quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
296s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (14) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral28/memory/2824-1-0x0000000000A90000-0x0000000000AFC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4932	Client.exe
892	Client.exe
4656	Client.exe
2900	Client.exe
3512	Client.exe
3680	Client.exe
1016	Client.exe
3936	Client.exe
4648	Client.exe
3496	Client.exe
3680	Client.exe
2348	Client.exe
4824	Client.exe
2412	Client.exe
224	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
28	ip-api.com
24	ip-api.com
32	ip-api.com
34	ip-api.com
18	ip-api.com
20	ip-api.com
26	ip-api.com
30	ip-api.com
3	ip-api.com
11	api.ipify.org
16	ip-api.com
22	ip-api.com
36	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4336	4932	WerFault.exe	Client.exe
2300	892	WerFault.exe	Client.exe
2348	4656	WerFault.exe	Client.exe
8	2900	WerFault.exe	Client.exe
2260	3512	WerFault.exe	Client.exe
1484	3680	WerFault.exe	Client.exe
3276	1016	WerFault.exe	Client.exe
760	3936	WerFault.exe	Client.exe
3208	4648	WerFault.exe	Client.exe
676	3496	WerFault.exe	Client.exe
2336	3680	WerFault.exe	Client.exe
2756	2348	WerFault.exe	Client.exe
4336	4824	WerFault.exe	Client.exe
1344	2412	WerFault.exe	Client.exe
4596	224	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
760	schtasks.exe
2656	schtasks.exe
2396	schtasks.exe
4484	schtasks.exe
4968	schtasks.exe
1920	SCHTASKS.exe
436	schtasks.exe
1208	schtasks.exe
624	schtasks.exe
2052	schtasks.exe
2848	schtasks.exe
4632	schtasks.exe
1752	schtasks.exe
2824	schtasks.exe
1572	schtasks.exe
1760	schtasks.exe
3100	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2668	PING.EXE
2384	PING.EXE
3904	PING.EXE
4968	PING.EXE
756	PING.EXE
4420	PING.EXE
4356	PING.EXE
4256	PING.EXE
1376	PING.EXE
3704	PING.EXE
988	PING.EXE
2148	PING.EXE
5064	PING.EXE
892	PING.EXE
4080	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (14) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2824	Uni - Copy (14) - Copy - Copy.exe
Token: SeDebugPrivilege	4932	Client.exe
Token: SeDebugPrivilege	892	Client.exe
Token: SeDebugPrivilege	4656	Client.exe
Token: SeDebugPrivilege	2900	Client.exe
Token: SeDebugPrivilege	3512	Client.exe
Token: SeDebugPrivilege	3680	Client.exe
Token: SeDebugPrivilege	1016	Client.exe
Token: SeDebugPrivilege	3936	Client.exe
Token: SeDebugPrivilege	4648	Client.exe
Token: SeDebugPrivilege	3496	Client.exe
Token: SeDebugPrivilege	3680	Client.exe
Token: SeDebugPrivilege	2348	Client.exe
Token: SeDebugPrivilege	4824	Client.exe
Token: SeDebugPrivilege	2412	Client.exe
Token: SeDebugPrivilege	224	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4932	Client.exe
892	Client.exe
4656	Client.exe
2900	Client.exe
3512	Client.exe
3680	Client.exe
1016	Client.exe
3936	Client.exe
4648	Client.exe
3496	Client.exe
3680	Client.exe
2348	Client.exe
4824	Client.exe
2412	Client.exe
224	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (14) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2824 wrote to memory of 760	2824	Uni - Copy (14) - Copy - Copy.exe	schtasks.exe
PID 2824 wrote to memory of 760	2824	Uni - Copy (14) - Copy - Copy.exe	schtasks.exe
PID 2824 wrote to memory of 760	2824	Uni - Copy (14) - Copy - Copy.exe	schtasks.exe
PID 2824 wrote to memory of 4932	2824	Uni - Copy (14) - Copy - Copy.exe	Client.exe
PID 2824 wrote to memory of 4932	2824	Uni - Copy (14) - Copy - Copy.exe	Client.exe
PID 2824 wrote to memory of 4932	2824	Uni - Copy (14) - Copy - Copy.exe	Client.exe
PID 2824 wrote to memory of 1920	2824	Uni - Copy (14) - Copy - Copy.exe	SCHTASKS.exe
PID 2824 wrote to memory of 1920	2824	Uni - Copy (14) - Copy - Copy.exe	SCHTASKS.exe
PID 2824 wrote to memory of 1920	2824	Uni - Copy (14) - Copy - Copy.exe	SCHTASKS.exe
PID 4932 wrote to memory of 436	4932	Client.exe	schtasks.exe
PID 4932 wrote to memory of 436	4932	Client.exe	schtasks.exe
PID 4932 wrote to memory of 436	4932	Client.exe	schtasks.exe
PID 4932 wrote to memory of 1512	4932	Client.exe	cmd.exe
PID 4932 wrote to memory of 1512	4932	Client.exe	cmd.exe
PID 4932 wrote to memory of 1512	4932	Client.exe	cmd.exe
PID 1512 wrote to memory of 4776	1512	cmd.exe	chcp.com
PID 1512 wrote to memory of 4776	1512	cmd.exe	chcp.com
PID 1512 wrote to memory of 4776	1512	cmd.exe	chcp.com
PID 1512 wrote to memory of 1376	1512	cmd.exe	PING.EXE
PID 1512 wrote to memory of 1376	1512	cmd.exe	PING.EXE
PID 1512 wrote to memory of 1376	1512	cmd.exe	PING.EXE
PID 1512 wrote to memory of 892	1512	cmd.exe	Client.exe
PID 1512 wrote to memory of 892	1512	cmd.exe	Client.exe
PID 1512 wrote to memory of 892	1512	cmd.exe	Client.exe
PID 892 wrote to memory of 1760	892	Client.exe	schtasks.exe
PID 892 wrote to memory of 1760	892	Client.exe	schtasks.exe
PID 892 wrote to memory of 1760	892	Client.exe	schtasks.exe
PID 892 wrote to memory of 1680	892	Client.exe	cmd.exe
PID 892 wrote to memory of 1680	892	Client.exe	cmd.exe
PID 892 wrote to memory of 1680	892	Client.exe	cmd.exe
PID 1680 wrote to memory of 2244	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 2244	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 2244	1680	cmd.exe	chcp.com
PID 1680 wrote to memory of 2148	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 2148	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 2148	1680	cmd.exe	PING.EXE
PID 1680 wrote to memory of 4656	1680	cmd.exe	Client.exe
PID 1680 wrote to memory of 4656	1680	cmd.exe	Client.exe
PID 1680 wrote to memory of 4656	1680	cmd.exe	Client.exe
PID 4656 wrote to memory of 2656	4656	Client.exe	schtasks.exe
PID 4656 wrote to memory of 2656	4656	Client.exe	schtasks.exe
PID 4656 wrote to memory of 2656	4656	Client.exe	schtasks.exe
PID 4656 wrote to memory of 752	4656	Client.exe	cmd.exe
PID 4656 wrote to memory of 752	4656	Client.exe	cmd.exe
PID 4656 wrote to memory of 752	4656	Client.exe	cmd.exe
PID 752 wrote to memory of 2704	752	cmd.exe	chcp.com
PID 752 wrote to memory of 2704	752	cmd.exe	chcp.com
PID 752 wrote to memory of 2704	752	cmd.exe	chcp.com
PID 752 wrote to memory of 4420	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 4420	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 4420	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 2900	752	cmd.exe	Client.exe
PID 752 wrote to memory of 2900	752	cmd.exe	Client.exe
PID 752 wrote to memory of 2900	752	cmd.exe	Client.exe
PID 2900 wrote to memory of 1208	2900	Client.exe	schtasks.exe
PID 2900 wrote to memory of 1208	2900	Client.exe	schtasks.exe
PID 2900 wrote to memory of 1208	2900	Client.exe	schtasks.exe
PID 2900 wrote to memory of 828	2900	Client.exe	cmd.exe
PID 2900 wrote to memory of 828	2900	Client.exe	cmd.exe
PID 2900 wrote to memory of 828	2900	Client.exe	cmd.exe
PID 828 wrote to memory of 4668	828	cmd.exe	chcp.com
PID 828 wrote to memory of 4668	828	cmd.exe	chcp.com
PID 828 wrote to memory of 4668	828	cmd.exe	chcp.com
PID 828 wrote to memory of 2668	828	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:760

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsLPUktLY3Hx.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4776

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1376

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYZaJkYbOGaA.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:2244

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2148

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VAvtvPTdvrj3.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:2704

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4420

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YLJtVbjzS2vA.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4668

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2668

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3512

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lxsGmWXMgiw7.bat" "
11⤵
PID:4120

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2824

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4080

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TPs1Yukx1Cfu.bat" "
13⤵
PID:4052

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:2852

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2384

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1016

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P1IuCbBtdzsU.bat" "
15⤵
PID:1752

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4084

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3904

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3936

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vvidqYJTk5ce.bat" "
17⤵
PID:4472

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3640

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4968

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQeAiOhWzeJ7.bat" "
19⤵
PID:3512

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2588

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3704

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3496

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HvahaF5aFD0a.bat" "
21⤵
PID:2428

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:2300

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:988

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6VN6eRDspOpL.bat" "
23⤵
PID:1100

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:3148

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:5064

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PJ7DIIRu64jJ.bat" "
25⤵
PID:1308

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:3356

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:756

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ebumODtYAx3T.bat" "
27⤵
PID:3940

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3792

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4356

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K6qJG4HbQWkv.bat" "
29⤵
PID:736

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1728

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4256

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:224

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VNp8YFZvzbMB.bat" "
31⤵
PID:1544

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:1152

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 2248
31⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 2224
29⤵
- Program crash
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 2232
27⤵
- Program crash
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1708
25⤵
- Program crash
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 2224
23⤵
- Program crash
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 2236
21⤵
- Program crash
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 2196
19⤵
- Program crash
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 1708
17⤵
- Program crash
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 2252
15⤵
- Program crash
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1092
13⤵
- Program crash
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 2196
11⤵
- Program crash
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1608
9⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1612
7⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 1608
5⤵
- Program crash
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1640
3⤵
- Program crash
PID:4336

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4932 -ip 4932
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 892 -ip 892
1⤵
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4656 -ip 4656
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2900 -ip 2900
1⤵
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3512 -ip 3512
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3680 -ip 3680
1⤵
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1016 -ip 1016
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3936 -ip 3936
1⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4648 -ip 4648
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3496 -ip 3496
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3680 -ip 3680
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2348 -ip 2348
1⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4824 -ip 4824
1⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2412 -ip 2412
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 224 -ip 224
1⤵
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6VN6eRDspOpL.bat
Filesize
207B

MD5
fa29c15bc88c1fee2a6e9c8777282e49

SHA1
5a43c79c0b2cec68eb50a89e671e3a4c874a8e01

SHA256
5462c39edaa04478ac04eb7f7a589a21a631fec4179372fc17fde5610396cf75

SHA512
aa09388d492c36384005f75ff93bee76904a2b539254ca238abeaa3ed4a1852614886e24dfbd40cfc0b45e46d6630e54dab44b9802f1707c9dc3cf0c91e348c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HvahaF5aFD0a.bat
Filesize
207B

MD5
e8ae4a8486145d1d5cde320406d0e6f8

SHA1
ec428e2e37c7ff612f15d92cff812bb0b719aa0f

SHA256
6c9f64ad29933d10250a447987122c4876731bc7801544db5ace8c3ad91f09dd

SHA512
baf86956d2011404a9c4b4405c739a53e9c28d59dec35f2c983040bec4d53ea115666a85bf846bd316a0a009a57cf5174704c211853258940b7bdaa65ef0734e

Download Submit
C:\Users\Admin\AppData\Local\Temp\K6qJG4HbQWkv.bat
Filesize
207B

MD5
f1cb578283fecdf46338492fe3dbd295

SHA1
66ddc80062e1ec9a225d2bfbee0e603d57498f6d

SHA256
13c5346ae1caea145df5d2a9f1ba26c49c9d637ecefe68229d25418d8e9b2b5e

SHA512
e49696e41704936a71e04e0012c50c671a3820d2f329e90dbcfa5b7cc24965f9242eb2a644ac47aa851fe212d056bc374b380565af06a5ceeb83bc436a9b153e

Download Submit
C:\Users\Admin\AppData\Local\Temp\P1IuCbBtdzsU.bat
Filesize
207B

MD5
a1121975abac3b96a80d35be667621c7

SHA1
379dc8e11f25400f67fa704109ae171c985e03aa

SHA256
b838c261fed1418d5b2dada6a8a9e827ec927eb8cf216b8559d9416dbd09c5df

SHA512
00b0527bf67ab1d277a2d9786f3f41afec096d7eeebf8bae338892f5cd4d82d6deb7075a7b7b1b320d1717b78aa3a0b8e943d801da144a6867fb77d12ac41434

Download Submit
C:\Users\Admin\AppData\Local\Temp\PJ7DIIRu64jJ.bat
Filesize
207B

MD5
6a68cf7d80c3f15c9435d592c9e189ae

SHA1
1d17f971f94eed79b8854875f9d40464c7530422

SHA256
01e52e5d484266474c7b3b5c7a8f29e810c0501e5891eef2084ec4b747a7c312

SHA512
2240b625d3af0b4b71008b1660ac8b90de275844e4ed5632b2adce1a2e634bd8d8ef29e2729481f8c3ef07336971211093575e264f4c972724142ab8cc48e773

Download Submit
C:\Users\Admin\AppData\Local\Temp\TPs1Yukx1Cfu.bat
Filesize
207B

MD5
6879fee7a7c79d6053445210a8de8f44

SHA1
de5b063f0f686e8af718a0a9171b1fe4a2c4d4a8

SHA256
42fb3f8b671379c78b1df8777fdc3a4ded592b7b1385ac7a434e8b1826d558aa

SHA512
e349cc6d98ba5cf3449db952064e60f06114a4b53b15a3719d590e720d669592a4e01c8f938744be329c49a3f64ebdfed2543870b44985c4346bc4b02c67171c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAvtvPTdvrj3.bat
Filesize
207B

MD5
88abcc22d36754c6dde0252c263229e4

SHA1
205534d408772f8b946b540fa77317e4b04073ba

SHA256
871aa9c605aad7369cc7aff1d1b0d14768d4f486856d9c4eeae74539ca164249

SHA512
ded405ac018e47f3f15e06029166f69f2fe38393197c65978b16d1842aae82cd136a338e609c6a2c065abf06f7f87f3c6e23853e01b2b4d61b9cfe8bce993065

Download Submit
C:\Users\Admin\AppData\Local\Temp\VNp8YFZvzbMB.bat
Filesize
207B

MD5
4be25e9916f82917706eff4fc5451e64

SHA1
33d5c50374ffc7ba798f416faf06f0f46576fb45

SHA256
25a64a1c9f0e9b440af463e6a4a209823a4d883580d7ecff194d826b90c752d0

SHA512
69df3be123659a04fc7d6ac5046966604e1f8160c6d7450ad24d737b4ba7a5239b92d99bba6f5935262f557c678f83d10c64e68109a081a507c1d371348c1ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YLJtVbjzS2vA.bat
Filesize
207B

MD5
6d9b9aec0b39867c868ae1ce69a7863f

SHA1
3c170cb7b090e86b07b197d7501df78e19ea73b3

SHA256
28be0d7364a3693c3d5888446b8da03bdeaff324210be82ca7d8c28c6febfd0c

SHA512
211d81e06a1310614146818b82cb4c552a46555770d96924bffb100152a31cbd9bf3c3f42c32a4d289a53f53b6ede4e49771a130be6616f2dbd3f09bf73c27f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQeAiOhWzeJ7.bat
Filesize
207B

MD5
33d43761861510dea04da9b3f4459e01

SHA1
7d7b1ad6e6bfabe315477d1a62f73c5224f1b837

SHA256
6f010bc58449f84f8456ca22b134076bc0ab82bd162cd2b4d2ae05f5af260a06

SHA512
3db0b5db2a4351ab46d6ae034f78f32499a33ce7b4fd39f72fc4938d795ba4089c2ad4f6462e691990314e2e451e94b6db2b7db395e520a9940ad29e14ba1107

Download Submit
C:\Users\Admin\AppData\Local\Temp\bsLPUktLY3Hx.bat
Filesize
207B

MD5
e5f1cc853503a610ada273793e7de878

SHA1
5ade44e0b989d92346743326954db6af9b37232d

SHA256
55b8b9c53f0f5f2230cda4f1d80150de191b3ff65c34a2550b19288e67571d09

SHA512
aa17907f319c7b8128395abab492aa3a1fd26125de0735a19c6b3de12f294dcad57fd6faca4d1e42262417694619d358e6edf23a3ecc32d5be15dbfd80bca413

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYZaJkYbOGaA.bat
Filesize
207B

MD5
f1325231cd5bae084ed42032656d62e5

SHA1
f231c4bdc516dedc7a955e31c4795fbf05362d83

SHA256
05aabc5147d50cc17ca14eb8d7c12ee40d726849468c1b8b6a3fa9d16f41fc52

SHA512
58475241739df0b9b2634e282e5c64667626a5dfb00f74fcbe5e69aa397db21cc1b2527a6d66bf845ed3c4db02299bbb435d22aae9652d88291d3951bf7b77df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebumODtYAx3T.bat
Filesize
207B

MD5
4e38e13fda93eac168dd9aec3f32c507

SHA1
ce6c92d2a8e581ed14f2214048e9474d7a94adf3

SHA256
f10ea0ced4c4769874fcdcbece9b0597219c94d98445bdbc406c74a775412dd1

SHA512
b705519debfee96019377635e6c93786eac6742aaf6ebc6d527656b29de7d5160df57afc7a415baa45f47393f642e842ef518b4a5713b275fd3d7101399146e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxsGmWXMgiw7.bat
Filesize
207B

MD5
144025ab35a57877a34d467892238d80

SHA1
273ca1acd2279ad0bf6853ce630bbb815777b885

SHA256
e4edbfb8acafcfb6708830b3807bc245598fb41f9e0c3622edf9e146dc673683

SHA512
a5a491f052e19c35b8dec495fc955da4d1126c4a4b1c8cb60fdf304001783981c837d2ba435e1297191dd30488dc635e6101776dea53a2d355933d77fd37ce4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvidqYJTk5ce.bat
Filesize
207B

MD5
ab61d086591627c1dd11194e6fd9f775

SHA1
432091c0da6389c247238d3edfcababa0d931495

SHA256
39082e4a556ef6b14935dac38936b0658a7e7bded64162577742328d819ec6c6

SHA512
ae48b7af0696f440a43cff63ff11ad1754a8299881a69b3a0980b3598f3f1a8f68d372dd49a64632b203e891fd8b425747a625a66988002e8dc5c6e581380691

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
39857ca3a21b43b533c1a4ade2204c4f

SHA1
da61bf9fa038c96a45f995af7d43c3dc77ce9e91

SHA256
1bdee5adbb44f98054d0d50b7caf5fc47251e889122024796de02fc5c11621b9

SHA512
d26aebcd08b4de512660079d3cbd093e548fb16842c0d2b4295f86b2167137c74deb924c7e0dac85763242307e233e1636f103528cc83d05824047f48b36fd9a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
62d2938290718846efba0b142d752b92

SHA1
356ac168007a9187de834bbcbe811baf1f179087

SHA256
f3b6332708f026a34300bd06babe5f02fe0167a085b24e2096b4eb262e9feb31

SHA512
87fbc20c10a4d382de6e9fcf49c970f672381285d4a9bf5e011386debd0585f2826934d8651d5e850b667b0d521c0e141988b17fef28cd09ab7069186a57558a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c3678b61735d5b60f496a7a35bea5b47

SHA1
8b8f37c23499f7e39ff146d3d50fcfe6796da9ac

SHA256
feb801b7e59eae7552a95858278935ba95c5be14dfcec2481eb2b627159d8b3a

SHA512
a3aaca65dbae08ce66186564f36010bfbf77c77ff74cf6ba27cef63aea8f85ce7ff8bb0b97a20be6293fc2e1c4e782f209f8066a230e8d24aa54d25b6ef95770

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
b85913bb3dd1b3bf6479c161f9aec592

SHA1
b7bb438732ecb1e681dbf6d0242af6d58dab2ca8

SHA256
0687a867b4a89b54a4d886a9cbddb60e6aede461a41f018b945c6fb11628ff5b

SHA512
d5b8abc53a3bdc89ad18c3ebe9b0ab66ac3f28d8c2071e9567717c6e4e9e5b087150cdd611f8e2f002b41b6aec4a97aac5cb4baf0bc4021e9006f7b8fc790282

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
3bd40f41f0ec6727600c62b35dd03258

SHA1
2d7315a7437cdd5e00a8007ca6240a1809b6a10f

SHA256
0a4d18a791a17c72305543bb59eda7c431b24cec3ef0785938bf6de0bb5f384d

SHA512
380a30b80b9948b5fe22c477c75594b9012cb31970b547f8b324b78d23d0fe564c0307130a531bf501059b0f8284603289ee488539b3d729bfaf82d1245c2959

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
f81ef3aeff862169bf754a3541a0518f

SHA1
bf3109862ac669c7c7a5de51fa14984f88dc0191

SHA256
81d8806e9bfd53bddc074ac97e4232dd3d22b02e15bfd6a3904caa46e97f6faa

SHA512
6382e4d0b592cf9f248f6cb7ee369bb8319533e69e94a763ff1d70e51d94317cc8adf3b8b8b60166830281f5c517e5bbe8c776bdb3a78106ad93f9177530e740

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
e460c04f5451d4cbfdef6a7a530423f5

SHA1
2584cd8e8f397e5e7337fcaadaf613c9177aaf59

SHA256
21a0510318102e04b677d2b0d040792532bbc809de28844f87e3d498413b3c54

SHA512
a5b09717535e2e6547f6486a4b91fbb2d795369b94d9ca6547dfef83777564045932cb4fe2cb92b156245877dfa358ade26d6b1dea038b50fdc5d602b29893d0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
43a856880652307be0ffe2e49ad3d37e

SHA1
5a601ccd6f0609c4cda951d8f6023af0a117b131

SHA256
954cf5dc92d514d08918448561577e260f8f894ced6b3a3b2ffd234b78f1a069

SHA512
7f629a6a8796d9bf9823ce851cef39deff9255957bbbcdb34072f35c2ffb627ee5be2f81107aba39ad59db32ef9bf743b3d843a8f51c01e6110275458abfd14c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
49c16a9494913ebcf8dfc9978fc4a09e

SHA1
f660e0d47ea1597ff07c942857805227b37aa748

SHA256
05b738b79aa07754f300a4bf718d253b2d7436fdfb4c829ad9ae23e27c63c58b

SHA512
3a926a2d7c9737dfc5158157710723c813584860b5d33e033545e0a40387883597bcdb2f7bb55983807f30a4f3bfb6c44ef502a662891defe54d2c7c996a60e2

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/2824-5-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/2824-4-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/2824-1-0x0000000000A90000-0x0000000000AFC000-memory.dmp

Filesize
432KB

Download
memory/2824-2-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/2824-3-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/2824-8-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/2824-16-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/2824-7-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/2824-6-0x0000000006210000-0x0000000006222000-memory.dmp

Filesize
72KB

Download
memory/2824-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/4932-24-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4932-19-0x0000000006570000-0x000000000657A000-memory.dmp

Filesize
40KB

Download
memory/4932-17-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/4932-15-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download