quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
297s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (11) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral8/memory/3188-1-0x0000000000BC0000-0x0000000000C2C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1524	Client.exe
1748	Client.exe
1400	Client.exe
2892	Client.exe
2420	Client.exe
1992	Client.exe
224	Client.exe
4020	Client.exe
4284	Client.exe
2392	Client.exe
2564	Client.exe
3488	Client.exe
2488	Client.exe
1492	Client.exe
1992	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
22	ip-api.com
12	api.ipify.org
20	ip-api.com
30	ip-api.com
34	ip-api.com
26	ip-api.com
28	ip-api.com
32	ip-api.com
36	ip-api.com
16	ip-api.com
24	ip-api.com
3	ip-api.com
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1516	1524	WerFault.exe	Client.exe
1868	1748	WerFault.exe	Client.exe
1676	1400	WerFault.exe	Client.exe
4464	2892	WerFault.exe	Client.exe
1888	2420	WerFault.exe	Client.exe
1104	1992	WerFault.exe	Client.exe
3252	224	WerFault.exe	Client.exe
2892	4020	WerFault.exe	Client.exe
3780	4284	WerFault.exe	Client.exe
3344	2392	WerFault.exe	Client.exe
2616	2564	WerFault.exe	Client.exe
5016	3488	WerFault.exe	Client.exe
4412	2488	WerFault.exe	Client.exe
3196	1492	WerFault.exe	Client.exe
4920	1992	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
396	schtasks.exe
1104	schtasks.exe
3536	schtasks.exe
2636	schtasks.exe
764	SCHTASKS.exe
4960	schtasks.exe
4404	schtasks.exe
4664	schtasks.exe
4108	schtasks.exe
3024	schtasks.exe
4484	schtasks.exe
2776	schtasks.exe
1240	schtasks.exe
2004	schtasks.exe
1392	schtasks.exe
1256	schtasks.exe
3292	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1476	PING.EXE
3720	PING.EXE
4084	PING.EXE
2080	PING.EXE
4892	PING.EXE
2600	PING.EXE
396	PING.EXE
1480	PING.EXE
4468	PING.EXE
2560	PING.EXE
2380	PING.EXE
1764	PING.EXE
1980	PING.EXE
5012	PING.EXE
4332	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (11) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3188	Uni - Copy (11) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	1524	Client.exe
Token: SeDebugPrivilege	1748	Client.exe
Token: SeDebugPrivilege	1400	Client.exe
Token: SeDebugPrivilege	2892	Client.exe
Token: SeDebugPrivilege	2420	Client.exe
Token: SeDebugPrivilege	1992	Client.exe
Token: SeDebugPrivilege	224	Client.exe
Token: SeDebugPrivilege	4020	Client.exe
Token: SeDebugPrivilege	4284	Client.exe
Token: SeDebugPrivilege	2392	Client.exe
Token: SeDebugPrivilege	2564	Client.exe
Token: SeDebugPrivilege	3488	Client.exe
Token: SeDebugPrivilege	2488	Client.exe
Token: SeDebugPrivilege	1492	Client.exe
Token: SeDebugPrivilege	1992	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1524	Client.exe
1748	Client.exe
1400	Client.exe
2892	Client.exe
2420	Client.exe
1992	Client.exe
224	Client.exe
4020	Client.exe
4284	Client.exe
2392	Client.exe
2564	Client.exe
3488	Client.exe
2488	Client.exe
1492	Client.exe
1992	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (11) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3188 wrote to memory of 1392	3188	Uni - Copy (11) - Copy - Copy - Copy.exe	schtasks.exe
PID 3188 wrote to memory of 1392	3188	Uni - Copy (11) - Copy - Copy - Copy.exe	schtasks.exe
PID 3188 wrote to memory of 1392	3188	Uni - Copy (11) - Copy - Copy - Copy.exe	schtasks.exe
PID 3188 wrote to memory of 1524	3188	Uni - Copy (11) - Copy - Copy - Copy.exe	Client.exe
PID 3188 wrote to memory of 1524	3188	Uni - Copy (11) - Copy - Copy - Copy.exe	Client.exe
PID 3188 wrote to memory of 1524	3188	Uni - Copy (11) - Copy - Copy - Copy.exe	Client.exe
PID 3188 wrote to memory of 764	3188	Uni - Copy (11) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3188 wrote to memory of 764	3188	Uni - Copy (11) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3188 wrote to memory of 764	3188	Uni - Copy (11) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1524 wrote to memory of 1256	1524	Client.exe	schtasks.exe
PID 1524 wrote to memory of 1256	1524	Client.exe	schtasks.exe
PID 1524 wrote to memory of 1256	1524	Client.exe	schtasks.exe
PID 1524 wrote to memory of 1712	1524	Client.exe	cmd.exe
PID 1524 wrote to memory of 1712	1524	Client.exe	cmd.exe
PID 1524 wrote to memory of 1712	1524	Client.exe	cmd.exe
PID 1712 wrote to memory of 1736	1712	cmd.exe	chcp.com
PID 1712 wrote to memory of 1736	1712	cmd.exe	chcp.com
PID 1712 wrote to memory of 1736	1712	cmd.exe	chcp.com
PID 1712 wrote to memory of 4468	1712	cmd.exe	PING.EXE
PID 1712 wrote to memory of 4468	1712	cmd.exe	PING.EXE
PID 1712 wrote to memory of 4468	1712	cmd.exe	PING.EXE
PID 1712 wrote to memory of 1748	1712	cmd.exe	Client.exe
PID 1712 wrote to memory of 1748	1712	cmd.exe	Client.exe
PID 1712 wrote to memory of 1748	1712	cmd.exe	Client.exe
PID 1748 wrote to memory of 1104	1748	Client.exe	schtasks.exe
PID 1748 wrote to memory of 1104	1748	Client.exe	schtasks.exe
PID 1748 wrote to memory of 1104	1748	Client.exe	schtasks.exe
PID 1748 wrote to memory of 3884	1748	Client.exe	cmd.exe
PID 1748 wrote to memory of 3884	1748	Client.exe	cmd.exe
PID 1748 wrote to memory of 3884	1748	Client.exe	cmd.exe
PID 3884 wrote to memory of 4448	3884	cmd.exe	chcp.com
PID 3884 wrote to memory of 4448	3884	cmd.exe	chcp.com
PID 3884 wrote to memory of 4448	3884	cmd.exe	chcp.com
PID 3884 wrote to memory of 2560	3884	cmd.exe	PING.EXE
PID 3884 wrote to memory of 2560	3884	cmd.exe	PING.EXE
PID 3884 wrote to memory of 2560	3884	cmd.exe	PING.EXE
PID 3884 wrote to memory of 1400	3884	cmd.exe	Client.exe
PID 3884 wrote to memory of 1400	3884	cmd.exe	Client.exe
PID 3884 wrote to memory of 1400	3884	cmd.exe	Client.exe
PID 1400 wrote to memory of 4108	1400	Client.exe	schtasks.exe
PID 1400 wrote to memory of 4108	1400	Client.exe	schtasks.exe
PID 1400 wrote to memory of 4108	1400	Client.exe	schtasks.exe
PID 1400 wrote to memory of 2436	1400	Client.exe	cmd.exe
PID 1400 wrote to memory of 2436	1400	Client.exe	cmd.exe
PID 1400 wrote to memory of 2436	1400	Client.exe	cmd.exe
PID 2436 wrote to memory of 5040	2436	cmd.exe	chcp.com
PID 2436 wrote to memory of 5040	2436	cmd.exe	chcp.com
PID 2436 wrote to memory of 5040	2436	cmd.exe	chcp.com
PID 2436 wrote to memory of 4084	2436	cmd.exe	PING.EXE
PID 2436 wrote to memory of 4084	2436	cmd.exe	PING.EXE
PID 2436 wrote to memory of 4084	2436	cmd.exe	PING.EXE
PID 2436 wrote to memory of 2892	2436	cmd.exe	Client.exe
PID 2436 wrote to memory of 2892	2436	cmd.exe	Client.exe
PID 2436 wrote to memory of 2892	2436	cmd.exe	Client.exe
PID 2892 wrote to memory of 3536	2892	Client.exe	schtasks.exe
PID 2892 wrote to memory of 3536	2892	Client.exe	schtasks.exe
PID 2892 wrote to memory of 3536	2892	Client.exe	schtasks.exe
PID 2892 wrote to memory of 4620	2892	Client.exe	cmd.exe
PID 2892 wrote to memory of 4620	2892	Client.exe	cmd.exe
PID 2892 wrote to memory of 4620	2892	Client.exe	cmd.exe
PID 4620 wrote to memory of 3932	4620	cmd.exe	chcp.com
PID 4620 wrote to memory of 3932	4620	cmd.exe	chcp.com
PID 4620 wrote to memory of 3932	4620	cmd.exe	chcp.com
PID 4620 wrote to memory of 2380	4620	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1392

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sbdr1R5VvELE.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1736

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4468

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g7Svx9VSV88e.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4448

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2560

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JcLrmyNcgUlR.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:5040

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4084

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KJZ3by2sWh3d.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3932

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2380

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NlX2mLlF0rGi.bat" "
11⤵
PID:2492

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:864

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1980

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIOfl4h5gx7o.bat" "
13⤵
PID:2564

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:5000

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2080

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:224

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7xkKVDKTBqJ3.bat" "
15⤵
PID:3028

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:3560

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2600

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pxpg9GKb8NtQ.bat" "
17⤵
PID:4464

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:1056

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:5012

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYQp1CbDEMQ5.bat" "
19⤵
PID:1548

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:3796

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4892

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGWKfywgfaUr.bat" "
21⤵
PID:1104

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:2128

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1476

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MEgYB8P2Catb.bat" "
23⤵
PID:1900

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4232

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4332

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zinMGEdmwLtA.bat" "
25⤵
PID:1740

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2088

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1764

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2488

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fDjt851pCtac.bat" "
27⤵
PID:1876

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:5052

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:396

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HhrgDBGZweZB.bat" "
29⤵
PID:4492

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1584

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:1480

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1lgXjQbTJ4o8.bat" "
31⤵
PID:5072

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:1020

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 2232
31⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1092
29⤵
- Program crash
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 2236
27⤵
- Program crash
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1092
25⤵
- Program crash
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 2224
23⤵
- Program crash
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 2224
21⤵
- Program crash
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 2232
19⤵
- Program crash
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1960
17⤵
- Program crash
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1084
15⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 2232
13⤵
- Program crash
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 2196
11⤵
- Program crash
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 2180
9⤵
- Program crash
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1896
7⤵
- Program crash
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 1092
5⤵
- Program crash
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 2148
3⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1524 -ip 1524
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1748 -ip 1748
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1400 -ip 1400
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2892 -ip 2892
1⤵
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2420 -ip 2420
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1992 -ip 1992
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 224 -ip 224
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4020 -ip 4020
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4284 -ip 4284
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2392 -ip 2392
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2564 -ip 2564
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3488 -ip 3488
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2488 -ip 2488
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1492 -ip 1492
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1992 -ip 1992
1⤵
PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1lgXjQbTJ4o8.bat
Filesize
207B

MD5
153ac77b8945aae3509321a510e4d2c4

SHA1
2487a1cc6e01af086abd2e50183bdd5b8e69b48b

SHA256
2af735bf8529a062eea70658978829d40d6342f86cd554c705186292a62e5f9b

SHA512
a6d95a3cb725f12c34116de9082d3a73fe56bf7e93941833f8715399e541a03f0b09cdda68c51c71dd67406e88326a6ac893a8889d99e23a5b8dde1ffa934f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7xkKVDKTBqJ3.bat
Filesize
207B

MD5
aa0e059344a57ab8cce79b3cd9d6d38a

SHA1
90d7345170bd6725eb4c34d034d18ae017520eb3

SHA256
57e0da20508cf5f3c3de7838f4690570e3e675fb7cbc3e5d06a2d11db4b0e3fd

SHA512
65dd35aaf19a0017b4a3fc808004a8618b0a7bebf08f50570348c875df5b85cbd82797212b6328797b7a8008f8fff032faa74ca5573f4fcfc0458ef269773440

Download Submit
C:\Users\Admin\AppData\Local\Temp\EIOfl4h5gx7o.bat
Filesize
207B

MD5
5cdb6a5010a78c429a6f3b204f7c2028

SHA1
038e3e972455adfa46de71e4c18bcf344fd475c9

SHA256
dcf342b151111d05f27e69e9d57c62549d80e763aba68c7eb317e220f1c45789

SHA512
2fac4ab98fc0be3cfe0844113b5b8678b8592ab107aa08a63e271a0ae536a1611cf4024c9cd664e78138fff1502a605678247059fa833e0b16224f1181d2f2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HhrgDBGZweZB.bat
Filesize
207B

MD5
1639f27f95fe882996f5c3c21cc6faa7

SHA1
f6b2984fad3b04e1a8cc1665e9eb0bf0feb41d6d

SHA256
58c5d8fadc058664b225e947b5a2e4d152b9e0d0147eed46934a02eb36e1c129

SHA512
6fbbd96ff1800bb84eff806910bd8b5eae3fb667824aba7d3021a8599db0ec50c97698638d52f63c1a81b8c650d6fee83f52504b43b05472533201176a3be3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\JcLrmyNcgUlR.bat
Filesize
207B

MD5
bf05528658be0bb71a7b4bb89dc53abf

SHA1
953d6fdbfe3830ae8f1e119fc3db2e44bfa40640

SHA256
d2057f860d2c9ba85e79287b304ee2a6f61620c0d60d93cda20c862c8db45916

SHA512
bcc619f5d68dde3349d7198617d34d3d623b95376bff7a169149b53b46d52ab0db33c1b8d2c2bac0635fb7b2a2248c3e975536ba1b3a30de470463ca6d2f8a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KJZ3by2sWh3d.bat
Filesize
207B

MD5
8bdb157c2698d491a7cb796ef3f6afd0

SHA1
5036f21125ab89f823140c23dfb11b6ace999671

SHA256
e5250cc3fb17a43370bba9823042ff42abe80de92b61a3d87387ef68b91ad3db

SHA512
52ef84922025f942db43bd551bfe1bb400e988d65a2b700494f88edb4167a00453d8e4280e2637ee4f18c02609fb7d3e9b3202e7f700f77a823046aeb99b97c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEgYB8P2Catb.bat
Filesize
207B

MD5
3f5569309104da13c2f399f222be5f4e

SHA1
fd8c16b550f6cb126e2536a4299f55a1d366527e

SHA256
c6e80bed18a18f4312f5c8854851ab1a205134b1f13a1c580e2a61214b66c86b

SHA512
016a17bd96d4fedc01ba679c592e35cafb24d898ae30567ec01b671637e7895c7b28403dae1a82f78ca58aa50da31d6428debdb61df3f0acd508c2c3846d2f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NlX2mLlF0rGi.bat
Filesize
207B

MD5
70aa95d433b6f7dc9ac03c79c57d5f07

SHA1
efaf9e613d0095c17976a37dcedb457fb224b739

SHA256
858cd7d4f8ff44f3433e571ec4e04c75b3fae044b36b9bcbfe02162acad02d16

SHA512
731e50c35f6ed5736a33b65fe1bfdc988ad488979084e23e2973b046ae043ae08951b81c1d8665b37b0c7532c05f23ad14ebf660bbc497202ef2b214ab8f7a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fDjt851pCtac.bat
Filesize
207B

MD5
52040b2ef943ee13518b529587e84638

SHA1
ef114536fedaa9493e579f23a217f493b8301c35

SHA256
d0e896e141c10499887bbfb2856927b4f0aea361fbbda1b2c5b86e4f18dc8d39

SHA512
44802adcc226c97215b677e350409328c860f0a45a0281dc4284775b2841f2eb77713d2f4f0b26b18111673e8b7989c7f17f39239e1f07f9114c5b0fab9b87f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\g7Svx9VSV88e.bat
Filesize
207B

MD5
f8442aa0947a0d413c86b6c1a52c3865

SHA1
822c6c092f0f8af904c49c98ee65094a5aa52d80

SHA256
f06edfc05921791f54d4bb7a145938b1c085d3e6fd467d7a730c5f8200460460

SHA512
9987886cc96aa33d822834ef9e2432e7d2fbffd88afe4ff04466fe6659bf98639274ccd95baada75907a0c1b6a1f367c8ca6bf804a9b572131fb25fa89fb5804

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYQp1CbDEMQ5.bat
Filesize
207B

MD5
8565e824d9afd62e88df4f9531d3431d

SHA1
119e78ebcdae6218698b65355d0281f9b119d3da

SHA256
3fb8ae4f491cbe1ace755368d07efe4feec88db0df2b9b8346159216c7174b7e

SHA512
36b2b705d2f289ceea8fd1baa62372a2e8b9804175b704d48f6bb8d271e29383c375bf52115cdfadda8df40c9738577ce9f418671f510c4ad367b4a5ae5f7060

Download Submit
C:\Users\Admin\AppData\Local\Temp\pGWKfywgfaUr.bat
Filesize
207B

MD5
d25e7dae1c99de50a1ebd80af735c51a

SHA1
d8f1bc56945b518baa5944af9f57db62b70aa965

SHA256
465ef29b6eacefed032314da8895da93497314b9404ac637145b0d5eaa167a64

SHA512
fe5708f71ebee054d2d306ba37203861896f49a64066e4eeaad4575356f08e3141dc93cb793ae9c587fb59798fcffe240a77d3b0d02a5de04dee46569a97c038

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxpg9GKb8NtQ.bat
Filesize
207B

MD5
003691e3f678049a887cd0fd2750cff3

SHA1
52d46d8c42ddc725af2962e95487147b7bd3823c

SHA256
6a9672cbec7f49dd9812f025cd61d781f6605126eed124047ca22c4404e76478

SHA512
3c5d0ab859ac44f57f08200d579eaa001595c8c403aa0e48ab376ba41ee58ec4544a0b6089529e239dfcef394ec5ebe82f0794deb9496aa0b418b4dcb3ee371e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbdr1R5VvELE.bat
Filesize
207B

MD5
09f3bd834ffe0f8e4a3018fca0d3b203

SHA1
f8efb3665ec2d8b3c8042a46741998ef4a1636e4

SHA256
f548789a769993b1a5d3ac5ee9beaa700c9862f434ab7681b9240fc46f71cd34

SHA512
6361e5a691d20aebe95cb5a1ea006a30974018286a6857303fe23ffb9a3913ad713cf883f4384ca505620380380f42e843bdfef741e9f5921e5282bf139eb99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zinMGEdmwLtA.bat
Filesize
207B

MD5
357d20be713ca753382cd6d984e3022f

SHA1
c507ad5ddb0bfe351d342c8d8322c09f89449b1d

SHA256
b77d189fde48c3098823b993e2c05f4fb664485ef4e9c9fb16bae4ae3d9eeb83

SHA512
38f8f5fb6757e1e742db6d2230dc28746c75762932132352c34b128f0a26626c983720fa945bd4f1863c121edc495cdba283e2ba1c21580aa83b0f621382ac13

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
e9fbe8f101fb77db7b0fcdc71634f8a1

SHA1
3ad7831f996662e5db92c6f4559ac6cc688550f0

SHA256
d7bcbe28397f9de1bd8ce19c00314f97c2cc0457c190a1a5e05c08e58b479938

SHA512
6ed817c4856220d1a3c4f24922e4f49a2451e64bfb2302ab0f63e821051c1e7decc3b72d50044331c72d67da070e6916119409705c9eee7bf60411a2fee0391f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
b482aa903d43cbef57611d5a7ccd5afb

SHA1
add889e9c9dd87dfb70b37cc6ae2890196cc3683

SHA256
b7bb02996d208a900e650d3587fae3ef65537e70995e97812aaa2a2e257b4d64

SHA512
7bb3f84911d52d90ff7053a2fc77d1ba174e0e321e833cda787565d51a0cb984e40b94811324f8c2fb4304a2a7f6ccf9f65a2f029b64951d0fd5050c874c58cb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
773e9bcaef75e037f821acc01a9b7bed

SHA1
681ade43a4318580fd065d3c09e29f7d2219654e

SHA256
a1c10c6f8d71247e50df886d51a860d5e7ec0184999601cc28897622a1e7b82b

SHA512
b08af075c4d83ccd23fcafde8cfe865aef178c36c6a1195643e0afbc2d7c1506ab7c0523a3a40cb9be7d37fb0ada9cf109fe9a74db9b869fb9b8f92ab77cefdc

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
eb5f3a8917b0ee99adfbe18a1588b1a8

SHA1
941f55fbba6f221594c10a324e27caf724d4e68f

SHA256
6a11bd46c7f9189552596cbd3f78aaf77858344d81312ae5471874a575d5a539

SHA512
578988ec897038f4fd023aea67c7a4610e0bce024a0dae7a21578d06f33a8f09a8d33cf394a0607971cedd3b3ca6b42203282a533d254826c096cf5da5128d8c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
34e994829da78e1eaade1112ef74b9f8

SHA1
925f5a67b360fa59cd7f22f2fbbd7a8df62e0c49

SHA256
1018c6044178aee59d8dd066afe90f91ba79a6636661ef9a0d96851cb6a463c0

SHA512
263b6cade35ee9034d6b060ae56dd7c01566ee1d0fd19b3eac1d8a1530a68537cf05f3b049ae2d9a085c377e2d19fd937110f3fb3bd1c31b0769598d54f4e672

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
4200f51b458f2521ad6e457783c2510e

SHA1
2d1885b68698f44ca13c70fa201ee2dae06b5ac6

SHA256
cd1b545968108e5d3642277e7ff4d1a46cbd4ab8e4bd9c71af8ee06efa6d4698

SHA512
9b30b19ac8ce058ce2c27a4d136202c4e94b6def31b83b5d2a1ffdd1348b6d63dc602998f740f090dab4ed668d2522a014f0965bcb5862ea4d754bc804670c33

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
3cf1790a88f94d921aa689c99c8928ec

SHA1
5b847c3cd69118450c9e456fa1172e979b81480a

SHA256
0c72b1e45ab520cd26992e7311f005cea6a27ecec792c8ae1f2469b156e5d371

SHA512
e883a2fcc5f19df9376f7e077e16054593e2d4a270e2664a3d5767ca06f7cdd2dbe76e6336690e85c6333defca74705241181f86313f0e5a94280636dfd3cb9a

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
65d096e6ed5279155a9aa3db6b8b7212

SHA1
d7ac5a7ae0a8fa9f1ec2fe5c39ea6c7c157b1d08

SHA256
7e2d27afcfda8772eb86d3d6a99f78cb1d47a4af3ac854897756b72b0e27910a

SHA512
4101c4b69b41d372a0e176f9be995e2ee5226d9d5a3c516ea1d81dcd9623b290b385dfce034153bc2f5e37494b0e0ffda0e41beaee0916a5bbaef606c52e8f00

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c8549f7e762d24d35e72caffd904ca9f

SHA1
a74bed0bf0fa98f1eba89183e9d9b511ad01c294

SHA256
85b213b1225815805fa786eee0ffa1738ddc7f52f9832b47d907a0c65f3a9ab4

SHA512
506f4837f7bf0be885749bce4097894827f09fc42827f918a6906ace02bb78b08eb4bedc4a78677ab6c23d8b062d4b2fd273c473a9c34f5f7349c7f4693d338e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1524-24-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1524-15-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1524-19-0x0000000006CC0000-0x0000000006CCA000-memory.dmp

Filesize
40KB

Download
memory/1524-17-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3188-6-0x0000000006320000-0x0000000006332000-memory.dmp

Filesize
72KB

Download
memory/3188-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/3188-7-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/3188-8-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3188-16-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3188-5-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/3188-4-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3188-3-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/3188-2-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/3188-1-0x0000000000BC0000-0x0000000000C2C000-memory.dmp

Filesize
432KB

Download