quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
297s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (10) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4484-1-0x0000000000F30000-0x0000000000F9C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
3660	Client.exe
2248	Client.exe
4012	Client.exe
1408	Client.exe
2412	Client.exe
4340	Client.exe
3388	Client.exe
1464	Client.exe
4144	Client.exe
2588	Client.exe
4924	Client.exe
4248	Client.exe
2904	Client.exe
2948	Client.exe
2252	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com
15	ip-api.com
18	ip-api.com
22	ip-api.com
24	ip-api.com
30	ip-api.com
8	api.ipify.org
16	ip-api.com
20	ip-api.com
26	ip-api.com
32	ip-api.com
13	ip-api.com
28	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4952	3660	WerFault.exe	Client.exe
2376	2248	WerFault.exe	Client.exe
4844	4012	WerFault.exe	Client.exe
2928	1408	WerFault.exe	Client.exe
4284	2412	WerFault.exe	Client.exe
1284	4340	WerFault.exe	Client.exe
912	3388	WerFault.exe	Client.exe
4616	1464	WerFault.exe	Client.exe
2148	4144	WerFault.exe	Client.exe
3960	2588	WerFault.exe	Client.exe
1932	4924	WerFault.exe	Client.exe
2648	4248	WerFault.exe	Client.exe
3804	2904	WerFault.exe	Client.exe
436	2948	WerFault.exe	Client.exe
3544	2252	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exe

pid	process
3516	schtasks.exe
1160	schtasks.exe
3652	schtasks.exe
4216	schtasks.exe
1776	schtasks.exe
3428	schtasks.exe
2852	schtasks.exe
4752	schtasks.exe
3092	schtasks.exe
4200	schtasks.exe
2908	schtasks.exe
3980	schtasks.exe
60	schtasks.exe
3492	schtasks.exe
5020	SCHTASKS.exe
212	schtasks.exe
3124	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2640	PING.EXE
1592	PING.EXE
4012	PING.EXE
1668	PING.EXE
2188	PING.EXE
5092	PING.EXE
4908	PING.EXE
2688	PING.EXE
2616	PING.EXE
4900	PING.EXE
1996	PING.EXE
4444	PING.EXE
4864	PING.EXE
4588	PING.EXE
2900	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (10) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	4484	Uni - Copy (10) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	3660	Client.exe
Token: SeDebugPrivilege	2248	Client.exe
Token: SeDebugPrivilege	4012	Client.exe
Token: SeDebugPrivilege	1408	Client.exe
Token: SeDebugPrivilege	2412	Client.exe
Token: SeDebugPrivilege	4340	Client.exe
Token: SeDebugPrivilege	3388	Client.exe
Token: SeDebugPrivilege	1464	Client.exe
Token: SeDebugPrivilege	4144	Client.exe
Token: SeDebugPrivilege	2588	Client.exe
Token: SeDebugPrivilege	4924	Client.exe
Token: SeDebugPrivilege	4248	Client.exe
Token: SeDebugPrivilege	2904	Client.exe
Token: SeDebugPrivilege	2948	Client.exe
Token: SeDebugPrivilege	2252	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
3660	Client.exe
2248	Client.exe
4012	Client.exe
1408	Client.exe
2412	Client.exe
4340	Client.exe
3388	Client.exe
1464	Client.exe
4144	Client.exe
2588	Client.exe
4924	Client.exe
4248	Client.exe
2904	Client.exe
2948	Client.exe
2252	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (10) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 4484 wrote to memory of 3492	4484	Uni - Copy (10) - Copy - Copy - Copy.exe	schtasks.exe
PID 4484 wrote to memory of 3492	4484	Uni - Copy (10) - Copy - Copy - Copy.exe	schtasks.exe
PID 4484 wrote to memory of 3492	4484	Uni - Copy (10) - Copy - Copy - Copy.exe	schtasks.exe
PID 4484 wrote to memory of 3660	4484	Uni - Copy (10) - Copy - Copy - Copy.exe	Client.exe
PID 4484 wrote to memory of 3660	4484	Uni - Copy (10) - Copy - Copy - Copy.exe	Client.exe
PID 4484 wrote to memory of 3660	4484	Uni - Copy (10) - Copy - Copy - Copy.exe	Client.exe
PID 4484 wrote to memory of 5020	4484	Uni - Copy (10) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4484 wrote to memory of 5020	4484	Uni - Copy (10) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4484 wrote to memory of 5020	4484	Uni - Copy (10) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3660 wrote to memory of 4200	3660	Client.exe	schtasks.exe
PID 3660 wrote to memory of 4200	3660	Client.exe	schtasks.exe
PID 3660 wrote to memory of 4200	3660	Client.exe	schtasks.exe
PID 3660 wrote to memory of 2740	3660	Client.exe	cmd.exe
PID 3660 wrote to memory of 2740	3660	Client.exe	cmd.exe
PID 3660 wrote to memory of 2740	3660	Client.exe	cmd.exe
PID 2740 wrote to memory of 2196	2740	cmd.exe	chcp.com
PID 2740 wrote to memory of 2196	2740	cmd.exe	chcp.com
PID 2740 wrote to memory of 2196	2740	cmd.exe	chcp.com
PID 2740 wrote to memory of 2640	2740	cmd.exe	PING.EXE
PID 2740 wrote to memory of 2640	2740	cmd.exe	PING.EXE
PID 2740 wrote to memory of 2640	2740	cmd.exe	PING.EXE
PID 2740 wrote to memory of 2248	2740	cmd.exe	Client.exe
PID 2740 wrote to memory of 2248	2740	cmd.exe	Client.exe
PID 2740 wrote to memory of 2248	2740	cmd.exe	Client.exe
PID 2248 wrote to memory of 1160	2248	Client.exe	schtasks.exe
PID 2248 wrote to memory of 1160	2248	Client.exe	schtasks.exe
PID 2248 wrote to memory of 1160	2248	Client.exe	schtasks.exe
PID 2248 wrote to memory of 4332	2248	Client.exe	cmd.exe
PID 2248 wrote to memory of 4332	2248	Client.exe	cmd.exe
PID 2248 wrote to memory of 4332	2248	Client.exe	cmd.exe
PID 4332 wrote to memory of 4896	4332	cmd.exe	chcp.com
PID 4332 wrote to memory of 4896	4332	cmd.exe	chcp.com
PID 4332 wrote to memory of 4896	4332	cmd.exe	chcp.com
PID 4332 wrote to memory of 5092	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 5092	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 5092	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 4012	4332	cmd.exe	Client.exe
PID 4332 wrote to memory of 4012	4332	cmd.exe	Client.exe
PID 4332 wrote to memory of 4012	4332	cmd.exe	Client.exe
PID 4012 wrote to memory of 2908	4012	Client.exe	schtasks.exe
PID 4012 wrote to memory of 2908	4012	Client.exe	schtasks.exe
PID 4012 wrote to memory of 2908	4012	Client.exe	schtasks.exe
PID 4012 wrote to memory of 2108	4012	Client.exe	cmd.exe
PID 4012 wrote to memory of 2108	4012	Client.exe	cmd.exe
PID 4012 wrote to memory of 2108	4012	Client.exe	cmd.exe
PID 2108 wrote to memory of 4556	2108	cmd.exe	chcp.com
PID 2108 wrote to memory of 4556	2108	cmd.exe	chcp.com
PID 2108 wrote to memory of 4556	2108	cmd.exe	chcp.com
PID 2108 wrote to memory of 4908	2108	cmd.exe	PING.EXE
PID 2108 wrote to memory of 4908	2108	cmd.exe	PING.EXE
PID 2108 wrote to memory of 4908	2108	cmd.exe	PING.EXE
PID 2108 wrote to memory of 1408	2108	cmd.exe	Client.exe
PID 2108 wrote to memory of 1408	2108	cmd.exe	Client.exe
PID 2108 wrote to memory of 1408	2108	cmd.exe	Client.exe
PID 1408 wrote to memory of 3652	1408	Client.exe	schtasks.exe
PID 1408 wrote to memory of 3652	1408	Client.exe	schtasks.exe
PID 1408 wrote to memory of 3652	1408	Client.exe	schtasks.exe
PID 1408 wrote to memory of 3008	1408	Client.exe	cmd.exe
PID 1408 wrote to memory of 3008	1408	Client.exe	cmd.exe
PID 1408 wrote to memory of 3008	1408	Client.exe	cmd.exe
PID 3008 wrote to memory of 1540	3008	cmd.exe	chcp.com
PID 3008 wrote to memory of 1540	3008	cmd.exe	chcp.com
PID 3008 wrote to memory of 1540	3008	cmd.exe	chcp.com
PID 3008 wrote to memory of 2688	3008	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3492

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KFHWz3Qlhs8F.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2196

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2640

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hYxb9qtI56YM.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4896

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:5092

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S8hRC0Vha5JS.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4556

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4908

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oRMWMmyDyIjZ.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:1540

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2688

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZtSBeYzPkKL.bat" "
11⤵
PID:4016

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4484

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2616

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4340

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2BJKpKzu1YYu.bat" "
13⤵
PID:3760

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4848

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1592

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3388

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c6XnG2GoeRzz.bat" "
15⤵
PID:1900

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:2892

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4012

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wuHuutUqv6tx.bat" "
17⤵
PID:4984

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3560

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4900

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DlyneDtJ6rlb.bat" "
19⤵
PID:2428

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2732

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1996

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LT3IIzEnX5pM.bat" "
21⤵
PID:4848

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:712

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4588

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4924

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SB8nwlZHzKt8.bat" "
23⤵
PID:968

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4384

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2900

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4248

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cOM7MjVp7Wqo.bat" "
25⤵
PID:1644

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:644

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1668

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uhxPEP7mhDrs.bat" "
27⤵
PID:2284

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3068

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2188

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roX7fHBmzyyM.bat" "
29⤵
PID:3200

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:3376

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4444

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fd5x5tZ8mRZE.bat" "
31⤵
PID:4340

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:3408

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 2248
31⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1092
29⤵
- Program crash
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 2232
27⤵
- Program crash
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1092
25⤵
- Program crash
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 1708
23⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 2228
21⤵
- Program crash
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 1708
19⤵
- Program crash
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 2228
17⤵
- Program crash
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 2196
15⤵
- Program crash
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 2252
13⤵
- Program crash
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 2196
11⤵
- Program crash
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1636
9⤵
- Program crash
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1616
7⤵
- Program crash
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1672
5⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 1824
3⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3660 -ip 3660
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2248 -ip 2248
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4012 -ip 4012
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1408 -ip 1408
1⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2412 -ip 2412
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4340 -ip 4340
1⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3388 -ip 3388
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1464 -ip 1464
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4144 -ip 4144
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2588 -ip 2588
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4924 -ip 4924
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4248 -ip 4248
1⤵
PID:1196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2904 -ip 2904
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2948 -ip 2948
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2252 -ip 2252
1⤵
PID:3468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2BJKpKzu1YYu.bat
Filesize
207B

MD5
c099f2c9942d1cccc4e8dc096de7ae51

SHA1
ebd41d40b54be58bffa2b26db9e0c16d98b73a79

SHA256
b1b9705a5a9e4562882ad261647e5bb653254becc248a6603a6c46b4c4e9ad06

SHA512
97c506b845a3b0f41e90869dc9478034189dd0ab01113159a4bb25eb9d5a86b85b380f29381e51dddab41c24651fdb03bf23f9303fe37a101f20c5014ce5321f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZtSBeYzPkKL.bat
Filesize
207B

MD5
d3f643e3bed9665a58eb72ba167cfe7c

SHA1
f09518f10b8bba2cadc5bd9b966177af72c35391

SHA256
55f0e95adca748a2b04d316e50c0e885fb209b9b3b5e2f1ba5244a40c16c17e3

SHA512
f5d6581b585e1c62c9ca93ab35572d70ee2269e42193664f66abc71a1b83430d98ee216be1e5af2fcdf73032ec195f1ce66032f84bc76b73125eb585b83420a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DlyneDtJ6rlb.bat
Filesize
207B

MD5
d9546c47621e7bbb2ab2efaf620ff7a3

SHA1
40678431b317e9b5cc5407fffe6637e6e35bceb6

SHA256
a5dbfb0b3185405832f6ff479caec0f6b105813d198d5bce5e7c41322e977e97

SHA512
2a1be6eec75e7842fa038ee30af217a1df291bfb6efe62fd82e0161c4a97ef9e5bd3a50e3006eceeb4c6a3b33c5dd323bde4bff3270a15eb0e43d76faa74cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fd5x5tZ8mRZE.bat
Filesize
207B

MD5
fff35a67ef4c790ade824acbed0e2ba7

SHA1
a9bed9601397004394d424c4c4c12361cb564090

SHA256
ad0cc1135254f96d2b9e77a6c0e123a91e5c39b3f5113ede0fbd286c1c9d0e49

SHA512
28ca5f1981e9b57819751f402b6b4d5fc3f1492fd6ff6bf00830da800d0ec84f62c4a6a54ffc50d65dacd7211494c4da6288c12c4d897b704419323943c1e8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KFHWz3Qlhs8F.bat
Filesize
207B

MD5
c4772cc9683c87e363874a75a698c5aa

SHA1
8fd935ae693a4f63ce3a1ee371653f580592241c

SHA256
a076d43631ce26f7fae54a5e6e877c8758a3c7dbb1ef8a130d09181decfca2c0

SHA512
7ecebf9974710dec476e3efe79e1d5e9eea16b03a13744534b3c94b4a2d3b8a048027afaecaae7b1ff13e3d8c18b914d892213f20c2d448fbc68f2c86a700827

Download Submit
C:\Users\Admin\AppData\Local\Temp\LT3IIzEnX5pM.bat
Filesize
207B

MD5
07f379467975a53e3a95e811e19da9b5

SHA1
49ee779673e6514d378c45b6512006de2cf1b8bf

SHA256
91c8515f8f894631b724b9733a911da2ed43b92c2da7e48e9b2d2be799722df2

SHA512
cc4dd8a1edd817c752d04d991d2a95ab4a337c758d876b9acff9bd6e1d62f6a9b0bd71aec52e717dbae3b2bdb32782f67f27641c6242aa521f5b0a487daa54b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\S8hRC0Vha5JS.bat
Filesize
207B

MD5
071c192192db10a5c4d059b5fb93549a

SHA1
e6ac6d22ac7246f1b5edd7985d20d1fde5baad5a

SHA256
b4d9c4d7673b4882b5f81084fe8d5807b2afa063a2394640f4873854e2434e9f

SHA512
5688c44df291e30460d0cbf4524e93d6859f8814d962c75168bd205a7542853f4751e751acec61923d0ec60197892e4d3c2e61813a251d91cf777e83ce5cab23

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB8nwlZHzKt8.bat
Filesize
207B

MD5
5932e07d8ecc0520c0ec4c90762a9eda

SHA1
a041fb2ad30db20a329dbfed2c30e888827012e3

SHA256
d24ac44f7b2832c49e63897c809522909831d405682e9b94fe77869a8e32f11f

SHA512
e9ccf8a3d5d137ccd1e0db818f563e599519fb0488e76b499b842726b19bcc1df5f71f8d03fa4596a1db73d10bff71cbc912d844804bb2ef86d622f2424ae735

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6XnG2GoeRzz.bat
Filesize
207B

MD5
4cac880fe961ac3aafea3db729cf593e

SHA1
e92f99bf5184207bf5357e59479c95246463f6bd

SHA256
f974cc92ee3543937fac08d4fe26c849961f7712b874358b66de9e9a2582d9ff

SHA512
ceb94334cb2058a41522d5a999c0772c1380e89719295bb82e9995d03c4f9fce4158e7fd3e26b5790f5eeba71067e7abbc95fd16bce0eb632e03155365085669

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOM7MjVp7Wqo.bat
Filesize
207B

MD5
1456c62bf5c44c20d4de5706090a9d9d

SHA1
d943f38044c3da606056b1255f4047f22399333e

SHA256
97fd236371659559e78663e283f08a32b24f6f3a85e4937a4453f29017a4183d

SHA512
c68e73bb978b5f2abf3fcf265367c56aded8711c90311174d92eec1b8f5e204c5fbf5253232e7ef64d48a59f2123c31bea0f1c84d180fb3e945a8211f8113d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYxb9qtI56YM.bat
Filesize
207B

MD5
fc69700d5a40c2361e9cbed9c95f91a3

SHA1
eb3b4bb2763fcfb9f004f1824aea7e1df6a33604

SHA256
0a876253005ba7920699101938c9c2114e507f13bfb9339e988289b15f9648fa

SHA512
743f7c9023cbffed6709d0818dbbf3ed5ec7e3199f20651d7965e2d97cc1416ba8e147827943ff62c3c47b18e731267afdfa09cfb1ba192e953c2548cac7a76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oRMWMmyDyIjZ.bat
Filesize
207B

MD5
b7189eb0999d6d4f69d85f0d55b64cc9

SHA1
9e80a18a4e6d921be2b3c683d2b15f2b2fc7c665

SHA256
206b1572f9d9cf087ed81d8f6637b83f6b352fb6ec4386a602b192149d4ff7d0

SHA512
66f5161708b71b25da9a0b0fbfa28f05ce6cf2ee432202ff314d73b95c8770b3f2c0d4615e85d18e615422865b966be3742f0ae0352f46ebe9ee99b3fe4232dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\roX7fHBmzyyM.bat
Filesize
207B

MD5
f9c7f60c57fdba0d4bb984bc35e148c3

SHA1
046ff970246865e8716e8762e4eaf1e93705c78c

SHA256
96fbad0dd39fce4121401b5e32587a42b9e055387a26dc82ac18d351d293b5cc

SHA512
5c17204a04935bcfef5459c78c7708d659ff9192396f38be16de6f06b9fbb1bfec57742e18a8aeaafcde598341867391f746b08be0161ecba1050717b1f9fc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uhxPEP7mhDrs.bat
Filesize
207B

MD5
21e9d274f80206aa4fc898cb54a35434

SHA1
f14344bf1e243265913796eb94c0c90fd5e9713b

SHA256
ab1daef8d03dbacbcf150f1389f2ec6cbc8ad5bc162051af0b4ce8b80aafafdd

SHA512
eb74126327045cfdd2f99f5a4d3061f5a62be3699698c140dd8da914c11bb7ff0fed1c40dbe73a18023a827f372d103ee5bcf5caa5e7d98fb25c71f072fdf4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuHuutUqv6tx.bat
Filesize
207B

MD5
2524a16e36ba47db4552261a4f01ea4d

SHA1
ddc95de4ec0306e2f5ae4456be1ac7072d9ccbb0

SHA256
ed18e6b7a398c27073d03975da40f83f6009095bade03ffe8f30a73b37539e3b

SHA512
8fcb0b972c4fcf67293d9f4f6c1b99bddb14f2689aa9b44e025a904e5e8560a75d326f7ba384a57650d1e8f16a4d4047a79f7bf3274c6b29db5637428f104688

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
cedfd0c855e2c3240d4e8d6f3d2bbd5e

SHA1
f549d795c72ce0c162583b76737e3c49212e7b28

SHA256
e9461dd0c001f0f7b001be469982fe1137fdb54ce341a62b56004c8378b6be98

SHA512
39017324ce6a29988e7bc9de4b8dbca83d4ffc75f61c771a1c1c8299b35d4681f41aa3331735b54b2e8ec3afd5611ad7d04da729ca2b5a9ae2e08c6149fa51b9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
51d8ac1788afd91c058ddff318c3a2d4

SHA1
87a49e39b206774ca4195e79225e7ae3db92cb15

SHA256
4b7f02fdb9ecb98fe97f6e789fcf3fff000326243c62d44db5b113b8db035e24

SHA512
ceb3b60481ebe5f6ef13a1dccd557c45a21534982348fd759c0798d1bfb14202f66cc3348223f32fd4f1911f9650a3345daddad59dfd3fdb6cbbf1cf9da43097

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
cf6e3173d32096809abf349b74603fee

SHA1
195af5bd0e00282a230436b82a3677a9e9ca44cd

SHA256
bd603b8f1536981a0bc7d2dccfd0c0d03ec4315b4fd891852cfb1f9e2212654f

SHA512
36b039b7b85e50425ad7eea19db1378948563cca842197cadb8a8b4631bfff5090160b91b70a483af44aef1e120261cf806dd08e7f1696abd1b0bec63373a584

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
7bd0e152fe349970636b45aa73f5b0f1

SHA1
b33c983c82a65f263085d88ae5db58b008546916

SHA256
22289da02501dc221d401ad0ef01a6f82ff9d8ff091898763a81fff02b7f2c27

SHA512
f4cc70cf68fb086aa1f09fca5ddc0591508c2f2943bd3cf40572837f905397b01f8ed6ea7864b813cf9bd6643b9779225b2c6391b7f2933671143b0d7a1a4e2e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
d03b489aa2ff6ba1ca0f92f293a63c25

SHA1
fe90a564827605242e0d9685dce0c9115e7b8a8f

SHA256
de7da9c5f7247b6be82de9368d237122bfac94939da1a0f561d0a47a50351c92

SHA512
60a3ce0482706aaa6aee8b810b02f7f286f1413b9f1301df7d750b3fec6df2dd395a2a1ac79f74da1953570626192f93747def7eaf6522ff2413299f077a8f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
cba84d2fe070e15bc4204a936593a744

SHA1
cb6272bec6c0bf3fa5ca964d5c4ad4c2ab49c298

SHA256
103351739f25fa218baea0e44a5d161ad0f038547054ebcfa10ed0526821b26a

SHA512
50cccfcc4921a24b456a9ef054fc70f597de02ca5500ed92a795764ab97834dac1867be270b17d16d72a0b1116fff8d492cbda3e7eefa9940df8ede1d77f93db

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
93db40510a99d7148b1dcf250b8a7417

SHA1
8d30f4563c17659a45f93b9c1e098db5efaa4433

SHA256
2080277e23b06aed5e6cc66156b749e675b8b12231f0535b881b4f4828d2b7a0

SHA512
bd2be174250da7ed6454963f1c7d8c51184b6c3c13524bafb2f305f7fa89d9228087e956c66ab22153d9535d1cd8fbd1e13b43da9020e11190e21ad7cd4642a7

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
d546a4199fec1645b2c7f156479093bf

SHA1
5beb1d76ebecc86ca42047abd53ff90a37948930

SHA256
29e4ab50303564a3be39263c1cfc3e949d995469821b79490a78736112b20546

SHA512
a9370f9c2ac0d24487cfe8939d1d24838a22b29891e7706a2eba3ec161a0bfe129fe8175286f50b6fd1d2f1027bc42207b68fb13572ae73812e5dbc60bf29107

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/3660-19-0x0000000006170000-0x000000000617A000-memory.dmp

Filesize
40KB

Download
memory/3660-15-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3660-24-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3660-17-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4484-8-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4484-7-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/4484-16-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4484-6-0x0000000005DD0000-0x0000000005DE2000-memory.dmp

Filesize
72KB

Download
memory/4484-4-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4484-5-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/4484-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/4484-3-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/4484-2-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/4484-1-0x0000000000F30000-0x0000000000F9C000-memory.dmp

Filesize
432KB

Download