quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
296s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (13) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral22/memory/3692-1-0x00000000007C0000-0x000000000082C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
5012	Client.exe
1444	Client.exe
5084	Client.exe
4912	Client.exe
2292	Client.exe
3300	Client.exe
1616	Client.exe
2252	Client.exe
5032	Client.exe
4584	Client.exe
4488	Client.exe
920	Client.exe
4896	Client.exe
528	Client.exe
3912	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
27	ip-api.com
2	ip-api.com
9	api.ipify.org
15	ip-api.com
17	ip-api.com
23	ip-api.com
31	ip-api.com
19	ip-api.com
21	ip-api.com
33	ip-api.com
13	ip-api.com
25	ip-api.com
29	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3020	5012	WerFault.exe	Client.exe
4064	1444	WerFault.exe	Client.exe
4276	5084	WerFault.exe	Client.exe
3348	4912	WerFault.exe	Client.exe
4508	2292	WerFault.exe	Client.exe
2420	3300	WerFault.exe	Client.exe
3756	1616	WerFault.exe	Client.exe
3988	2252	WerFault.exe	Client.exe
2196	5032	WerFault.exe	Client.exe
1128	4584	WerFault.exe	Client.exe
2948	4488	WerFault.exe	Client.exe
652	920	WerFault.exe	Client.exe
3996	4896	WerFault.exe	Client.exe
3592	528	WerFault.exe	Client.exe
3748	3912	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2928	schtasks.exe
2836	schtasks.exe
3932	schtasks.exe
3524	schtasks.exe
4616	schtasks.exe
1448	schtasks.exe
3768	SCHTASKS.exe
3196	schtasks.exe
4140	schtasks.exe
3056	schtasks.exe
376	schtasks.exe
4936	schtasks.exe
384	schtasks.exe
184	schtasks.exe
2124	schtasks.exe
4364	schtasks.exe
1692	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3572	PING.EXE
3624	PING.EXE
1764	PING.EXE
2932	PING.EXE
2580	PING.EXE
4048	PING.EXE
4480	PING.EXE
2320	PING.EXE
4900	PING.EXE
1392	PING.EXE
3096	PING.EXE
4892	PING.EXE
4820	PING.EXE
3960	PING.EXE
4368	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (13) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3692	Uni - Copy (13) - Copy - Copy.exe
Token: SeDebugPrivilege	5012	Client.exe
Token: SeDebugPrivilege	1444	Client.exe
Token: SeDebugPrivilege	5084	Client.exe
Token: SeDebugPrivilege	4912	Client.exe
Token: SeDebugPrivilege	2292	Client.exe
Token: SeDebugPrivilege	3300	Client.exe
Token: SeDebugPrivilege	1616	Client.exe
Token: SeDebugPrivilege	2252	Client.exe
Token: SeDebugPrivilege	5032	Client.exe
Token: SeDebugPrivilege	4584	Client.exe
Token: SeDebugPrivilege	4488	Client.exe
Token: SeDebugPrivilege	920	Client.exe
Token: SeDebugPrivilege	4896	Client.exe
Token: SeDebugPrivilege	528	Client.exe
Token: SeDebugPrivilege	3912	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
5012	Client.exe
1444	Client.exe
5084	Client.exe
4912	Client.exe
2292	Client.exe
3300	Client.exe
1616	Client.exe
2252	Client.exe
5032	Client.exe
4584	Client.exe
4488	Client.exe
920	Client.exe
4896	Client.exe
528	Client.exe
3912	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (13) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3692 wrote to memory of 1448	3692	Uni - Copy (13) - Copy - Copy.exe	schtasks.exe
PID 3692 wrote to memory of 1448	3692	Uni - Copy (13) - Copy - Copy.exe	schtasks.exe
PID 3692 wrote to memory of 1448	3692	Uni - Copy (13) - Copy - Copy.exe	schtasks.exe
PID 3692 wrote to memory of 5012	3692	Uni - Copy (13) - Copy - Copy.exe	Client.exe
PID 3692 wrote to memory of 5012	3692	Uni - Copy (13) - Copy - Copy.exe	Client.exe
PID 3692 wrote to memory of 5012	3692	Uni - Copy (13) - Copy - Copy.exe	Client.exe
PID 3692 wrote to memory of 3768	3692	Uni - Copy (13) - Copy - Copy.exe	SCHTASKS.exe
PID 3692 wrote to memory of 3768	3692	Uni - Copy (13) - Copy - Copy.exe	SCHTASKS.exe
PID 3692 wrote to memory of 3768	3692	Uni - Copy (13) - Copy - Copy.exe	SCHTASKS.exe
PID 5012 wrote to memory of 4936	5012	Client.exe	schtasks.exe
PID 5012 wrote to memory of 4936	5012	Client.exe	schtasks.exe
PID 5012 wrote to memory of 4936	5012	Client.exe	schtasks.exe
PID 5012 wrote to memory of 4604	5012	Client.exe	cmd.exe
PID 5012 wrote to memory of 4604	5012	Client.exe	cmd.exe
PID 5012 wrote to memory of 4604	5012	Client.exe	cmd.exe
PID 4604 wrote to memory of 1900	4604	cmd.exe	chcp.com
PID 4604 wrote to memory of 1900	4604	cmd.exe	chcp.com
PID 4604 wrote to memory of 1900	4604	cmd.exe	chcp.com
PID 4604 wrote to memory of 2580	4604	cmd.exe	PING.EXE
PID 4604 wrote to memory of 2580	4604	cmd.exe	PING.EXE
PID 4604 wrote to memory of 2580	4604	cmd.exe	PING.EXE
PID 4604 wrote to memory of 1444	4604	cmd.exe	Client.exe
PID 4604 wrote to memory of 1444	4604	cmd.exe	Client.exe
PID 4604 wrote to memory of 1444	4604	cmd.exe	Client.exe
PID 1444 wrote to memory of 3196	1444	Client.exe	schtasks.exe
PID 1444 wrote to memory of 3196	1444	Client.exe	schtasks.exe
PID 1444 wrote to memory of 3196	1444	Client.exe	schtasks.exe
PID 1444 wrote to memory of 3552	1444	Client.exe	cmd.exe
PID 1444 wrote to memory of 3552	1444	Client.exe	cmd.exe
PID 1444 wrote to memory of 3552	1444	Client.exe	cmd.exe
PID 3552 wrote to memory of 1284	3552	cmd.exe	chcp.com
PID 3552 wrote to memory of 1284	3552	cmd.exe	chcp.com
PID 3552 wrote to memory of 1284	3552	cmd.exe	chcp.com
PID 3552 wrote to memory of 4820	3552	cmd.exe	PING.EXE
PID 3552 wrote to memory of 4820	3552	cmd.exe	PING.EXE
PID 3552 wrote to memory of 4820	3552	cmd.exe	PING.EXE
PID 3552 wrote to memory of 5084	3552	cmd.exe	Client.exe
PID 3552 wrote to memory of 5084	3552	cmd.exe	Client.exe
PID 3552 wrote to memory of 5084	3552	cmd.exe	Client.exe
PID 5084 wrote to memory of 384	5084	Client.exe	schtasks.exe
PID 5084 wrote to memory of 384	5084	Client.exe	schtasks.exe
PID 5084 wrote to memory of 384	5084	Client.exe	schtasks.exe
PID 5084 wrote to memory of 4544	5084	Client.exe	cmd.exe
PID 5084 wrote to memory of 4544	5084	Client.exe	cmd.exe
PID 5084 wrote to memory of 4544	5084	Client.exe	cmd.exe
PID 4544 wrote to memory of 4284	4544	cmd.exe	chcp.com
PID 4544 wrote to memory of 4284	4544	cmd.exe	chcp.com
PID 4544 wrote to memory of 4284	4544	cmd.exe	chcp.com
PID 4544 wrote to memory of 3096	4544	cmd.exe	PING.EXE
PID 4544 wrote to memory of 3096	4544	cmd.exe	PING.EXE
PID 4544 wrote to memory of 3096	4544	cmd.exe	PING.EXE
PID 4544 wrote to memory of 4912	4544	cmd.exe	Client.exe
PID 4544 wrote to memory of 4912	4544	cmd.exe	Client.exe
PID 4544 wrote to memory of 4912	4544	cmd.exe	Client.exe
PID 4912 wrote to memory of 3932	4912	Client.exe	schtasks.exe
PID 4912 wrote to memory of 3932	4912	Client.exe	schtasks.exe
PID 4912 wrote to memory of 3932	4912	Client.exe	schtasks.exe
PID 4912 wrote to memory of 4772	4912	Client.exe	cmd.exe
PID 4912 wrote to memory of 4772	4912	Client.exe	cmd.exe
PID 4912 wrote to memory of 4772	4912	Client.exe	cmd.exe
PID 4772 wrote to memory of 1764	4772	cmd.exe	chcp.com
PID 4772 wrote to memory of 1764	4772	cmd.exe	chcp.com
PID 4772 wrote to memory of 1764	4772	cmd.exe	chcp.com
PID 4772 wrote to memory of 4368	4772	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1448

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j4rZfk9nDf4V.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1900

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2580

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0sZ6HarvP7to.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1284

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4820

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeTu5gOk4l2C.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4284

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3096

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USARhW6sGDrV.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:1764

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4368

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v6Tfr4bMQEkz.bat" "
11⤵
PID:1404

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:2296

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3572

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3300

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pe92dYiWb9Jz.bat" "
13⤵
PID:4488

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:3136

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3624

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZAtII9GtNVhM.bat" "
15⤵
PID:4276

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:3688

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4892

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WHSzi1JtfHop.bat" "
17⤵
PID:1740

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4628

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3960

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lZFYnwlWkA7z.bat" "
19⤵
PID:1464

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:528

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4048

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sHK3Si60BOBl.bat" "
21⤵
PID:3360

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:1904

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4480

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCYWsQNuoIcp.bat" "
23⤵
PID:4520

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2532

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2320

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:920

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bPnqIOKSwUZW.bat" "
25⤵
PID:2536

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:3932

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1764

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4896

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U0OzAKb41U6B.bat" "
27⤵
PID:3868

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:1016

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2932

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:528

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K6qJG4HbQWkv.bat" "
29⤵
PID:700

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:2256

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4900

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TJ5dg2EAYihc.bat" "
31⤵
PID:4632

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:3416

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1704
31⤵
- Program crash
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 1088
29⤵
- Program crash
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1096
27⤵
- Program crash
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 2224
25⤵
- Program crash
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1092
23⤵
- Program crash
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 2248
21⤵
- Program crash
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1712
19⤵
- Program crash
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 2248
17⤵
- Program crash
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 2224
15⤵
- Program crash
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 2248
13⤵
- Program crash
PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 1648
11⤵
- Program crash
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1092
9⤵
- Program crash
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 2200
7⤵
- Program crash
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1648
5⤵
- Program crash
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 1632
3⤵
- Program crash
PID:3020

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5012 -ip 5012
1⤵
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1444 -ip 1444
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5084 -ip 5084
1⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4912 -ip 4912
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2292 -ip 2292
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3300 -ip 3300
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1616 -ip 1616
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2252 -ip 2252
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5032 -ip 5032
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4584 -ip 4584
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4488 -ip 4488
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 920 -ip 920
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4896 -ip 4896
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 528 -ip 528
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3912 -ip 3912
1⤵
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0sZ6HarvP7to.bat
Filesize
207B

MD5
1dd5edff41a3df02e8fdb88cab4c175b

SHA1
b88695ce5870c92b157b3bef4a022826a543d0a1

SHA256
1afcaadd3cd04a91e31f36eede4357891a72ee02aa283d4839ea628394a10d16

SHA512
ec6921bbdc92ca75c277c02f696114fce2a5d9880d7014678e8678f5b3da26abb6d9ec4e7b27eb1c8c29bf1cc0fab01294530898e5a853c65c9eefb138ee7c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeTu5gOk4l2C.bat
Filesize
207B

MD5
3124e18e2cf0cd2857925a3f16853495

SHA1
3debcbe665a682773a26ffbc4501f5f692d39f4c

SHA256
352409969554e03e2c942f1f3491351dc940a787dbe3274d0b00f72eb0ce9a90

SHA512
1c1cc30c0d5006161a70a056232bda65dd24ccedfbacc37e1e396b981175028ba4227e0b38d3404b3ebb02851f727d3988485e03534438eb6e0b2f596320f9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\K6qJG4HbQWkv.bat
Filesize
207B

MD5
f1cb578283fecdf46338492fe3dbd295

SHA1
66ddc80062e1ec9a225d2bfbee0e603d57498f6d

SHA256
13c5346ae1caea145df5d2a9f1ba26c49c9d637ecefe68229d25418d8e9b2b5e

SHA512
e49696e41704936a71e04e0012c50c671a3820d2f329e90dbcfa5b7cc24965f9242eb2a644ac47aa851fe212d056bc374b380565af06a5ceeb83bc436a9b153e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SCYWsQNuoIcp.bat
Filesize
207B

MD5
f630836f6b995ea60c396f862c626618

SHA1
c016ec893c05db15c52eab58290604308f410097

SHA256
fcb38f4f5a41bad24631a63ffe44328806b215199bb3ff133dcae7d041e48de0

SHA512
9618dbe6a11d36bcc7d02f0adbcd27189e55ea26f7f87c8579cb55464901f41deb9e2b5ecaa9f0adf5aa1fc5d700552bbe77d08ea9fb11e6a8e422c2631ac42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TJ5dg2EAYihc.bat
Filesize
207B

MD5
fb0fef4348ab4f64b1b771076725ee3a

SHA1
ab8752b3e79d581d681c056752110c67f246634e

SHA256
27606f454b63deea5d048ea0498f7b6e6a105d97e4f5cc3ecd86a0e57796e7aa

SHA512
81e86a3ba8d6d1b2d11bac362eedc7a28081c44bb061325f6e9821db230b3288858ccfce5579ffa50064521098c6828eef8cf6b09fc093ffb16034a029d5d6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\U0OzAKb41U6B.bat
Filesize
207B

MD5
a6e08ac5cba91dfb22a78bb90fb85792

SHA1
cb341b74128c204c80d366fc5025d809f28451c4

SHA256
074dd37beb285db07889a74f6adae5fef7011f44716c1b45582c1146a4bd515e

SHA512
5b713941b3d07a7c37725ca2dffca147daec1bf2b6d0f628d4a6a7bb0613e7e3ac31ec770ac0bbed6581203c115a295dd29eda3687f3e97800f403ece7fa2026

Download Submit
C:\Users\Admin\AppData\Local\Temp\USARhW6sGDrV.bat
Filesize
207B

MD5
201263f33b92bcf190bcbf62237375c4

SHA1
6307d1dc699287d9598131374513e32fcd11c80b

SHA256
87e9f560ed4b1f34814131213fdc026a6c36bf4be4875a1a967205992c88f7b3

SHA512
3550c0350f466ff3c65c7fe78158001c1f712bbb23a2fb154cdf6aec575a4bd5ea77841ea23920cbe85a468161fc8c527e7f3742e06a29ed1104dbd0e10b077e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WHSzi1JtfHop.bat
Filesize
207B

MD5
5557825dfe3e51089fd2d4f0f241982d

SHA1
11f082b6d72e13f428f7f8672acc7cff139d63d5

SHA256
83a2f129790dca87e855cb4343cd077aa58e4dc792040db01ff55f660386ad35

SHA512
a8b7b382651233216da518a1b9fe7704a3b77da3b75407b82e207339740423c283e54a9feff2908c3921c8d47bc2578eb8c6eca6cf8ed601dd41ae1725140cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAtII9GtNVhM.bat
Filesize
207B

MD5
f1587153fbcd6204feaf95e60c12aafd

SHA1
584cb2eb7153f2821b6452263f696023c481e2ef

SHA256
733699f6b6bb6c0390c4a4332416a41ab9782bf632c4d225ac30b87b1c694779

SHA512
b3c95ceb31e298054e851f4433d975b81eabf4576ecefa78be0359f866ee5deeed08773a29f3efc27f72c2e552866e085cc90a5cfd7ff72cca4fea6d110f826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bPnqIOKSwUZW.bat
Filesize
207B

MD5
f80f0106acb916b95f1b3b621b6d7a0b

SHA1
7e16a63923f780be39c06011c9e142a5ce286d29

SHA256
de901407aa268e907c213b65b4f3025d459c5ef632f1162de951f580d7d305a0

SHA512
d5c631692179fbc3335bbd5736b46483162e2c542408a3c2128d809168be9dd01329c7119c6285107a019a91b55c94e7d7c234b1b25d743e29c0e8b86185c2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\j4rZfk9nDf4V.bat
Filesize
207B

MD5
6db1230155c759452255cdcde5def3b2

SHA1
a1bf060824973c67f2c84c34e032db3af52941d5

SHA256
3bb9767dbcc8d6a7b7fc5b067ef3f8cfee5f0aeb40de03df233b317386fa6734

SHA512
e219a144e7aa9f4b790c73dfbc1a5cb4edfabd26a717c032627a79a3ad97eef70a9791ea50ff08b51dfb663c06c1b027f02a29a6b89c701f046fc05c54bc1997

Download Submit
C:\Users\Admin\AppData\Local\Temp\lZFYnwlWkA7z.bat
Filesize
207B

MD5
31e12c1470c26ea735c8f549a795ed8b

SHA1
1ba55229150e37c1a5129e3dff839b7afff3fbf9

SHA256
fd67a2bd405078c50c27fafcb01fb67766ef6c2f930da621587b8b899123e0dd

SHA512
bc78b710e0e3fd7a989c1eb19d4c6d2d288d4666ac4f1a5c709f8b7f03a086f2fae06c11a14474d32caae92216e9419048c4c05d358661545a4083c6cb90e2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pe92dYiWb9Jz.bat
Filesize
207B

MD5
34898a6e6e9c16f93bbb24b72ca3018c

SHA1
99b01308bf18d0efbbbf56078a9e7c979ecaf041

SHA256
a047f7d6f8f3e90f0d16fb527421037fd75f3e2a98e6a18169068f655ccdbc64

SHA512
791fe14e75c213dca75428161bbe7f38a19396ae0be792756f0df8ffd7498afac66d39d14d768b3c79568f44f7de99d4e0e16c723641d13df6e4d4eb1ecae03c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sHK3Si60BOBl.bat
Filesize
207B

MD5
553237468e711496dd50c8652a1edbc5

SHA1
b5d188231ec40b37d549ec50825fc40f3f3e49c5

SHA256
7756eedf55c40888d1e2eaeee81ebd9bb5ef731ba6a45860bfa5b9cd2c244c4c

SHA512
7272e8d8504e907ee7cc63d36625c4595e208715fcd5f1d4409c91bb00b79052f906f518ce268cec501010a27737d35fca3d96105608efba844308e035efe8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\v6Tfr4bMQEkz.bat
Filesize
207B

MD5
e4c6f084e072ce605a354e2175a83947

SHA1
76d203fb63c8d0302517233d5ef3d9643a486a37

SHA256
1f8fb06f599887f6cb6be6dfb849a99b1d9c310b9f8960043a787c1d8c11b831

SHA512
15dace867cc129e3186ccb450c7923fd10fc6ffc90b6e4f8956886c41eceeeb4da770f2cd47957eefd01deade9ec4c3390c0ccfebd7c39a17cb3728ceaae0f22

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
5a583eb94dcbc0fe0bf8cb64d8238bf8

SHA1
b459e19c6ce862b645661cfb7833e73ff4fc4bb7

SHA256
2b521d0cfd1ac3214cef0f2e7dd2875f8096fd869466f1984686350f094392e2

SHA512
9577aa2cf6cd67431b31a0762763b9c3d4eee7a7a9ee701381c74434c561a8643d1545d1de55e9c003688308ec85f67843358eb704512021e9081090da8d22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
3d5895da8987e1391a517c9a243e0d9f

SHA1
4bb3e9c513f4aa7ffc210a4b60a65a5d4e5a5534

SHA256
1a22c976d068349baaae91f0fefe9e9bc802aa97cb1e7feb539512ab99ac4614

SHA512
159a0bd1b6071d92be7dc3fe3493a0e8c08ae7c30ad6ef621e67986d4dd0c57b38453c00f32fa274d2c92d6064762662d1f1b2f51c4e0107afa3e0473cb5d421

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
e431b7b8d825d1d0236913492657f95c

SHA1
43f2580cfb34eb0ed9199e59b5868d60f4792fb9

SHA256
8c5bc7f7041976c7dc6ce0915b72721b5a5801ce0daa53fe8cf5e4138053556c

SHA512
b6a64f7c9a9e2caa7207916a030d84503541e60d395d7c8041af5ae6d7024d4082a2d8e3d14172d46bcbc10ac94958f0f2823edaded27d244e434df64f5fef66

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
566f50d0bb2a20685280268dd4fdc848

SHA1
1ea9d0ab06b28a6ca07b7de29165f13c870cedc4

SHA256
eb0d28be737b40d56f86865213e5c2e767a662bae893be7713833d6eb30a35dd

SHA512
4759cb5cc2463783289a1d3ea1964555b5312d472622fd429f46e2ef054f379bb53d95b8842059b7ff0407c08330cd4b2fcb20394dfaae4dbd157cb5d57a4461

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
23f9ea9da0915528a2b79c52018de00b

SHA1
2d6ed46a5d1381da6345e68d7f0ec9df7607a3e0

SHA256
5301bddd4f3afaf52e456bb0aa7e783e06cde93d76973127b35e0e9de3e84af2

SHA512
50739f59c1d4ddbf486cb6e7d9152acad86af3b53a1a465588fe6720272174ac90f282941536dace7b9a09fcba4e87f040f1eb1e103560bf1c1a044791076319

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
2a09211c0eb539f201016fade56326bd

SHA1
7cf161f429ef63839934116885d010f4763b8c86

SHA256
5dbe37cdb3acce345995d39b2dc1b36daf44605776502c4aa8164a8ad9a14cf5

SHA512
e00f5654418a06ee2d71ac0e61cfb92a470252cf15cd77f197063ef591238491ce98f3ebab192cdb009f9bdf67e88b6f26ffd74eb09dae3c2c52da221ef6fe47

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/3692-3-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/3692-6-0x0000000005F40000-0x0000000005F52000-memory.dmp

Filesize
72KB

Download
memory/3692-7-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/3692-5-0x00000000052F0000-0x0000000005356000-memory.dmp

Filesize
408KB

Download
memory/3692-1-0x00000000007C0000-0x000000000082C000-memory.dmp

Filesize
432KB

Download
memory/3692-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/3692-2-0x0000000005710000-0x0000000005CB4000-memory.dmp

Filesize
5.6MB

Download
memory/3692-8-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3692-16-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3692-4-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/5012-24-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/5012-15-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/5012-17-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/5012-19-0x0000000006AF0000-0x0000000006AFA000-memory.dmp

Filesize
40KB

Download