-memory.dmp

Filesize
40KB

Download
memory/1976-17-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1976-15-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/1976-24-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2612-16-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2612-8-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2612-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/2612-7-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/2612-6-0x0000000005D50000-0x0000000005D62000-memory.dmp

Filesize
72KB

Download
memory/2612-5-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/2612-4-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2612-3-0x00000000058F0000-0x0000000005982000-memory.dmp

Filesize
584KB

Download
memory/2612-2-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/2612-1-0x0000000000DB0000-0x0000000000E1C000-memory.dmp

Filesize
432KB

Download