quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
296s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (10) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral4/memory/1660-1-0x0000000000860000-0x00000000008CC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4380	Client.exe
5052	Client.exe
1976	Client.exe
4228	Client.exe
2144	Client.exe
1608	Client.exe
928	Client.exe
1872	Client.exe
512	Client.exe
912	Client.exe
4136	Client.exe
4864	Client.exe
3456	Client.exe
2560	Client.exe
1204	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com
17	ip-api.com
25	ip-api.com
27	ip-api.com
21	ip-api.com
23	ip-api.com
31	ip-api.com
33	ip-api.com
8	api.ipify.org
13	ip-api.com
15	ip-api.com
19	ip-api.com
29	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4924	4380	WerFault.exe	Client.exe
1448	5052	WerFault.exe	Client.exe
4348	1976	WerFault.exe	Client.exe
1964	4228	WerFault.exe	Client.exe
1524	2144	WerFault.exe	Client.exe
2752	1608	WerFault.exe	Client.exe
4348	928	WerFault.exe	Client.exe
5112	1872	WerFault.exe	Client.exe
2168	512	WerFault.exe	Client.exe
1604	912	WerFault.exe	Client.exe
4624	4136	WerFault.exe	Client.exe
2252	4864	WerFault.exe	Client.exe
1580	3456	WerFault.exe	Client.exe
5088	2560	WerFault.exe	Client.exe
4712	1204	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4280	schtasks.exe
1512	SCHTASKS.exe
1216	schtasks.exe
1400	schtasks.exe
5044	schtasks.exe
3612	schtasks.exe
2928	schtasks.exe
2932	schtasks.exe
1344	schtasks.exe
4656	schtasks.exe
760	schtasks.exe
1640	schtasks.exe
1412	schtasks.exe
2828	schtasks.exe
3076	schtasks.exe
4576	schtasks.exe
3712	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3820	PING.EXE
4996	PING.EXE
1508	PING.EXE
4100	PING.EXE
2252	PING.EXE
2368	PING.EXE
3392	PING.EXE
4792	PING.EXE
1668	PING.EXE
3904	PING.EXE
4620	PING.EXE
5084	PING.EXE
2588	PING.EXE
548	PING.EXE
5048	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (10) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1660	Uni - Copy (10) - Copy - Copy.exe
Token: SeDebugPrivilege	4380	Client.exe
Token: SeDebugPrivilege	5052	Client.exe
Token: SeDebugPrivilege	1976	Client.exe
Token: SeDebugPrivilege	4228	Client.exe
Token: SeDebugPrivilege	2144	Client.exe
Token: SeDebugPrivilege	1608	Client.exe
Token: SeDebugPrivilege	928	Client.exe
Token: SeDebugPrivilege	1872	Client.exe
Token: SeDebugPrivilege	512	Client.exe
Token: SeDebugPrivilege	912	Client.exe
Token: SeDebugPrivilege	4136	Client.exe
Token: SeDebugPrivilege	4864	Client.exe
Token: SeDebugPrivilege	3456	Client.exe
Token: SeDebugPrivilege	2560	Client.exe
Token: SeDebugPrivilege	1204	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4380	Client.exe
5052	Client.exe
1976	Client.exe
4228	Client.exe
2144	Client.exe
1608	Client.exe
928	Client.exe
1872	Client.exe
512	Client.exe
912	Client.exe
4136	Client.exe
4864	Client.exe
3456	Client.exe
2560	Client.exe
1204	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (10) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1660 wrote to memory of 1412	1660	Uni - Copy (10) - Copy - Copy.exe	schtasks.exe
PID 1660 wrote to memory of 1412	1660	Uni - Copy (10) - Copy - Copy.exe	schtasks.exe
PID 1660 wrote to memory of 1412	1660	Uni - Copy (10) - Copy - Copy.exe	schtasks.exe
PID 1660 wrote to memory of 4380	1660	Uni - Copy (10) - Copy - Copy.exe	Client.exe
PID 1660 wrote to memory of 4380	1660	Uni - Copy (10) - Copy - Copy.exe	Client.exe
PID 1660 wrote to memory of 4380	1660	Uni - Copy (10) - Copy - Copy.exe	Client.exe
PID 1660 wrote to memory of 1512	1660	Uni - Copy (10) - Copy - Copy.exe	SCHTASKS.exe
PID 1660 wrote to memory of 1512	1660	Uni - Copy (10) - Copy - Copy.exe	SCHTASKS.exe
PID 1660 wrote to memory of 1512	1660	Uni - Copy (10) - Copy - Copy.exe	SCHTASKS.exe
PID 4380 wrote to memory of 4576	4380	Client.exe	schtasks.exe
PID 4380 wrote to memory of 4576	4380	Client.exe	schtasks.exe
PID 4380 wrote to memory of 4576	4380	Client.exe	schtasks.exe
PID 4380 wrote to memory of 4928	4380	Client.exe	cmd.exe
PID 4380 wrote to memory of 4928	4380	Client.exe	cmd.exe
PID 4380 wrote to memory of 4928	4380	Client.exe	cmd.exe
PID 4928 wrote to memory of 3296	4928	cmd.exe	chcp.com
PID 4928 wrote to memory of 3296	4928	cmd.exe	chcp.com
PID 4928 wrote to memory of 3296	4928	cmd.exe	chcp.com
PID 4928 wrote to memory of 5084	4928	cmd.exe	PING.EXE
PID 4928 wrote to memory of 5084	4928	cmd.exe	PING.EXE
PID 4928 wrote to memory of 5084	4928	cmd.exe	PING.EXE
PID 4928 wrote to memory of 5052	4928	cmd.exe	Client.exe
PID 4928 wrote to memory of 5052	4928	cmd.exe	Client.exe
PID 4928 wrote to memory of 5052	4928	cmd.exe	Client.exe
PID 5052 wrote to memory of 2828	5052	Client.exe	schtasks.exe
PID 5052 wrote to memory of 2828	5052	Client.exe	schtasks.exe
PID 5052 wrote to memory of 2828	5052	Client.exe	schtasks.exe
PID 5052 wrote to memory of 3056	5052	Client.exe	cmd.exe
PID 5052 wrote to memory of 3056	5052	Client.exe	cmd.exe
PID 5052 wrote to memory of 3056	5052	Client.exe	cmd.exe
PID 3056 wrote to memory of 716	3056	cmd.exe	chcp.com
PID 3056 wrote to memory of 716	3056	cmd.exe	chcp.com
PID 3056 wrote to memory of 716	3056	cmd.exe	chcp.com
PID 3056 wrote to memory of 2588	3056	cmd.exe	PING.EXE
PID 3056 wrote to memory of 2588	3056	cmd.exe	PING.EXE
PID 3056 wrote to memory of 2588	3056	cmd.exe	PING.EXE
PID 3056 wrote to memory of 1976	3056	cmd.exe	Client.exe
PID 3056 wrote to memory of 1976	3056	cmd.exe	Client.exe
PID 3056 wrote to memory of 1976	3056	cmd.exe	Client.exe
PID 1976 wrote to memory of 3612	1976	Client.exe	schtasks.exe
PID 1976 wrote to memory of 3612	1976	Client.exe	schtasks.exe
PID 1976 wrote to memory of 3612	1976	Client.exe	schtasks.exe
PID 1976 wrote to memory of 2296	1976	Client.exe	cmd.exe
PID 1976 wrote to memory of 2296	1976	Client.exe	cmd.exe
PID 1976 wrote to memory of 2296	1976	Client.exe	cmd.exe
PID 2296 wrote to memory of 4416	2296	cmd.exe	chcp.com
PID 2296 wrote to memory of 4416	2296	cmd.exe	chcp.com
PID 2296 wrote to memory of 4416	2296	cmd.exe	chcp.com
PID 2296 wrote to memory of 2252	2296	cmd.exe	PING.EXE
PID 2296 wrote to memory of 2252	2296	cmd.exe	PING.EXE
PID 2296 wrote to memory of 2252	2296	cmd.exe	PING.EXE
PID 2296 wrote to memory of 4228	2296	cmd.exe	Client.exe
PID 2296 wrote to memory of 4228	2296	cmd.exe	Client.exe
PID 2296 wrote to memory of 4228	2296	cmd.exe	Client.exe
PID 4228 wrote to memory of 2928	4228	Client.exe	schtasks.exe
PID 4228 wrote to memory of 2928	4228	Client.exe	schtasks.exe
PID 4228 wrote to memory of 2928	4228	Client.exe	schtasks.exe
PID 4228 wrote to memory of 1516	4228	Client.exe	cmd.exe
PID 4228 wrote to memory of 1516	4228	Client.exe	cmd.exe
PID 4228 wrote to memory of 1516	4228	Client.exe	cmd.exe
PID 1516 wrote to memory of 1572	1516	cmd.exe	chcp.com
PID 1516 wrote to memory of 1572	1516	cmd.exe	chcp.com
PID 1516 wrote to memory of 1572	1516	cmd.exe	chcp.com
PID 1516 wrote to memory of 3392	1516	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1412

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lUHveIzSWVxx.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:3296

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:5084

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rhTf1FP6ZUqx.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:716

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2588

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3yDe48LqYA5R.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4416

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2252

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gl6RtEtfEpEq.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:1572

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3392

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x4ybiGFXL8V1.bat" "
11⤵
PID:5064

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4656

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4792

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zG5Yn6ncZazy.bat" "
13⤵
PID:3984

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:2428

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1668

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:928

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AX3N6H5w7gbE.bat" "
15⤵
PID:1960

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:540

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3904

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat" "
17⤵
PID:4324

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4316

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:548

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:512

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgLtjhTiOaht.bat" "
19⤵
PID:4376

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:3964

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1508

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q5bobSyDoiX9.bat" "
21⤵
PID:936

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:1564

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2368

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQ8Db08xowjq.bat" "
23⤵
PID:1488

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4176

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4100

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zv4kTqW14VPI.bat" "
25⤵
PID:916

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:1236

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4620

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:2932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hv956tX912zg.bat" "
27⤵
PID:1384

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:1436

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3820

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J7G2Cj6EFUTd.bat" "
29⤵
PID:2400

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:3624

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4996

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jVjDHjRQ9pdz.bat" "
31⤵
PID:4816

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:1344

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 2248
31⤵
- Program crash
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 2224
29⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 2232
27⤵
- Program crash
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1092
25⤵
- Program crash
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1708
23⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 1092
21⤵
- Program crash
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 2224
19⤵
- Program crash
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 1692
17⤵
- Program crash
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1708
15⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 1708
13⤵
- Program crash
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1092
11⤵
- Program crash
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 2196
9⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 1632
7⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 1620
5⤵
- Program crash
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1896
3⤵
- Program crash
PID:4924

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4380 -ip 4380
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5052 -ip 5052
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1976 -ip 1976
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4228 -ip 4228
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2144 -ip 2144
1⤵
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1608 -ip 1608
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 928 -ip 928
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1872 -ip 1872
1⤵
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 512 -ip 512
1⤵
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 912 -ip 912
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4136 -ip 4136
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4864 -ip 4864
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3456 -ip 3456
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2560 -ip 2560
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1204 -ip 1204
1⤵
PID:716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3yDe48LqYA5R.bat
Filesize
207B

MD5
e834e4a0a112bd4616c039317fc29813

SHA1
3e2d3cd4ece4eb132b2268c486cd219023e08178

SHA256
d9448c070fc333fa3dd8126574f1d721a6e44dbef262fc81443f7202b1a702d6

SHA512
15eb6e7679200ace1147216337d8d4443d00ef338834bd967fc460d58ffd0053e0be563d68fee9489f1ad9fa969788f208cceb73d7491676a4abbd2f518491fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AX3N6H5w7gbE.bat
Filesize
207B

MD5
0eafcd275c430ed3b893ee7ec7a98ca1

SHA1
2103c06dbac3beb26654e65ac798c0b9a3f3297a

SHA256
beba39e9c206cdec7658f48fe01e9fd4024a1f45f55b56f2801888881babf0eb

SHA512
d01da5beb16239aacd8cd8834d829e62ab6c75e74e3d35b5ac58cd042e8e0e851ecb94d645d653d244b08590676dc95489c0ee6fae72d2db2402078688b4ca6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gl6RtEtfEpEq.bat
Filesize
207B

MD5
8f0d905b348d8d9238d1978cfcb58404

SHA1
91d9d03a9b5e48a03c240543a3c6728b4c07fc05

SHA256
97a03b99a161ddeba7b54bc054d802a8b76de4e6c4b95f20261b0ae2b6ebdb85

SHA512
92d9069bcc47c954b7b08dc2fb6c49c95fee2b8e8e9b980eaebfcf74f6b0c4673b4d342d40f7453021b2bba00c448b7e0d22642965769d8c252b5e081e4b0a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hv956tX912zg.bat
Filesize
207B

MD5
1dbbdd51870908a64ddef12ab5eca127

SHA1
33eedf8ba9523219ec40fc3de232e3bb6246e8f5

SHA256
ba5b8648aed458137f71935e68f84a68e07116e16d40d609343a528a6299dfa3

SHA512
6811bad1f851784930a22e4a657771b0bfc5eb974f6e8bb996fa3e140acf9417d8bb82b59fd342253d16cff4fc350fcea32c14a9126cb96dcb9058b71d09c63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\J7G2Cj6EFUTd.bat
Filesize
207B

MD5
58422cab926749e2b4e5f9b27e09754e

SHA1
1a77d6d6236f322b3084221c2795a432e58b32e7

SHA256
72ac0ad88ef12f3ca11b3a435bdc47a551b34758a5afd421710768988c2eabbd

SHA512
20ec31569453f0407317668d43bbaf80a048ee830806f6f3e9c3b38f28aee46a17a51cf3272210085003a8b6338a9c1a85f6a46cdc6daebe890363b7f8b4eb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6QJzComgFo.bat
Filesize
207B

MD5
fca918401b9f049ba5b5d4539bbb417f

SHA1
2cdeb9d54acc29a51a98f4bc859673c5ec786879

SHA256
684e02e766fa1f723388f802c7f5a15df9258467c5abcab7a483457f681220ad

SHA512
29acf29a6cccda64ce38f2d6dab7697d765cc14306c46e54e2f79f1a12f7def33d7fc192c12a684e1619872334adab6e93840c5b05e6a66279e65138a1b829e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q5bobSyDoiX9.bat
Filesize
207B

MD5
4f835b7450e47fb7d7ac0c6eff0ee543

SHA1
de621a585af218745de10cd8531fba2e3af12ab9

SHA256
d696f0e15f19fa5b45f6bf77a9661466724a48f184efe5c7398ae51deaeb943c

SHA512
49f640dde2b38229189d142e4e9c4eeb2e707c0060df6eef3053f2403c1ad32bbdaffaaf53d9b960e51ac9d6683adff1f1782b1fa92a457bbfc1823a1875e232

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zv4kTqW14VPI.bat
Filesize
207B

MD5
a159dfaf591050682dbc4994139c0df4

SHA1
957f7ffcbf88795ea0c629bcfa9df08da597e755

SHA256
224d12f1a2dad13e59100c47cb32bf868e1575a1ee886283d5f21c19e0047721

SHA512
4b87a5b8afe9a6ef809bd9fbbbcd288f4129e3b21f3a8dea7b1ac905119d4366108d5b6a5c5dba8c62ff7877e783b8714019da78329f58e9ef804147dce69038

Download Submit
C:\Users\Admin\AppData\Local\Temp\jVjDHjRQ9pdz.bat
Filesize
207B

MD5
b2fe1152f864b5511b146dd252778e2f

SHA1
e7f94d25a81fb26f6d0a8a1508d3f195cf2b0795

SHA256
4e74d8210fa052254e142541094191e801be528aa18446f954105700d52887f7

SHA512
034bf4921b4beb588c81e0f6be35e3e560bf7705e3d681487519331ffe5a7b279389cb55f8be2499a6e387c9e82b4a85e67600353d9222398daa146e04cce366

Download Submit
C:\Users\Admin\AppData\Local\Temp\lUHveIzSWVxx.bat
Filesize
207B

MD5
556e2c9bc653231c5e40dd3972b43230

SHA1
8177e60b4efc1b7fc79fbb3c6003643b0fa36d42

SHA256
3c81eb2679c45bc94baf95b9ae03946b34e5ddef1b2c9a50240366daed565281

SHA512
9531d814c20f94857491bdafbbb1b574abddfd95457b4c6e7dd4d52de36b980fa2b4275c655fdea6dafcd6f4fe42f4ed390c3eea737cd0e29ee4550843a389f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhTf1FP6ZUqx.bat
Filesize
207B

MD5
8d3d6a8245533f2b0acad2d315b73f1c

SHA1
e09a8809d717ab53bfe9868efe50e0eb03132df0

SHA256
69c90c0ad720df82e1a40dc100c30b72a1b3eefcd53a86e37aee0566faf09be4

SHA512
20f4665c900b64bde216f8100efc2bfbcc69df113f3265cfe224ccd9db3da13e2522e4453d5b4facb982b4dad083a9fa36b3840abb0f7fa443722910b85da02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQ8Db08xowjq.bat
Filesize
207B

MD5
6e82a7bc30afe439114ff69e76e59e4a

SHA1
9e14c777b99b293d0160afcfdd618afea6629bcf

SHA256
a04a946b3db7963ed59da825dddc7e657f2fe7d72a79dca7d31f210815d97fb7

SHA512
3d57acf757f766e0accfa16ac5ec94110507f3d8b2ad0f3af8e33181f51defc0b7a040d501cd298d5178c4a5222c7a92710049148c639dabad3bacd9d932b3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgLtjhTiOaht.bat
Filesize
207B

MD5
69431b528e343ee12f9e3bf9d1fd4e24

SHA1
01c68cb49e1ca97b312218926679a4ceeea3b107

SHA256
9d1a1557d6fe82ffb39288b3247aac6d101c71e09f674a47764d59db2c5851f4

SHA512
26e1525c1f8cd96171109d7f4e53e432cb07bde1c3c0e5ca07b597a0d3395f7e18d65b6b3361df1aa7c2e9d18c86d1759c23959a169c2f1b85d525d4907cf923

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4ybiGFXL8V1.bat
Filesize
207B

MD5
2201105f24203c67bce2905735269eb3

SHA1
251b17bd742dabe46b4f4e244e4157e43b7b93bb

SHA256
9357ac4051e007c3205a8742ceb3783c4f6503eee6a948421687b0bd0831d6f6

SHA512
22282bbc170361c194226a457715adf16030a5c19bd846957a1c8f14d0c4ae6558ca09e999c66269ddf8922cf29d787584ecb048e1637f285eab31a62042fa29

Download Submit
C:\Users\Admin\AppData\Local\Temp\zG5Yn6ncZazy.bat
Filesize
207B

MD5
ce01692f5ba1c879c2a722d4fa4ae823

SHA1
b194206d2383be31de1d0977fc8755b7bc5eb1e5

SHA256
19ccba77ecc47cbeda9e067c6bfbc205dedb829d9e9eb18f12d2d45f3be23825

SHA512
6351d5d4da841b708bbc366a8c0ea46b6f4b22f4bfde28b7091be6fc6274218ce69ef9d83d1f38f63bce2400994fa126452081d35c310ce44d57aa5f0af4ba87

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
a8c6ea3eb0e6805e0e4d71b0a7320e2a

SHA1
abdb5b423bec19f4bc809a7bdada2a73a11138e8

SHA256
a70eef9c00ec8e4824dcb5414bf3e3a464de1f1a129b3b9dddb5e914968bb87e

SHA512
4e006ac87df5ae7e0f5a14e2083efc495aeab4628aaef4bb1d95694c87b4c1184fbc5594ccc2a43c1b0dd91b88caeea37501bcc5d7552271f69e7d08752c2868

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
5ccbbbf7c851a90f28820db847ebd5f9

SHA1
8388e22cb44bde3b229079ee20550eff53c96ab6

SHA256
cd52550ce4a3e00871d4cc6c45fe1ef788aaf530b0f5ac4d0b807567ca4f88e4

SHA512
71bf084165c269a62603db2e92343a0522a372651394744eb86ab0dc77543ac4376a2dac1ae73afd5d315fd1c1ad51e12e65d535b7bb03b13fe14a354aa5fe4d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
75462e0c666cd029b69cb5939fd2b785

SHA1
df25b4117e718668d842c3f924f7651eda82c679

SHA256
c286319b49c7f37c776e18b81192960bea7580884bff79ea1fd4eca93c9559c7

SHA512
28847965b971b5e938784ded048b8706eaa215c5c7f5e1c7fae076bf41a6557707580e537f0f20374e6c3f0537fd8387849435e4d41a573c636306e1fa89afbc

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
0f6a4685066bd0ee19b849d38a8a5e75

SHA1
171f9fc7493f87c29522d4ccffed09e7707986ce

SHA256
d4292463b7d83ad47a8fe63517698afe9350290b1e29ec785dbc117837b9ce91

SHA512
cd9b8636c593c07970a2454f4bebd4dfa92ae22a59445fca5effaa2500613e800b89d96c44beabe52b41153591388990e97e5b5aa2c882f406ccfa7afd20bb71

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
153a86bf0ad8e4b2eecf731307f6ed95

SHA1
8d1f77418545271bdcdddcc2542a1119b8922448

SHA256
6981ea92f616b613fe72e9b7764eac9d008b0d434ba4a17af27128b303a0aef4

SHA512
b23ddaf087196345c52d068b6dc7a4d65c30ca7f02bb0436f6ddceb9e193aca27caa1a124d3067412c697c5c1391b02ab7a240718ca6679c0a9f609d7a60e044

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
f603cd155fe536e2d2085a3b29b336ba

SHA1
fd6943aa937b48fe11d5ee9371b97bd585d118c9

SHA256
459496c21bc7eaae8fcb27f0586a56ff1707930275e0f68b97f62e9ac741f3f7

SHA512
e0f958ac8015426901ce5d190ad945e93d813321de3569ce5718579f3e4e374ddc24d5d840cba89d4d0c2e5dc5000086a7a72c5185d329b55e5a032da368b99e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
8a0e0a7c2d1c9fd91c9df10d9d5d2c75

SHA1
0898e1f2bb59c3832be49c396cba6e72e20b0c4e

SHA256
78bc98facf7bd6fdf7d1f849520f618800aa04cd8fd84319a76d76c415c961ae

SHA512
23495347759103359ffa6d30af9c994f9ff4c96077660e8ea6851e0983c6103b75c45cb0f8af552333915f6a9df6339fdfa2206b28697fd5a2ea578f298f705f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
52a6d89f06a317fe6248971d396632e2

SHA1
8fa3e37d39aa4c9382ba9f4c408fd6944acad655

SHA256
8cb41ed4bdab738cb52aa2035de4bddef5f01125a3a854a61dbf46781103791f

SHA512
1781ee822a23dbd6446e8799417827356f97a1e11388d88fe9bcb35544c289386a1cede4e039585bb4d77055f1a2fa44554d091f9df7de912690979a1c319d6a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1660-5-0x00000000051B0000-0x0000000005216000-memory.dmp

Filesize
408KB

Download
memory/1660-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/1660-1-0x0000000000860000-0x00000000008CC000-memory.dmp

Filesize
432KB

Download
memory/1660-16-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1660-8-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1660-7-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/1660-2-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/1660-3-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/1660-4-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/1660-6-0x0000000005EB0000-0x0000000005EC2000-memory.dmp

Filesize
72KB

Download
memory/4380-15-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/4380-19-0x0000000006010000-0x000000000601A000-memory.dmp

Filesize
40KB

Download
memory/4380-17-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download
memory/4380-24-0x0000000074D10000-0x00000000754C0000-memory.dmp

Filesize
7.7MB

Download