quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
296s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (12) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral14/memory/2616-1-0x00000000001A0000-0x000000000020C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1928	Client.exe
1736	Client.exe
2236	Client.exe
1192	Client.exe
2292	Client.exe
4540	Client.exe
2200	Client.exe
4880	Client.exe
4544	Client.exe
2464	Client.exe
3260	Client.exe
2188	Client.exe
4504	Client.exe
3976	Client.exe
4812	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
30	ip-api.com
34	ip-api.com
26	ip-api.com
28	ip-api.com
18	ip-api.com
20	ip-api.com
32	ip-api.com
11	api.ipify.org
24	ip-api.com
22	ip-api.com
36	ip-api.com
3	ip-api.com
16	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3976	1928	WerFault.exe	Client.exe
2988	1736	WerFault.exe	Client.exe
1232	2236	WerFault.exe	Client.exe
1180	1192	WerFault.exe	Client.exe
2348	2292	WerFault.exe	Client.exe
3496	4540	WerFault.exe	Client.exe
460	2200	WerFault.exe	Client.exe
4280	4880	WerFault.exe	Client.exe
2832	4544	WerFault.exe	Client.exe
5004	2464	WerFault.exe	Client.exe
4768	3260	WerFault.exe	Client.exe
1152	2188	WerFault.exe	Client.exe
4576	4504	WerFault.exe	Client.exe
3752	3976	WerFault.exe	Client.exe
1260	4812	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3100	schtasks.exe
4344	schtasks.exe
1000	schtasks.exe
2504	schtasks.exe
4672	schtasks.exe
3480	schtasks.exe
2996	schtasks.exe
4740	schtasks.exe
2008	schtasks.exe
1972	schtasks.exe
2720	schtasks.exe
1864	SCHTASKS.exe
4812	schtasks.exe
4768	schtasks.exe
3212	schtasks.exe
2228	schtasks.exe
32	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1356	PING.EXE
1260	PING.EXE
4100	PING.EXE
1192	PING.EXE
460	PING.EXE
4404	PING.EXE
5064	PING.EXE
5072	PING.EXE
1364	PING.EXE
1424	PING.EXE
4876	PING.EXE
2584	PING.EXE
3164	PING.EXE
1864	PING.EXE
3972	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (12) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2616	Uni - Copy (12) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	1928	Client.exe
Token: SeDebugPrivilege	1736	Client.exe
Token: SeDebugPrivilege	2236	Client.exe
Token: SeDebugPrivilege	1192	Client.exe
Token: SeDebugPrivilege	2292	Client.exe
Token: SeDebugPrivilege	4540	Client.exe
Token: SeDebugPrivilege	2200	Client.exe
Token: SeDebugPrivilege	4880	Client.exe
Token: SeDebugPrivilege	4544	Client.exe
Token: SeDebugPrivilege	2464	Client.exe
Token: SeDebugPrivilege	3260	Client.exe
Token: SeDebugPrivilege	2188	Client.exe
Token: SeDebugPrivilege	4504	Client.exe
Token: SeDebugPrivilege	3976	Client.exe
Token: SeDebugPrivilege	4812	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1928	Client.exe
1736	Client.exe
2236	Client.exe
1192	Client.exe
2292	Client.exe
4540	Client.exe
2200	Client.exe
4880	Client.exe
4544	Client.exe
2464	Client.exe
3260	Client.exe
2188	Client.exe
4504	Client.exe
3976	Client.exe
4812	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (12) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2616 wrote to memory of 2720	2616	Uni - Copy (12) - Copy - Copy - Copy.exe	schtasks.exe
PID 2616 wrote to memory of 2720	2616	Uni - Copy (12) - Copy - Copy - Copy.exe	schtasks.exe
PID 2616 wrote to memory of 2720	2616	Uni - Copy (12) - Copy - Copy - Copy.exe	schtasks.exe
PID 2616 wrote to memory of 1928	2616	Uni - Copy (12) - Copy - Copy - Copy.exe	Client.exe
PID 2616 wrote to memory of 1928	2616	Uni - Copy (12) - Copy - Copy - Copy.exe	Client.exe
PID 2616 wrote to memory of 1928	2616	Uni - Copy (12) - Copy - Copy - Copy.exe	Client.exe
PID 2616 wrote to memory of 1864	2616	Uni - Copy (12) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2616 wrote to memory of 1864	2616	Uni - Copy (12) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2616 wrote to memory of 1864	2616	Uni - Copy (12) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1928 wrote to memory of 2504	1928	Client.exe	schtasks.exe
PID 1928 wrote to memory of 2504	1928	Client.exe	schtasks.exe
PID 1928 wrote to memory of 2504	1928	Client.exe	schtasks.exe
PID 1928 wrote to memory of 3540	1928	Client.exe	cmd.exe
PID 1928 wrote to memory of 3540	1928	Client.exe	cmd.exe
PID 1928 wrote to memory of 3540	1928	Client.exe	cmd.exe
PID 3540 wrote to memory of 4732	3540	cmd.exe	chcp.com
PID 3540 wrote to memory of 4732	3540	cmd.exe	chcp.com
PID 3540 wrote to memory of 4732	3540	cmd.exe	chcp.com
PID 3540 wrote to memory of 5072	3540	cmd.exe	PING.EXE
PID 3540 wrote to memory of 5072	3540	cmd.exe	PING.EXE
PID 3540 wrote to memory of 5072	3540	cmd.exe	PING.EXE
PID 3540 wrote to memory of 1736	3540	cmd.exe	Client.exe
PID 3540 wrote to memory of 1736	3540	cmd.exe	Client.exe
PID 3540 wrote to memory of 1736	3540	cmd.exe	Client.exe
PID 1736 wrote to memory of 4812	1736	Client.exe	schtasks.exe
PID 1736 wrote to memory of 4812	1736	Client.exe	schtasks.exe
PID 1736 wrote to memory of 4812	1736	Client.exe	schtasks.exe
PID 1736 wrote to memory of 4352	1736	Client.exe	cmd.exe
PID 1736 wrote to memory of 4352	1736	Client.exe	cmd.exe
PID 1736 wrote to memory of 4352	1736	Client.exe	cmd.exe
PID 4352 wrote to memory of 3864	4352	cmd.exe	chcp.com
PID 4352 wrote to memory of 3864	4352	cmd.exe	chcp.com
PID 4352 wrote to memory of 3864	4352	cmd.exe	chcp.com
PID 4352 wrote to memory of 1260	4352	cmd.exe	PING.EXE
PID 4352 wrote to memory of 1260	4352	cmd.exe	PING.EXE
PID 4352 wrote to memory of 1260	4352	cmd.exe	PING.EXE
PID 4352 wrote to memory of 2236	4352	cmd.exe	Client.exe
PID 4352 wrote to memory of 2236	4352	cmd.exe	Client.exe
PID 4352 wrote to memory of 2236	4352	cmd.exe	Client.exe
PID 2236 wrote to memory of 4768	2236	Client.exe	schtasks.exe
PID 2236 wrote to memory of 4768	2236	Client.exe	schtasks.exe
PID 2236 wrote to memory of 4768	2236	Client.exe	schtasks.exe
PID 2236 wrote to memory of 2204	2236	Client.exe	cmd.exe
PID 2236 wrote to memory of 2204	2236	Client.exe	cmd.exe
PID 2236 wrote to memory of 2204	2236	Client.exe	cmd.exe
PID 2204 wrote to memory of 4264	2204	cmd.exe	chcp.com
PID 2204 wrote to memory of 4264	2204	cmd.exe	chcp.com
PID 2204 wrote to memory of 4264	2204	cmd.exe	chcp.com
PID 2204 wrote to memory of 4100	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 4100	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 4100	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 1192	2204	cmd.exe	Client.exe
PID 2204 wrote to memory of 1192	2204	cmd.exe	Client.exe
PID 2204 wrote to memory of 1192	2204	cmd.exe	Client.exe
PID 1192 wrote to memory of 3212	1192	Client.exe	schtasks.exe
PID 1192 wrote to memory of 3212	1192	Client.exe	schtasks.exe
PID 1192 wrote to memory of 3212	1192	Client.exe	schtasks.exe
PID 1192 wrote to memory of 2012	1192	Client.exe	cmd.exe
PID 1192 wrote to memory of 2012	1192	Client.exe	cmd.exe
PID 1192 wrote to memory of 2012	1192	Client.exe	cmd.exe
PID 2012 wrote to memory of 3304	2012	cmd.exe	chcp.com
PID 2012 wrote to memory of 3304	2012	cmd.exe	chcp.com
PID 2012 wrote to memory of 3304	2012	cmd.exe	chcp.com
PID 2012 wrote to memory of 4876	2012	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2720

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ev46vwCSl3OZ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4732

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:5072

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QdEOrpPV0orO.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:3864

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1260

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xYPHFVAVYVEn.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4264

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4100

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fZGmdGo3vdQP.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3304

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4876

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DnG4ExQhiJZH.bat" "
11⤵
PID:3976

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2020

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2584

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q1J7RgXZMJDr.bat" "
13⤵
PID:3684

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:1012

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1356

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rPlIWhskGdNE.bat" "
15⤵
PID:772

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4724

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1364

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m1BABNKgrRbn.bat" "
17⤵
PID:668

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4520

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:1192

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lCUNUSiSa5Nq.bat" "
19⤵
PID:3932

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2696

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1424

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:32

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CawYZT4dUQXC.bat" "
21⤵
PID:3016

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4744

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:3164

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3260

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PM5Cdqx2jT2M.bat" "
23⤵
PID:1476

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4936

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:460

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W4AhIcIWBh68.bat" "
25⤵
PID:2380

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2888

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1864

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4504

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J9nIbcoj4v3z.bat" "
27⤵
PID:632

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:5032

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3972

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Pn8HMBnR5GRB.bat" "
29⤵
PID:4988

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:3116

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4404

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FtacSvTyTI5w.bat" "
31⤵
PID:3016

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:1796

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 2224
31⤵
- Program crash
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1096
29⤵
- Program crash
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 2236
27⤵
- Program crash
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1092
25⤵
- Program crash
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1096
23⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1672
21⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 2248
19⤵
- Program crash
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 2252
17⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1708
15⤵
- Program crash
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1716
13⤵
- Program crash
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1644
11⤵
- Program crash
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 1076
9⤵
- Program crash
PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1640
7⤵
- Program crash
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 1640
5⤵
- Program crash
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1928
3⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1928 -ip 1928
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1736 -ip 1736
1⤵
PID:684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2236 -ip 2236
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1192 -ip 1192
1⤵
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2292 -ip 2292
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4540 -ip 4540
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2200 -ip 2200
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4880 -ip 4880
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4544 -ip 4544
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2464 -ip 2464
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3260 -ip 3260
1⤵
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2188 -ip 2188
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4504 -ip 4504
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3976 -ip 3976
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4812 -ip 4812
1⤵
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CawYZT4dUQXC.bat
Filesize
207B

MD5
01d206178c10ea3b670c019a8b3c63aa

SHA1
ba22695981a2cc9478c0c2d90a1b92b11e1740dd

SHA256
e095382c15771182e5fd6b7e9a19b041f97e9a8d198072e2301f040f85e8da7d

SHA512
2bf0e363a66c688adf17ebc909bb8643f2aaa767b572933275ff300382d26e4d4fcd2333d4d55e4f01207a49488b181bbd7048eaeb415ed3cfc4bf2e26daf6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DnG4ExQhiJZH.bat
Filesize
207B

MD5
d6b078e9ae4f8898f171f186144713d5

SHA1
ec55e1801112c66b7c3ab2794c252b431c85424b

SHA256
e1144fd6cf611281e27ce2e4a4383d3013ca1901d7f97dad2b54d49b40cf09f2

SHA512
f656c1d4ae18f56e1b36e020b78a88d40eba8d57fa76c013a371b95fda96f6a11ae02c6702f282ceb2ee1937ee101f61b7b382c194ad9953fb3e55792252497e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ev46vwCSl3OZ.bat
Filesize
207B

MD5
c9cb59bae10332471b4979ea1d918eb9

SHA1
562d0b341e0ce2a04880470f6d6c7b4f185b45d5

SHA256
27f809a1b96389b5f847f40eea7c6a2ee8d8d7b06ebb3f5db10097f6f53be179

SHA512
e8dff31712495f191ae56c9bca7b5517bd232e7b0dfa38bf2130aaf968fb5a51fdfd14251ea6abdb2ea9dfabe39316e9dd178bb9a67ca9c81b14bdb16cde98a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FtacSvTyTI5w.bat
Filesize
207B

MD5
6db644f4ac26c29c58ee7ea7cfb6f0de

SHA1
645c5e813976e8a98597159d5cbed85d7a0843ff

SHA256
95975dd7655dab8683a4525ede1a11f7390a2950480dd8281e335e9ab9436fd1

SHA512
30342b5956292ed802d48ea33a273845f7329eedb751dc2b6bfd86432a4aa2fb02f1136aa36979a4983d15aa82350b7913c66c8206081da458a1beee1337cd4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\J9nIbcoj4v3z.bat
Filesize
207B

MD5
cc7fe1c309a129e4698255253383083f

SHA1
b5138673bb64bcfbfbb3ed2cb183656ee94bf166

SHA256
20fdc4841c869b0e796b7f9369892e9a8935316ca8a9e9cb37e0afc292ff69f1

SHA512
cbed1aa4040f1f8633ec4fc67f53d9d66362e938d77e58c5680150ba27b018ef02c52c06ff8b9130c51e0daf665fefab037530bfe9f4e649491985f16e8cc4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PM5Cdqx2jT2M.bat
Filesize
207B

MD5
2a5f51d481ba0dfc8ec117ed4f0f7036

SHA1
8b24c10cc983f6cde9d1c5f8f23ee84d35c690ce

SHA256
9862e64f2653028db887b3a9d32675cf02f8b4a34abccb3129a6a82e56c3dd9e

SHA512
8cc7165b8207568ea84a6bbfb71dfba2bd1ab114742ccf17eca5593def755cce0fde3643c407f3d035ee09e61e3f5078e14820ae4456f17b6631a49dfb19dd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pn8HMBnR5GRB.bat
Filesize
207B

MD5
f154e1494add1d24961c5b54532c17a0

SHA1
149b9d060efaaac7d3db2efd4c07ed9691847b20

SHA256
51755a661788314019e36f575e4ee74758f203c947cf67f548806422f7eda542

SHA512
885c50c846763b23f77c1393e6ec91beed2bdfcbc2fc71e20b001b9d3fcd9aad8bc29e1811426bc555f8e9c260c0380115589c960a123cf26a80cf92c29163ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q1J7RgXZMJDr.bat
Filesize
207B

MD5
c1c1ecb166582202faf6e6702bf6b5a8

SHA1
37575731bc74eba804dbecb5d0eb56dc451e6fbc

SHA256
724435cfe57985168799112d513ec3d3da9a9759df24afb3cda7df2e1873ce60

SHA512
f93c902989dd649203612f790df933ac181b32ff96aeeaec1606364bdcf84fbc0d876a9ddd79e97df6fb5e0f09eb9f42a7ab7010d45e5883632c334fe84817bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QdEOrpPV0orO.bat
Filesize
207B

MD5
b9ee43e0f6e5ac38e81e8ee9ef5c20d1

SHA1
f2036222e8bc3c927f5dd075fae78abbf40f055f

SHA256
bfbb808af6e0d0e51b9b83828c4683b8cd9f9013fe22687b9603da6ad30ef356

SHA512
dde5c2c1ae68bb96b72a9c28ccc9ea61a275a885e7e5dea4b5c217a02ef0b3c49c69eea263d822b60fd98b738e345a02e346dcab828a27a8b9f46df54f2e68f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\W4AhIcIWBh68.bat
Filesize
207B

MD5
a4d7c53f5732ed171f73a597280c7810

SHA1
9e77fb5752d6b749e62572898b031dd96f8dd456

SHA256
7d59f3ccd0bb6f7ea8f7b9e9ce1490fe6aee4310a9022c63524d80f6aeb95c61

SHA512
d00732f5eed5f419f2dd378f3828634b3a3674fd076bca667d94eb4eb52b9310d2ac08ca33942d8ab085a3a0582dd22f2aa03c344d41bce026271a51bbea8f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZGmdGo3vdQP.bat
Filesize
207B

MD5
cf42879132fd22b5eb6bd13c8523c901

SHA1
4d6963da376f5bfe24ea965668c66e6bea0311f7

SHA256
155717a6496a3018aab4809116cedf79067dcd0f229c4a41f45d7eafa337ee31

SHA512
c661c660130e242c8986c532580d7b1e31bab81ecc363abe3e7d5729239f1f001a41b8225c3575f46645a7a6d6316f721bbfa18a7ed60072a79c64a378d096f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCUNUSiSa5Nq.bat
Filesize
207B

MD5
3975a5882b85420e716039a753db1457

SHA1
45bfcd37869206fbfd6fe6a83a483ba987d60be1

SHA256
32cc6c617c5472db698bfeb7d4bd96547628fc41f6dc71f58ec163248bfe3873

SHA512
531b49ca8ff95ef9948e4d3138e95293921c1e6a9e43782b83cb9ae779dd129a80eadea86113b4259e22d19dea97d1d8a890e3d659e3e12f41506e9263142621

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1BABNKgrRbn.bat
Filesize
207B

MD5
4d37a097aa19f57ad7f93189ce0b6aa2

SHA1
8226d0de61fa86a0ade6dcaae95128d3dcf271b8

SHA256
5a557c1f645e5b7ac0745b22de4546371cc5305e9ae6d0a8597806b6dc05987e

SHA512
3e1687df06562e9ec0936b50064fd664a9917e7e94a6f6c589ad23040755bf125864bd664cc33f322da2ceebad83d5616801fb09cc36462eb7e5401560bfebf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rPlIWhskGdNE.bat
Filesize
207B

MD5
502bae9de742a0d47d3accc85b438492

SHA1
652a51d9dccf8c0161f484755055e838b6f7d4b2

SHA256
bf6400fb959f04c7dcd4449807d31c0d8e7997e2e4cc410101021e8af3a44be5

SHA512
b2bedb267ce2ca28549c85b54363eb366c1869cbc92b3a86812db0c53ebdf29ad8848df92457ad109b49301addfd2e6862b6d95671afe84f0510764561fa2746

Download Submit
C:\Users\Admin\AppData\Local\Temp\xYPHFVAVYVEn.bat
Filesize
207B

MD5
b6358184aa81836da7ddcc4527bc458f

SHA1
9ab5662a4bd9977052567fc2a664182460597074

SHA256
0c2ba669c0ff9d9eb5d2b85c9f02f882448273357bb755d187cdc09a8771c8cb

SHA512
50ef66befbf5880af0c60af34f3b0cf126c83463435e85cc54b50adc2830e2f3e8032b25ed5f49e0cd4e877f61b6eafa6212d1f98373e0c7421fa25a1b9008b2

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
db6f9dce3b9798aa090b17311729bb1d

SHA1
36e4398eaff7fd93d60c85b3eaa034d5a7edb294

SHA256
e6c911203e14576638b6a365273000c64fabd97ac36d6cf65e8e693ccafbbaba

SHA512
9e4a84adfa8fc2e8042c8ed5c10dbeecf0f1ac002766cf51729c5a67beec2ea5da5953aaffc25f4fd31400481d6b9c1b4ab06977a0d87ab7980c03f78c0cda55

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
e2e998f3f4ecb012188b4edeb78ba7e4

SHA1
558120fd8a7ca5693e5c8135e4eb2081e913ca4c

SHA256
ab1c77febb7777e2492ec0ed35e70c14b5d14bd6def435565a4287bbd863e53b

SHA512
16e9d23288bec7825b4e89adf4402cfbfe8b1d94c05332c52d5dd51c9e8e1cc24d3190658ff948e16566586bee4fa717c9ab66e7c1ced3cea8e577ed0e138d3c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
120d5fde54e149594f42ff5f2370f7ae

SHA1
e2d9ecbf125ff126f112c56075ad94fa682d0480

SHA256
b27c5cc683d2d1ba1060df93eacb29526282f469781e9492518ba12033d74186

SHA512
60b721c2e00dfc1417865014bc1b11ea10958f2e2ee25630b5f1e9921666da9079621a56bb392f503a12b621d2865e2100f5f733d5ca522daa031bdf17dbde41

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
551b5f302c872094cab3a4637219ad55

SHA1
4b007859d44a1702fc03f75b57db827aa0f738ef

SHA256
008d6ca6013ffd3f4fbc2b3df343776d78b4075f05dc56a3ffc4c9a90e7fca54

SHA512
0092b9c7404e7496b6ee1ddce8633f31e245bfd5b9a193f3f9e3fb57f0022bfcf70597f3f290f1e0bcf95ac6aaa534ecdd635034de931117f9af3cc4d39a16ae

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c9e549f42d62e470d224592062ab9c51

SHA1
2d84340c6b23dd4789da1ee94556331437326222

SHA256
e830545c508fe69a34668f86346767ddb2916079b324d24fb271a0f2403e5547

SHA512
07d71f7b25d6bd8b0c62cd5e99034d7616d260e26faac266cbd781d4059774128c8fe6242513027d3073eded86993fab61c62629bbe508246017516e098e97a4

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
225965326676f1783638bdde79753be4

SHA1
c01960dd97e0ae5bb3800bf97c848f3766fe2729

SHA256
7e981fdd454bd4f06e19ddea85b7f7bbe03a56be87fe57b3bb5ad1c0206ea322

SHA512
f3adeec676fd0f730a656f7a85814079905434a6099a5f94dedc6a6e5c79d27fc4de4598f52b549385b818e235d78aad76f8f3f48aebddc74b253a9f0da10c67

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
026056fd0bd47573aee601cacbfdfe74

SHA1
e85a48ea7573bb31571c9f6a5b36ae28217d5d33

SHA256
cc3f0487f7a0fab2ecc817004f836aa6a9db172252d79ace10a2a7952fa63d5c

SHA512
04c5842468cf90b2c499f2f17504ed1d79f9edced048c0bf1dd931ad133eb07d7bec6d577162e30004c626f515874bfd3e125ebfb3a3fd742285b91e3cda1cd9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
50065001e97aa54fb1bfa955479487a8

SHA1
edf90d2635533f5dbd3507e0e0171f9afd4be6ac

SHA256
d9b32d99fb1299f11e6e7000099efc510ce4848796d631a5deb3237263923e06

SHA512
eb5db5f0ff41d006efe3ab8a30edca20d10d5b87621af4daf8fa019f84d5d6f6b09b25ea2045687dbab24d21bc4c394849d291156cf963b94d84f8af49d9adea

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
a0fb150283a74650df3c6a68ac1cf6b5

SHA1
726b9332d297c9038552bcfed15ff1fb1d04b8f5

SHA256
8ba6ffade9affe693775acaeb05687c04cfdbd33b5d8663e63862022c2a5206e

SHA512
127747721be8a323cc31449ce2cb75e08f3e00fee2da94be02a4c6daee9b3aad50eacd71640dc7452faef029b3f1896948819f99737bddfca78e12e3431a5599

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
05e521909ee37deea2260670fb9ee719

SHA1
1b04116fd1af18c07cc13c0ef391e5ca340d07c5

SHA256
b15149859c842b8a55c29234e9cd440958585c77b6f1e1795a601367ddf58872

SHA512
358010b8e292405b54e03d7ffac9edb4a6a20f6200c836427f0ee8ec8d60bedbc74aee17fca931c3ba10cf1517350f91d3c85d06a1edb0088c81f2eea11d145e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
0f5ac7803705d9a9c68749172864a3b3

SHA1
3aa01302f5d55b7d323aeec7c970b0253fd7f6cd

SHA256
435f3ab715dfa59f99e001f7d648436639d51a64dbd53a933cd75dd094401ec1

SHA512
ccacd25a34a0affaa75c432fbceded2f4780f344169ab1aa866e2afa2ce2a0c8e6802d23d8913811550df36e2249f871afb2da5605c0d63e17d05a1475eaa326

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1928-19-0x0000000006530000-0x000000000653A000-memory.dmp

Filesize
40KB

Download
memory/1928-24-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/1928-15-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/1928-17-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/2616-7-0x00000000753CE000-0x00000000753CF000-memory.dmp

Filesize
4KB

Download
memory/2616-8-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/2616-0-0x00000000753CE000-0x00000000753CF000-memory.dmp

Filesize
4KB

Download
memory/2616-16-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/2616-6-0x0000000005A30000-0x0000000005A42000-memory.dmp

Filesize
72KB

Download
memory/2616-5-0x0000000004CD0000-0x0000000004D36000-memory.dmp

Filesize
408KB

Download
memory/2616-4-0x00000000753C0000-0x0000000075B70000-memory.dmp

Filesize
7.7MB

Download
memory/2616-3-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/2616-2-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/2616-1-0x00000000001A0000-0x000000000020C000-memory.dmp

Filesize
432KB

Download