quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
298s
max time network
307s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (11) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral10/memory/3652-1-0x0000000000520000-0x000000000058C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2996	Client.exe
1300	Client.exe
4736	Client.exe
2540	Client.exe
2668	Client.exe
4868	Client.exe
4856	Client.exe
4336	Client.exe
3900	Client.exe
3224	Client.exe
4684	Client.exe
1096	Client.exe
3032	Client.exe
3316	Client.exe
2716	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	ip-api.com
12	api.ipify.org
24	ip-api.com
28	ip-api.com
32	ip-api.com
36	ip-api.com
34	ip-api.com
20	ip-api.com
22	ip-api.com
30	ip-api.com
16	ip-api.com
18	ip-api.com
26	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4388	2996	WerFault.exe	Client.exe
2004	1300	WerFault.exe	Client.exe
4692	4736	WerFault.exe	Client.exe
5036	2540	WerFault.exe	Client.exe
4804	2668	WerFault.exe	Client.exe
1908	4868	WerFault.exe	Client.exe
4860	4856	WerFault.exe	Client.exe
3324	4336	WerFault.exe	Client.exe
1804	3900	WerFault.exe	Client.exe
2780	3224	WerFault.exe	Client.exe
3048	4684	WerFault.exe	Client.exe
4916	1096	WerFault.exe	Client.exe
4600	3032	WerFault.exe	Client.exe
3124	3316	WerFault.exe	Client.exe
4880	2716	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
372	schtasks.exe
4412	schtasks.exe
3736	schtasks.exe
1796	schtasks.exe
1664	schtasks.exe
1624	schtasks.exe
4804	schtasks.exe
4472	schtasks.exe
2896	schtasks.exe
408	schtasks.exe
848	schtasks.exe
2616	SCHTASKS.exe
856	schtasks.exe
3832	schtasks.exe
1724	schtasks.exe
3568	schtasks.exe
4692	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
5000	PING.EXE
684	PING.EXE
2792	PING.EXE
4636	PING.EXE
2804	PING.EXE
4404	PING.EXE
3608	PING.EXE
4512	PING.EXE
668	PING.EXE
2988	PING.EXE
1368	PING.EXE
1720	PING.EXE
1892	PING.EXE
764	PING.EXE
4016	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (11) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3652	Uni - Copy (11) - Copy - Copy.exe
Token: SeDebugPrivilege	2996	Client.exe
Token: SeDebugPrivilege	1300	Client.exe
Token: SeDebugPrivilege	4736	Client.exe
Token: SeDebugPrivilege	2540	Client.exe
Token: SeDebugPrivilege	2668	Client.exe
Token: SeDebugPrivilege	4868	Client.exe
Token: SeDebugPrivilege	4856	Client.exe
Token: SeDebugPrivilege	4336	Client.exe
Token: SeDebugPrivilege	3900	Client.exe
Token: SeDebugPrivilege	3224	Client.exe
Token: SeDebugPrivilege	4684	Client.exe
Token: SeDebugPrivilege	1096	Client.exe
Token: SeDebugPrivilege	3032	Client.exe
Token: SeDebugPrivilege	3316	Client.exe
Token: SeDebugPrivilege	2716	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2996	Client.exe
1300	Client.exe
4736	Client.exe
2540	Client.exe
2668	Client.exe
4868	Client.exe
4856	Client.exe
4336	Client.exe
3900	Client.exe
3224	Client.exe
4684	Client.exe
1096	Client.exe
3032	Client.exe
3316	Client.exe
2716	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (11) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3652 wrote to memory of 848	3652	Uni - Copy (11) - Copy - Copy.exe	schtasks.exe
PID 3652 wrote to memory of 848	3652	Uni - Copy (11) - Copy - Copy.exe	schtasks.exe
PID 3652 wrote to memory of 848	3652	Uni - Copy (11) - Copy - Copy.exe	schtasks.exe
PID 3652 wrote to memory of 2996	3652	Uni - Copy (11) - Copy - Copy.exe	Client.exe
PID 3652 wrote to memory of 2996	3652	Uni - Copy (11) - Copy - Copy.exe	Client.exe
PID 3652 wrote to memory of 2996	3652	Uni - Copy (11) - Copy - Copy.exe	Client.exe
PID 3652 wrote to memory of 2616	3652	Uni - Copy (11) - Copy - Copy.exe	SCHTASKS.exe
PID 3652 wrote to memory of 2616	3652	Uni - Copy (11) - Copy - Copy.exe	SCHTASKS.exe
PID 3652 wrote to memory of 2616	3652	Uni - Copy (11) - Copy - Copy.exe	SCHTASKS.exe
PID 2996 wrote to memory of 4804	2996	Client.exe	schtasks.exe
PID 2996 wrote to memory of 4804	2996	Client.exe	schtasks.exe
PID 2996 wrote to memory of 4804	2996	Client.exe	schtasks.exe
PID 2996 wrote to memory of 2860	2996	Client.exe	cmd.exe
PID 2996 wrote to memory of 2860	2996	Client.exe	cmd.exe
PID 2996 wrote to memory of 2860	2996	Client.exe	cmd.exe
PID 2860 wrote to memory of 756	2860	cmd.exe	chcp.com
PID 2860 wrote to memory of 756	2860	cmd.exe	chcp.com
PID 2860 wrote to memory of 756	2860	cmd.exe	chcp.com
PID 2860 wrote to memory of 4404	2860	cmd.exe	PING.EXE
PID 2860 wrote to memory of 4404	2860	cmd.exe	PING.EXE
PID 2860 wrote to memory of 4404	2860	cmd.exe	PING.EXE
PID 2860 wrote to memory of 1300	2860	cmd.exe	Client.exe
PID 2860 wrote to memory of 1300	2860	cmd.exe	Client.exe
PID 2860 wrote to memory of 1300	2860	cmd.exe	Client.exe
PID 1300 wrote to memory of 4472	1300	Client.exe	schtasks.exe
PID 1300 wrote to memory of 4472	1300	Client.exe	schtasks.exe
PID 1300 wrote to memory of 4472	1300	Client.exe	schtasks.exe
PID 1300 wrote to memory of 3668	1300	Client.exe	cmd.exe
PID 1300 wrote to memory of 3668	1300	Client.exe	cmd.exe
PID 1300 wrote to memory of 3668	1300	Client.exe	cmd.exe
PID 3668 wrote to memory of 2960	3668	cmd.exe	chcp.com
PID 3668 wrote to memory of 2960	3668	cmd.exe	chcp.com
PID 3668 wrote to memory of 2960	3668	cmd.exe	chcp.com
PID 3668 wrote to memory of 5000	3668	cmd.exe	PING.EXE
PID 3668 wrote to memory of 5000	3668	cmd.exe	PING.EXE
PID 3668 wrote to memory of 5000	3668	cmd.exe	PING.EXE
PID 3668 wrote to memory of 4736	3668	cmd.exe	Client.exe
PID 3668 wrote to memory of 4736	3668	cmd.exe	Client.exe
PID 3668 wrote to memory of 4736	3668	cmd.exe	Client.exe
PID 4736 wrote to memory of 2896	4736	Client.exe	schtasks.exe
PID 4736 wrote to memory of 2896	4736	Client.exe	schtasks.exe
PID 4736 wrote to memory of 2896	4736	Client.exe	schtasks.exe
PID 4736 wrote to memory of 220	4736	Client.exe	cmd.exe
PID 4736 wrote to memory of 220	4736	Client.exe	cmd.exe
PID 4736 wrote to memory of 220	4736	Client.exe	cmd.exe
PID 220 wrote to memory of 4824	220	cmd.exe	chcp.com
PID 220 wrote to memory of 4824	220	cmd.exe	chcp.com
PID 220 wrote to memory of 4824	220	cmd.exe	chcp.com
PID 220 wrote to memory of 668	220	cmd.exe	PING.EXE
PID 220 wrote to memory of 668	220	cmd.exe	PING.EXE
PID 220 wrote to memory of 668	220	cmd.exe	PING.EXE
PID 220 wrote to memory of 2540	220	cmd.exe	Client.exe
PID 220 wrote to memory of 2540	220	cmd.exe	Client.exe
PID 220 wrote to memory of 2540	220	cmd.exe	Client.exe
PID 2540 wrote to memory of 408	2540	Client.exe	schtasks.exe
PID 2540 wrote to memory of 408	2540	Client.exe	schtasks.exe
PID 2540 wrote to memory of 408	2540	Client.exe	schtasks.exe
PID 2540 wrote to memory of 3164	2540	Client.exe	cmd.exe
PID 2540 wrote to memory of 3164	2540	Client.exe	cmd.exe
PID 2540 wrote to memory of 3164	2540	Client.exe	cmd.exe
PID 3164 wrote to memory of 848	3164	cmd.exe	chcp.com
PID 3164 wrote to memory of 848	3164	cmd.exe	chcp.com
PID 3164 wrote to memory of 848	3164	cmd.exe	chcp.com
PID 3164 wrote to memory of 2988	3164	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:848

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQo0CU2Yqv6k.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:756

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4404

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Iuhx1Jui1HjX.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:2960

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:5000

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jbv9qJZyrV1j.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4824

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:668

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmI9RVpKOgDq.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:848

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2988

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCWIiFqaxVYP.bat" "
11⤵
PID:3708

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1788

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:684

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JubnM1B4OjcA.bat" "
13⤵
PID:5052

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4372

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1368

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ka4oRJCunLI8.bat" "
15⤵
PID:1480

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:924

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2792

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4336

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JlN1kOagW04B.bat" "
17⤵
PID:2388

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3164

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3608

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7LARoaiy6Ctw.bat" "
19⤵
PID:3028

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2204

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1720

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uQo27ZECyPqn.bat" "
21⤵
PID:4596

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:5088

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4636

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQtNlcEKvwQA.bat" "
23⤵
PID:3076

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:1668

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:1892

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ec1KrSnPAPt7.bat" "
25⤵
PID:2012

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:4608

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4512

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ptz99d5jiUWN.bat" "
27⤵
PID:1536

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:1784

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:764

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yxp0gsQd5ulK.bat" "
29⤵
PID:1360

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:4364

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:2804

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:1796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jEnqy3ixdzNa.bat" "
31⤵
PID:4072

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:4208

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 2224
31⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 2232
29⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 2224
27⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1092
25⤵
- Program crash
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 1708
23⤵
- Program crash
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 2248
21⤵
- Program crash
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1688
19⤵
- Program crash
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 1092
17⤵
- Program crash
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1712
15⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 2232
13⤵
- Program crash
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1652
11⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1664
9⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 2200
7⤵
- Program crash
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1628
5⤵
- Program crash
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 1656
3⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2996 -ip 2996
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1300 -ip 1300
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4736 -ip 4736
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2540 -ip 2540
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2668 -ip 2668
1⤵
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4868 -ip 4868
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4856 -ip 4856
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4336 -ip 4336
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3900 -ip 3900
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3224 -ip 3224
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4684 -ip 4684
1⤵
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1096 -ip 1096
1⤵
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3032 -ip 3032
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3316 -ip 3316
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2716 -ip 2716
1⤵
PID:4596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7LARoaiy6Ctw.bat
Filesize
207B

MD5
fd1a87581a0ebf086515d4f028135bfe

SHA1
028959796b33652bca736adb22140cfee470e007

SHA256
477f73b9d4a2fb9e63cb3d66b6d9b0f3899a9da29054c319b4799bcdc7fc7d58

SHA512
91fe2eabecee0343065c0fb50536543cf4ea5a587b1db2aa06565303dc5013e74954845a3417e4d2fd8fc3f3d7c7d8a801db2326dbd3178f1e0120122383f480

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCWIiFqaxVYP.bat
Filesize
207B

MD5
f735f0b2b62ad8115a70b3ee8b718d65

SHA1
40a1263641f0e8c827c5c61b1cde3313bf8dfbb7

SHA256
87641ad833f79cbe6a727812393329ba171e03f2de8a8fa1deb2082ef891f147

SHA512
fb23e197c76da43d4023d2d487da3652b5f5f92bd86e042dd88babb9b8af883ece37e75608db6dcef417e14715bd7797b0912d7ae8248e57102e6a03a0d9bb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iuhx1Jui1HjX.bat
Filesize
207B

MD5
eed92844f6d17270d647db181ef167e5

SHA1
5e673a2976ddf2d3bd7def72f536c98926f653c1

SHA256
ca7c97b6fa5f3531d6ad8d0cbdce693a1810357deeae23d130c2d134faae25b8

SHA512
cd3098e5dd68d3eb46242c5890d6ca20796122773403491405908b3e1efe1c3a3b2bbc4095cb6b13887887c6033864f9030f2d80efa3c56cf4109dd22ea987df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jbv9qJZyrV1j.bat
Filesize
207B

MD5
c3915fc86d7af7c16e92b10c6e77a8de

SHA1
743b56a88c9dc291a7d8359f9ab6b65ea756a1c9

SHA256
2ab9cf89475db6060a1f14c9bdc242e8d0cb36f71129e1fbbda1972730dd2b27

SHA512
171f5ec351ea6b6bb9e864182be02bf338e16370165e4bd3d20591c053973f05908b1acd390e831bc9d5156993c1fe95057fbe8b5617406f2fbe76046fcf59aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\JlN1kOagW04B.bat
Filesize
207B

MD5
7952d11a6fcb0d2d8ba132ffab96d625

SHA1
abab38dc57a04b64c54d59b4b5852d29a8deba91

SHA256
d5b7ec5368e5a5f340bdbaee40957b3f23f032c1c927335b420337838aa6a14c

SHA512
a7896eb5e7b51ef7843f6f12aa9995bf7bc64421938506e2947d5ea750b0a1fbb6f449638b29b053ecc8f368b23919ebbe9ba2b26f45ff110ef490c970176c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\JubnM1B4OjcA.bat
Filesize
207B

MD5
c737724353bddeb014df1f99cdb54952

SHA1
977ada055801d7fe16ddce12941358021d4f75b0

SHA256
68e175c8c3fea624a271ab38359d448896b219b0654335b66a4601320f593637

SHA512
897fd53393d59e1a7b9c1da4819decae5a6ad732af7c2c1f43e0d7a68b0395dfc2913ac6a22c91b85d8d157e0ad5dbbdc57312fc4dca349aeafe5c82909d1588

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ka4oRJCunLI8.bat
Filesize
207B

MD5
3080c05fe615658d7d7f63f173ff450b

SHA1
88e93e4e561aac953b7b08d46d34694e439b82a4

SHA256
f6d9f1dd69aa4b2cacd7675115e4b48f34013684c1f291402ca8da0590363096

SHA512
1dea602a407d3519997667a94c21433742494e879a012cdf456e03f488831ca671ea4fcc1c96a91f65b6e7a101cd806c82bae1a17f070610de7b4f06477aa6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\NmI9RVpKOgDq.bat
Filesize
207B

MD5
e3624711081051da2284010b72d00426

SHA1
16960b911b64c749f8bd30a172b42af2c069cc72

SHA256
e18201428bd2eb602637d87fd5ec1803f9350040c713e44a7c4cc4f65b59b613

SHA512
e274edf2390c07c07b46c3bf5bd64094f4e034e005a44a2ed75865421bea5682e416afb1e3f4ea77cef38559975f7cd99e4fa9b0ca37ecf0f68a621a42b0fd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yxp0gsQd5ulK.bat
Filesize
207B

MD5
78d1f0ff56aaeaaf5928d52d679ed7ce

SHA1
7d909852ba90f5aaac3aa48c7d7405171087246b

SHA256
ecd2e0fdb245c841f3ec746508bb45065f91b8b2a659eda71d4cf904ffa5386e

SHA512
ccd1a15405dad3c265e6427243642796b420f3e16fc3abd64b57cb1d6853846906772eb348fe3a31cebbae10cdd73bc8b2afa633a781c0ab728127746099cf4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQtNlcEKvwQA.bat
Filesize
207B

MD5
6bd29cada855e5d856f5847bcbed620d

SHA1
74a11510d0857c609086f31f31603f98a1c2b4d8

SHA256
72193f8023522be5918db17e02902ddd3e15f5050739dfd4cfced4ecc3a05a07

SHA512
f97e1f022e29f8341c6461a0b41cf91a3e49452ea473542f2e764e3d239e27d0c2700a1009b6eb8f4394d706a653693f25348ef0026bb99f33638c77dfc8b7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec1KrSnPAPt7.bat
Filesize
207B

MD5
af0ed9833949bd2c7fe6280dab98e1b5

SHA1
0d3b39c67c8b2c9305cad702bb10f69f5399bf89

SHA256
6235e51ba397129f56cb893b6ba1e1395b8a4337ebf875ad1132e58ca5cb97ce

SHA512
d4d79a6a555d066ecd93d064bb989e0f689a80fddf72a21dd49038b9bdf076b5d9bb30a374c6dfd6b198aa0cc6b2cfc748076b7096ef0fff98dd14ebc01e64e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fQo0CU2Yqv6k.bat
Filesize
207B

MD5
8e625eff4db10bc5ef2c25b04074176a

SHA1
638cf3492ce1480b3c160a238cc02585207cfb59

SHA256
4dd9e2df51a02cfb1c2c60e2654e2569d7942a8cac9138416e37b2323ea8af58

SHA512
8cc2e3f554347728913483ef8a4063f356e5b314b0e40b25fdab4dcf19be0ebf6808e1a72533d5d5f9de5e3a3f105ec33f0f823925ee3ce035051982f24c5473

Download Submit
C:\Users\Admin\AppData\Local\Temp\jEnqy3ixdzNa.bat
Filesize
207B

MD5
8c7b6149bae2b3f5fbd59126fa50b3b1

SHA1
b7fb2b1e3f6034de6ed4861e1fd7b68c2a4cf40e

SHA256
22900737fff821b80b9ce7665adf62864b19e4efd6fc2294e5a93063edfdecd5

SHA512
2de1980e29139814b353b94a5843764c4797f6a31ca81f747bc10394560716282731c45ce0ecfccaccc5324c3c2c5445775adeb2a4c214d914d678bec5f1b238

Download Submit
C:\Users\Admin\AppData\Local\Temp\ptz99d5jiUWN.bat
Filesize
207B

MD5
17eda3994ea830a72c6bb5e7be869fe8

SHA1
cfd4816654c8648b03b086a707e874613eb710b0

SHA256
093665282be7618fb199ae9f752a17f9bafebea161eef373482cc39c60b3869c

SHA512
40b7f26e07c8a5bccfeff3d0759ac3986a6eeb32ba30420902aa41ada61cc4171efc05e2e93d480379446bce09fcea288170f7055d76b88244e2aa927cb235b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQo27ZECyPqn.bat
Filesize
207B

MD5
4db88161ff2c134958727aea27019272

SHA1
cfba5a62fc78e1ebde0b93dfadf787334d934fe5

SHA256
29894da49495260b220316db2410b5e9927518eb86c0c5944aadce732ee209bb

SHA512
24287c25b0cb00f2197102a78e5d1289d0139d8831dcc2ec5b54aaab432577b20d45ffcd3c902939ad7d602dae2da78538a7bc61006d54ef3fd4cf33eb5e37f5

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
757a1d896064f0fdf4331315d7f23d90

SHA1
eff563f28d22a148d938d6f58d1d282a6e7587e0

SHA256
8d9752c01c34d81cedc40c1aee899a5bee0ef560bcc613193599517a8327126f

SHA512
51264186c0eb17b4b75ae1b452d71fb55cd04fe09ceb8377408c83e61bf4824e64a3a62f415b6dadd0ccd9ffbca7b81e25b7b1549266ace358d0421234c71c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
3bc045b949dab398b8831d881db0812c

SHA1
abd3e78031d827c75560e134d995c6ae29d81a8d

SHA256
1de304d59d1408a0f3ffea378a36861e488c610b71ce1b357bc01393be6a3e6e

SHA512
b52186738666a38f3484b0ee65b9829e37c76d213c70593e2cdf584dab5afc903d25ba008f2c0570f18194733891bae0318fea7b376cc92a9c6026bd669474b7

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
f10315954164e33ff28ac1e6e503dd6a

SHA1
21a7f4af58aacc1ba34629c948031ba20f0f6512

SHA256
3761441c8f225218945f1c52d3b7d95663b495bf5d87485f1d5ca3931ad63d9d

SHA512
b692ee64e511bc7d647ed1e31dd31008cfa24a32c6992b8309ea5e61f8d265d4aeba2393070b83947457a8f1fde87829ce5f15987ae9561572db91f3a7c67177

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
ba8fbbd90179ba34058c17d0ea6eb031

SHA1
705658e7f0d86268d593b2ef43d9c40eed1d6768

SHA256
e8e309aba71b66c6561ba5ea144c45af56e7e9e473494ca1c3f58d88db594449

SHA512
3970c166639366e06b7c3df13266e26c109ff3fe4eea932ad2b2b02e28ac2aa57d837338ae6821a218c5ce0b3e756b0a9b46bc8670d0913040861cee903965b7

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
af71ebc475e1db6c12039d7631f53963

SHA1
832eb3588303c619a9ae51004aa1ae49f00d7b9a

SHA256
30747aa6d6315cd3079ab5f665dc985ba5869defd8dcc2f9181d45a8e573a708

SHA512
9c9b9077da744baaaa203663b2ec462b67602723a5dd584401d1d9507589703791bc3bc02a0c407e978316d714fbe210eb28b3cd77e912aa17b64f79b23c15cb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
4d7a7e4d18a1c727f0e257b9c12ba20f

SHA1
87b04d885cafd73f6112d6be8d6c226e83ece535

SHA256
c46281ad6076eb3e04341982b606bae1db25c5b9535cefe314c59acb172cc511

SHA512
400faab1e6efeec138ef766f0e3ea4ac5638161469f2101a723abce2df14a904d697943a07cc201c0d29eba9f1e7a1840e2a3ec9c611735813df932e2fc6068f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
ea0531e6508211236284b98997fd5185

SHA1
4d3e67d079339f8168184b547a14cf604e96c295

SHA256
aec28d9e01aacc535034706dd2b16daa11f82026333794a09dec01c5e492aad0

SHA512
e6ca8cc62dc13592343c216d73a253d4d3bee924f6bd33bbd72fb3ac6105b250ef902f7f943b7c6d59f9f27e706c3591547a1e4321c495aa2820e934efd3d76a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/2996-19-0x0000000006DC0000-0x0000000006DCA000-memory.dmp

Filesize
40KB

Download
memory/2996-15-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/2996-17-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/2996-24-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/3652-1-0x0000000000520000-0x000000000058C000-memory.dmp

Filesize
432KB

Download
memory/3652-3-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/3652-0-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/3652-4-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/3652-16-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/3652-2-0x0000000005440000-0x00000000059E4000-memory.dmp

Filesize
5.6MB

Download
memory/3652-5-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download
memory/3652-8-0x00000000747B0000-0x0000000074F60000-memory.dmp

Filesize
7.7MB

Download
memory/3652-7-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/3652-6-0x0000000005DB0000-0x0000000005DC2000-memory.dmp

Filesize
72KB

Download