quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
294s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (14) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral30/memory/4296-1-0x0000000000AA0000-0x0000000000B0C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 16 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1984	Client.exe
3208	Client.exe
5108	Client.exe
4864	Client.exe
876	Client.exe
1832	Client.exe
1952	Client.exe
936	Client.exe
3224	Client.exe
4400	Client.exe
3148	Client.exe
3340	Client.exe
5004	Client.exe
4636	Client.exe
1432	Client.exe
1068	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com
22	ip-api.com
27	ip-api.com
34	ip-api.com
13	ip-api.com
32	ip-api.com
8	api.ipify.org
19	ip-api.com
24	ip-api.com
36	ip-api.com
15	ip-api.com
17	ip-api.com
29	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4188	1984	WerFault.exe	Client.exe
1836	3208	WerFault.exe	Client.exe
4564	5108	WerFault.exe	Client.exe
3804	4864	WerFault.exe	Client.exe
4100	876	WerFault.exe	Client.exe
3132	1832	WerFault.exe	Client.exe
3568	1952	WerFault.exe	Client.exe
2044	936	WerFault.exe	Client.exe
4896	3224	WerFault.exe	Client.exe
4964	4400	WerFault.exe	Client.exe
3788	3148	WerFault.exe	Client.exe
2452	3340	WerFault.exe	Client.exe
1416	5004	WerFault.exe	Client.exe
696	4636	WerFault.exe	Client.exe
208	1432	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4712	schtasks.exe
2044	schtasks.exe
5060	schtasks.exe
2248	schtasks.exe
3380	schtasks.exe
4536	schtasks.exe
4888	schtasks.exe
3860	SCHTASKS.exe
2440	schtasks.exe
3836	schtasks.exe
784	schtasks.exe
880	schtasks.exe
2160	schtasks.exe
1384	schtasks.exe
1596	schtasks.exe
3836	schtasks.exe
4864	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
396	PING.EXE
4932	PING.EXE
660	PING.EXE
4636	PING.EXE
2564	PING.EXE
784	PING.EXE
3288	PING.EXE
4140	PING.EXE
640	PING.EXE
4840	PING.EXE
3592	PING.EXE
4920	PING.EXE
2772	PING.EXE
4316	PING.EXE
3700	PING.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

Uni - Copy (14) - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4296	Uni - Copy (14) - Copy.exe
Token: SeDebugPrivilege	1984	Client.exe
Token: SeDebugPrivilege	3208	Client.exe
Token: SeDebugPrivilege	5108	Client.exe
Token: SeDebugPrivilege	4864	Client.exe
Token: SeDebugPrivilege	876	Client.exe
Token: SeDebugPrivilege	1832	Client.exe
Token: SeDebugPrivilege	1952	Client.exe
Token: SeDebugPrivilege	936	Client.exe
Token: SeDebugPrivilege	3224	Client.exe
Token: SeDebugPrivilege	4400	Client.exe
Token: SeDebugPrivilege	3148	Client.exe
Token: SeDebugPrivilege	3340	Client.exe
Token: SeDebugPrivilege	5004	Client.exe
Token: SeDebugPrivilege	4636	Client.exe
Token: SeDebugPrivilege	1432	Client.exe
Token: SeDebugPrivilege	1068	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1984	Client.exe
3208	Client.exe
5108	Client.exe
4864	Client.exe
876	Client.exe
1832	Client.exe
1952	Client.exe
936	Client.exe
3224	Client.exe
4400	Client.exe
3148	Client.exe
3340	Client.exe
5004	Client.exe
4636	Client.exe
1432	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (14) - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4296 wrote to memory of 2248	4296	Uni - Copy (14) - Copy.exe	schtasks.exe
PID 4296 wrote to memory of 2248	4296	Uni - Copy (14) - Copy.exe	schtasks.exe
PID 4296 wrote to memory of 2248	4296	Uni - Copy (14) - Copy.exe	schtasks.exe
PID 4296 wrote to memory of 1984	4296	Uni - Copy (14) - Copy.exe	Client.exe
PID 4296 wrote to memory of 1984	4296	Uni - Copy (14) - Copy.exe	Client.exe
PID 4296 wrote to memory of 1984	4296	Uni - Copy (14) - Copy.exe	Client.exe
PID 4296 wrote to memory of 3860	4296	Uni - Copy (14) - Copy.exe	SCHTASKS.exe
PID 4296 wrote to memory of 3860	4296	Uni - Copy (14) - Copy.exe	SCHTASKS.exe
PID 4296 wrote to memory of 3860	4296	Uni - Copy (14) - Copy.exe	SCHTASKS.exe
PID 1984 wrote to memory of 4712	1984	Client.exe	schtasks.exe
PID 1984 wrote to memory of 4712	1984	Client.exe	schtasks.exe
PID 1984 wrote to memory of 4712	1984	Client.exe	schtasks.exe
PID 1984 wrote to memory of 1120	1984	Client.exe	cmd.exe
PID 1984 wrote to memory of 1120	1984	Client.exe	cmd.exe
PID 1984 wrote to memory of 1120	1984	Client.exe	cmd.exe
PID 1120 wrote to memory of 2056	1120	cmd.exe	chcp.com
PID 1120 wrote to memory of 2056	1120	cmd.exe	chcp.com
PID 1120 wrote to memory of 2056	1120	cmd.exe	chcp.com
PID 1120 wrote to memory of 396	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 396	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 396	1120	cmd.exe	PING.EXE
PID 1120 wrote to memory of 3208	1120	cmd.exe	Client.exe
PID 1120 wrote to memory of 3208	1120	cmd.exe	Client.exe
PID 1120 wrote to memory of 3208	1120	cmd.exe	Client.exe
PID 3208 wrote to memory of 880	3208	Client.exe	schtasks.exe
PID 3208 wrote to memory of 880	3208	Client.exe	schtasks.exe
PID 3208 wrote to memory of 880	3208	Client.exe	schtasks.exe
PID 3208 wrote to memory of 4336	3208	Client.exe	cmd.exe
PID 3208 wrote to memory of 4336	3208	Client.exe	cmd.exe
PID 3208 wrote to memory of 4336	3208	Client.exe	cmd.exe
PID 4336 wrote to memory of 4112	4336	cmd.exe	chcp.com
PID 4336 wrote to memory of 4112	4336	cmd.exe	chcp.com
PID 4336 wrote to memory of 4112	4336	cmd.exe	chcp.com
PID 4336 wrote to memory of 784	4336	cmd.exe	PING.EXE
PID 4336 wrote to memory of 784	4336	cmd.exe	PING.EXE
PID 4336 wrote to memory of 784	4336	cmd.exe	PING.EXE
PID 4336 wrote to memory of 5108	4336	cmd.exe	Client.exe
PID 4336 wrote to memory of 5108	4336	cmd.exe	Client.exe
PID 4336 wrote to memory of 5108	4336	cmd.exe	Client.exe
PID 5108 wrote to memory of 2440	5108	Client.exe	schtasks.exe
PID 5108 wrote to memory of 2440	5108	Client.exe	schtasks.exe
PID 5108 wrote to memory of 2440	5108	Client.exe	schtasks.exe
PID 5108 wrote to memory of 2888	5108	Client.exe	cmd.exe
PID 5108 wrote to memory of 2888	5108	Client.exe	cmd.exe
PID 5108 wrote to memory of 2888	5108	Client.exe	cmd.exe
PID 2888 wrote to memory of 2584	2888	cmd.exe	chcp.com
PID 2888 wrote to memory of 2584	2888	cmd.exe	chcp.com
PID 2888 wrote to memory of 2584	2888	cmd.exe	chcp.com
PID 2888 wrote to memory of 4932	2888	cmd.exe	PING.EXE
PID 2888 wrote to memory of 4932	2888	cmd.exe	PING.EXE
PID 2888 wrote to memory of 4932	2888	cmd.exe	PING.EXE
PID 2888 wrote to memory of 4864	2888	cmd.exe	Client.exe
PID 2888 wrote to memory of 4864	2888	cmd.exe	Client.exe
PID 2888 wrote to memory of 4864	2888	cmd.exe	Client.exe
PID 4864 wrote to memory of 2044	4864	Client.exe	schtasks.exe
PID 4864 wrote to memory of 2044	4864	Client.exe	schtasks.exe
PID 4864 wrote to memory of 2044	4864	Client.exe	schtasks.exe
PID 4864 wrote to memory of 1864	4864	Client.exe	cmd.exe
PID 4864 wrote to memory of 1864	4864	Client.exe	cmd.exe
PID 4864 wrote to memory of 1864	4864	Client.exe	cmd.exe
PID 1864 wrote to memory of 2580	1864	cmd.exe	chcp.com
PID 1864 wrote to memory of 2580	1864	cmd.exe	chcp.com
PID 1864 wrote to memory of 2580	1864	cmd.exe	chcp.com
PID 1864 wrote to memory of 660	1864	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2248

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eydYZm8p9GGB.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2056

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:396

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tibZIPUCvpQu.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4112

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:784

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G1GfSCyiJ3q1.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:2584

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4932

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCWIiFqaxVYP.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:2580

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:660

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:876

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WG7RReEuTrBV.bat" "
11⤵
PID:3492

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2780

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4636

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeZcWfZ6NBLr.bat" "
13⤵
PID:3148

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:880

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3592

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pFBmObrhTAsW.bat" "
15⤵
PID:1712

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:5072

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3700

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAPEpJ8b64Jb.bat" "
17⤵
PID:3804

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3860

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3288

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2iHXmci7Giyj.bat" "
19⤵
PID:3492

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2388

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4920

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6PYJedsHB9Kb.bat" "
21⤵
PID:208

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4112

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4140

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3148

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4W704WwHUuS5.bat" "
23⤵
PID:1688

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:3448

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2772

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3340

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\En5pMhEb2z4K.bat" "
25⤵
PID:1452

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2188

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4316

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AyLSdk6TfRmi.bat" "
27⤵
PID:1392

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:5052

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:640

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LFKIvvOnEXOy.bat" "
29⤵
PID:2588

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:4980

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4840

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f35PZncoVCIw.bat" "
31⤵
PID:4056

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:3752

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2564

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 2248
31⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1092
29⤵
- Program crash
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1092
27⤵
- Program crash
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 1516
25⤵
- Program crash
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 2220
23⤵
- Program crash
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1688
21⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 1708
19⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1092
17⤵
- Program crash
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1716
15⤵
- Program crash
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 2232
13⤵
- Program crash
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 2200
11⤵
- Program crash
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1644
9⤵
- Program crash
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 2196
7⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 2176
5⤵
- Program crash
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 2164
3⤵
- Program crash
PID:4188

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1984 -ip 1984
1⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3208 -ip 3208
1⤵
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5108 -ip 5108
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4864 -ip 4864
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 876 -ip 876
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1832 -ip 1832
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1952 -ip 1952
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 936 -ip 936
1⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3224 -ip 3224
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4400 -ip 4400
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3148 -ip 3148
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3340 -ip 3340
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5004 -ip 5004
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4636 -ip 4636
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1432 -ip 1432
1⤵
PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2iHXmci7Giyj.bat
Filesize
207B

MD5
140e7d210262d61ef74f6efd68bc4977

SHA1
d638bffb980adbe5e77c331bf831a686a4aae575

SHA256
5de49f8b850e56bf01b573e710250d0ce413d16b9a295028462632c4a55ee93d

SHA512
29969a79ea409e4d84cd597ad394bd271d9cbf153d8875ac37a8739d2acd04542e5e1b96602f4fb09fa938a45f8857cf3b1ca0ca7f2f14697c87dd48707ce2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4W704WwHUuS5.bat
Filesize
207B

MD5
148f8b09cdd946b31faa1f6dcf44009c

SHA1
67848e8ec54c308e4ee97a5db7e7d1684a737799

SHA256
dbe050c06e2ad7762be10f3bf871f79735225a03a1a0191654b010733c772ed8

SHA512
85b88bb12867f94fbba0a2178c83ef2f88a76a4ee52f39e000a889e3fb8418447f039533f91587cd5a4755ce88f658849beef0e56783c9f77844886e33027433

Download Submit
C:\Users\Admin\AppData\Local\Temp\6PYJedsHB9Kb.bat
Filesize
207B

MD5
66fc4029a9acd691e5f69f2a98d2cb0f

SHA1
84d08c3bf46d457783e27aac34439729f560872b

SHA256
7fb1c2fc90eab45c660f2af3a5f92f868720b1980d98573bd20d77bdfc8c3d80

SHA512
7e9e91caf28c11b30c204b7d24cf40d0047b20dcecb8abf03029a8b208cfb57bb01363c4b2c1075f22fbdc71d317d70d221503364c6c1d6d61914f256311bfc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AyLSdk6TfRmi.bat
Filesize
207B

MD5
22e2fe5c1d70bb9ebdd146b9d03c02e2

SHA1
2b59bcd0d7360e8aad733e9cad2e0792951b4bba

SHA256
db8b01df69a43e0d382af898ce00b0dc512372903719b42c0fa77c8ee513ee8d

SHA512
25e9cb99abb31a04a5654ddd41a666d04849a97b2b94c05c8bc89e7ecb4a9159c56a9a87a65b8a432099ab36220005952f5068008ca1ef488631af88a7079eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCWIiFqaxVYP.bat
Filesize
207B

MD5
f735f0b2b62ad8115a70b3ee8b718d65

SHA1
40a1263641f0e8c827c5c61b1cde3313bf8dfbb7

SHA256
87641ad833f79cbe6a727812393329ba171e03f2de8a8fa1deb2082ef891f147

SHA512
fb23e197c76da43d4023d2d487da3652b5f5f92bd86e042dd88babb9b8af883ece37e75608db6dcef417e14715bd7797b0912d7ae8248e57102e6a03a0d9bb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\En5pMhEb2z4K.bat
Filesize
207B

MD5
bc38cfc7668558bea0964482e76caa29

SHA1
61cae5c9f5a833e44bf6a63d414e260147dfea22

SHA256
f118ebabfb6025119bf0991e3714a93ad7a350279607ebbddea59a075abaa8f3

SHA512
5563d9987a13661eaba11a29c30967419292e9923e62b3fcd368e600c4b1178743557ddb92d7afb449fabfe92f4792ee17edccc7838838853b7aa30501116c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1GfSCyiJ3q1.bat
Filesize
207B

MD5
bcb8b7a7f83d8609cae7e24449f0f3ad

SHA1
70e172f776ba884c1e0fe93d85fff6d54d07ca06

SHA256
58b59bfb9f3aadedc906fbec2597d91ca09a045e35331744921d1284e3c886f8

SHA512
eb5239eb67fb0cf78020e033e9a45adf7327a0e383990887e027545b69fbe5fc05419dd09e574cb57cbd537628cd83bda04b38355a4c0b405c57989bd2e01910

Download Submit
C:\Users\Admin\AppData\Local\Temp\LFKIvvOnEXOy.bat
Filesize
207B

MD5
ae2773a9fe5c1828f5e14d5c3295e204

SHA1
999107b5bcd25ba97db4769e60e3e3530f9c67c6

SHA256
bec17a95333f140864407721114f749f58012d70f2e3c9e490d4cb3d41d06543

SHA512
e1e5e4c46ebdb740c603d2ab5c77251b973034e34e1f4d3ededcd2f0cee84ee968fc625867a916e48446b6c3b319b2db94d903ae71baeb0b2d0be1435171b9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAPEpJ8b64Jb.bat
Filesize
207B

MD5
8cdefdad9781251d18c936186c8b53d8

SHA1
5597475f3ec27ae582513166b3faca5d2a178ded

SHA256
4a97a4b69f8757196a3321d3b8bd12f0da609f00b6a5f52ab7a69253b4150399

SHA512
8635b708fc7631cc26f1d769d32e112cb7c3cda06206adc3a8e93062b7d45b86835f3e9388bde275ee89dcc1f2cffd79efb6bb1217b5e56d1c5f292e77cc3868

Download Submit
C:\Users\Admin\AppData\Local\Temp\WG7RReEuTrBV.bat
Filesize
207B

MD5
07702f6c759e7213945b324141421405

SHA1
8a3d172c82de14d563e97ee1418781ec944c80c7

SHA256
a4c7421ad62cbf10ba1e39321ad949f538fcef54b28a61494e2917ba015bef4a

SHA512
192c173bfad2b0c2c787171ed24083141dfdb4fd25a25fae12b8cc74572df8b1767fcf453507134bda1f28eb18a1d0ce5fcc6af65d08c6e811333aa5c4d0e4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\eydYZm8p9GGB.bat
Filesize
207B

MD5
2cb9aaea3c7feca92e15ca3322a768d9

SHA1
a2b00159aaee73d9ee0f5e38c4174c9bbc42ef85

SHA256
6a3b3e3b76c6740e2390fc832d8587627778484fee0edcc8adfbe3afe7860bf6

SHA512
2eea8068d2bca6465ff725bcd27c55f76ba181375728d2b2d4b1eb0ce1ba8d5b2e39a547a534dbf602fba5773f027b4318fcc5bd009ff98d422fef0df4fabf72

Download Submit
C:\Users\Admin\AppData\Local\Temp\f35PZncoVCIw.bat
Filesize
207B

MD5
605268c14e9de363a97cfd47618bde7b

SHA1
58321be1b698344df450b42895bfe083850a4263

SHA256
eafc1efa5dafc5251f55313ccc9209c9923223e6fe2097dd18f902917086a4bd

SHA512
09af184f5e64ab2d2ec3b7eca0b03ea3c146c87365add4fa972193def6c533a971c0c4fee2f3d669776c63ce8375531a5d9dc71d52f1769606590b88314342f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFBmObrhTAsW.bat
Filesize
207B

MD5
0d57f0e1952f7623f419424f4b0e9e72

SHA1
b8a1f1e1b57ebdf018917db41bf7d22932f10674

SHA256
627385bb1f52e1d6f33f07d8ba1ed5dff608704c2d42914514f04ed9362db323

SHA512
96d0f779d70fa344c7e5c5cbaa43a2af9c3b4af16220ce4713c478160f41bbc866bb58a2ede2292206f8f3f771734a4e3774a0d33c798657fe55b7b20bb39f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tibZIPUCvpQu.bat
Filesize
207B

MD5
bc3830992f9bb8d216c131e35d8e3fac

SHA1
48688ca4cd239cd926c49a3c2ae24c837dd0c1a8

SHA256
dbbdaa93aea379d277804f864d8ac9428edd10edd4cb4c881ed6f6c40f3a76e9

SHA512
ea5c918781003035cbe0aa930b7fdbad1814f48f5e8958eae876b89dd5265d95787eca7f4f998b070c77c93cecd22f92f7fb7fd5125954cb6ec0cde625333526

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeZcWfZ6NBLr.bat
Filesize
207B

MD5
7866fc4151663471faf40ef1e0bc2ece

SHA1
f003b00febbce0832e42087d5f6db4e8a036d6fa

SHA256
417f87c76d45cafab7743101fc23e862d1829a0f2a25299d566aa4e1130e89cc

SHA512
c5dc14a7623f637209fb376c9fa1b5327ca082f9ccf33fc04c8e2834278996309ffaed4d1f695b27191afcbd672b0a2fba98fb437847895d419c86567445e54b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
da6a7a97ed43a7eaa569609eb1bb6a39

SHA1
87fdfa76a15bb718f79572c2bab68c4bb2f85d1e

SHA256
d8a38604702b1c2bce0ecc7c1941f7ba0ee5d97dc8a0a8b1d01e53626e0eec6d

SHA512
83fb889f85008a72d3a3b59bcbfa2bbe824c4b898e69e52b9eef724d435dd01c039486c5cb749fd40fb1f094876c4a976a6af7fe6af1a74835affdc6e842b4b7

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
40009b0c430ef02781a49edcbbc10432

SHA1
f761db2fa3e08e03df5476f88fb96a51fc9230a7

SHA256
bf58666fa1fff99cdffcfbe2edad24f487894a998a94a4f47e7b05c2a5140b4c

SHA512
c5ca6fec25bdd25887e0a789e56c132fd65e914b06fbe9a72d62abf66ad1d6edc8edfec3467a24dcc86bcc1217d9e3004d5a08de1e46a921f4a899a040618dda

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
f49f6bf6ec1100c66e660ebfa237a5c9

SHA1
686b507e4acc366d54cb07e11cf22b351b0172b2

SHA256
8a7ccb67406a8755382cd68a3ec6e00a48a76ed88a8f1fbabbeecad7a0ff3553

SHA512
44891f2c0d9cad9b0055a5a11ef4d4a01c957cfc961752657a7549bedc8592b64389fa31f3db678cca13b9618d9624aafd3f75f388eb2b111c67f09e3acb7575

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
a33ac7d2fa63ec71b293009457496df9

SHA1
6ec11bf8b367be39c630b18d0221f15eb2827c98

SHA256
159d570bf8c9b4df6b2f99ab529c9d78703468d599cc74a41ccf451094587ef3

SHA512
e76c0abe784b6e989b3e59f7a43d4c3adf3ed610589ed7e082f0f207a03847418e84136cdad01d918dcf867229da02ad145fb43bf47c261f84e2e177acf39dc4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
bcc3178b4c70739f1e07db605ec312b6

SHA1
f1e2822ba73971f8b0eab00a6b094a162e62887c

SHA256
cf988455aa84acfe411f37969c40dfaa6c2e5d940b5196044a5708e22e175a65

SHA512
90ae93d586c00e127943529856149ef622653e12e55f83250f36c765252617e3029ce5edbaed1d70d3af8414fd6dcb803a12e502ff2fafe8712717e8fbfcdfcb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
dcfdcf5874ddfb4f5422c808b26d19e6

SHA1
78d512869b861662c646f60fcbd74bc6475f6706

SHA256
e6b046a8edef63070ff6a395e30175280dd80d4a9639cfb8d0236f6665edf357

SHA512
e54f9f6c95d7eceeffe43059fcdcfdd7fc3a327656f1ce69d11cf9733f3541d76e0ba77b0b42cee796c54e27ed9775f875a59f632549b6e2f9108798b9b9f29c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
aa75e41dc53dc90a741b58d891855c60

SHA1
e7a9988ae79eacde543f89d49409c829535d6164

SHA256
796d904d949768be50185a9773a586f2f5dfdcd065da0b43d40c7c3bc3f38a9d

SHA512
ed165696d22313f39649ff3982fe1082a747bd556f8065fdf26b4081e3201e58dcd6c74c7fb114f1a32c44a08e75bb3db26ee135208568bd94b63b6e14c84fba

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1984-24-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1984-19-0x00000000062C0000-0x00000000062CA000-memory.dmp

Filesize
40KB

Download
memory/1984-17-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1984-15-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4296-16-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4296-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/4296-8-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4296-7-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/4296-6-0x0000000005450000-0x0000000005462000-memory.dmp

Filesize
72KB

Download
memory/4296-5-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/4296-4-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/4296-3-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/4296-2-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/4296-1-0x0000000000AA0000-0x0000000000B0C000-memory.dmp

Filesize
432KB

Download