quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
298s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (13) - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral24/memory/2408-1-0x0000000000600000-0x000000000066C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1756	Client.exe
1276	Client.exe
412	Client.exe
1236	Client.exe
2472	Client.exe
5056	Client.exe
1340	Client.exe
1960	Client.exe
2020	Client.exe
936	Client.exe
3192	Client.exe
3404	Client.exe
3084	Client.exe
1688	Client.exe
4216	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
20	ip-api.com
32	ip-api.com
16	ip-api.com
39	ip-api.com
27	ip-api.com
35	ip-api.com
3	ip-api.com
11	api.ipify.org
22	ip-api.com
37	ip-api.com
18	ip-api.com
25	ip-api.com
30	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1932	1756	WerFault.exe	Client.exe
2740	1276	WerFault.exe	Client.exe
4872	412	WerFault.exe	Client.exe
1116	1236	WerFault.exe	Client.exe
2696	2472	WerFault.exe	Client.exe
2256	5056	WerFault.exe	Client.exe
2844	1340	WerFault.exe	Client.exe
5064	1960	WerFault.exe	Client.exe
3320	2020	WerFault.exe	Client.exe
3952	936	WerFault.exe	Client.exe
4720	3192	WerFault.exe	Client.exe
2060	3404	WerFault.exe	Client.exe
3100	3084	WerFault.exe	Client.exe
4556	1688	WerFault.exe	Client.exe
3016	4216	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3020	schtasks.exe
2900	schtasks.exe
3208	schtasks.exe
4676	schtasks.exe
3920	schtasks.exe
2760	schtasks.exe
2968	schtasks.exe
3652	schtasks.exe
4460	SCHTASKS.exe
548	schtasks.exe
4848	schtasks.exe
5084	schtasks.exe
3696	schtasks.exe
1384	schtasks.exe
3380	schtasks.exe
1668	schtasks.exe
1668	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4024	PING.EXE
468	PING.EXE
2356	PING.EXE
3568	PING.EXE
512	PING.EXE
3368	PING.EXE
1076	PING.EXE
4156	PING.EXE
4248	PING.EXE
4496	PING.EXE
3192	PING.EXE
1580	PING.EXE
3176	PING.EXE
1516	PING.EXE
1508	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (13) - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2408	Uni - Copy (13) - Copy.exe
Token: SeDebugPrivilege	1756	Client.exe
Token: SeDebugPrivilege	1276	Client.exe
Token: SeDebugPrivilege	412	Client.exe
Token: SeDebugPrivilege	1236	Client.exe
Token: SeDebugPrivilege	2472	Client.exe
Token: SeDebugPrivilege	5056	Client.exe
Token: SeDebugPrivilege	1340	Client.exe
Token: SeDebugPrivilege	1960	Client.exe
Token: SeDebugPrivilege	2020	Client.exe
Token: SeDebugPrivilege	936	Client.exe
Token: SeDebugPrivilege	3192	Client.exe
Token: SeDebugPrivilege	3404	Client.exe
Token: SeDebugPrivilege	3084	Client.exe
Token: SeDebugPrivilege	1688	Client.exe
Token: SeDebugPrivilege	4216	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1756	Client.exe
1276	Client.exe
412	Client.exe
1236	Client.exe
2472	Client.exe
5056	Client.exe
1340	Client.exe
1960	Client.exe
2020	Client.exe
936	Client.exe
3192	Client.exe
3404	Client.exe
3084	Client.exe
1688	Client.exe
4216	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (13) - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2408 wrote to memory of 1384	2408	Uni - Copy (13) - Copy.exe	schtasks.exe
PID 2408 wrote to memory of 1384	2408	Uni - Copy (13) - Copy.exe	schtasks.exe
PID 2408 wrote to memory of 1384	2408	Uni - Copy (13) - Copy.exe	schtasks.exe
PID 2408 wrote to memory of 1756	2408	Uni - Copy (13) - Copy.exe	Client.exe
PID 2408 wrote to memory of 1756	2408	Uni - Copy (13) - Copy.exe	Client.exe
PID 2408 wrote to memory of 1756	2408	Uni - Copy (13) - Copy.exe	Client.exe
PID 2408 wrote to memory of 4460	2408	Uni - Copy (13) - Copy.exe	SCHTASKS.exe
PID 2408 wrote to memory of 4460	2408	Uni - Copy (13) - Copy.exe	SCHTASKS.exe
PID 2408 wrote to memory of 4460	2408	Uni - Copy (13) - Copy.exe	SCHTASKS.exe
PID 1756 wrote to memory of 548	1756	Client.exe	schtasks.exe
PID 1756 wrote to memory of 548	1756	Client.exe	schtasks.exe
PID 1756 wrote to memory of 548	1756	Client.exe	schtasks.exe
PID 1756 wrote to memory of 1344	1756	Client.exe	cmd.exe
PID 1756 wrote to memory of 1344	1756	Client.exe	cmd.exe
PID 1756 wrote to memory of 1344	1756	Client.exe	cmd.exe
PID 1344 wrote to memory of 4004	1344	cmd.exe	chcp.com
PID 1344 wrote to memory of 4004	1344	cmd.exe	chcp.com
PID 1344 wrote to memory of 4004	1344	cmd.exe	chcp.com
PID 1344 wrote to memory of 1516	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 1516	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 1516	1344	cmd.exe	PING.EXE
PID 1344 wrote to memory of 1276	1344	cmd.exe	Client.exe
PID 1344 wrote to memory of 1276	1344	cmd.exe	Client.exe
PID 1344 wrote to memory of 1276	1344	cmd.exe	Client.exe
PID 1276 wrote to memory of 3920	1276	Client.exe	schtasks.exe
PID 1276 wrote to memory of 3920	1276	Client.exe	schtasks.exe
PID 1276 wrote to memory of 3920	1276	Client.exe	schtasks.exe
PID 1276 wrote to memory of 5016	1276	Client.exe	cmd.exe
PID 1276 wrote to memory of 5016	1276	Client.exe	cmd.exe
PID 1276 wrote to memory of 5016	1276	Client.exe	cmd.exe
PID 5016 wrote to memory of 5088	5016	cmd.exe	chcp.com
PID 5016 wrote to memory of 5088	5016	cmd.exe	chcp.com
PID 5016 wrote to memory of 5088	5016	cmd.exe	chcp.com
PID 5016 wrote to memory of 4024	5016	cmd.exe	PING.EXE
PID 5016 wrote to memory of 4024	5016	cmd.exe	PING.EXE
PID 5016 wrote to memory of 4024	5016	cmd.exe	PING.EXE
PID 5016 wrote to memory of 412	5016	cmd.exe	Client.exe
PID 5016 wrote to memory of 412	5016	cmd.exe	Client.exe
PID 5016 wrote to memory of 412	5016	cmd.exe	Client.exe
PID 412 wrote to memory of 3020	412	Client.exe	schtasks.exe
PID 412 wrote to memory of 3020	412	Client.exe	schtasks.exe
PID 412 wrote to memory of 3020	412	Client.exe	schtasks.exe
PID 412 wrote to memory of 4916	412	Client.exe	cmd.exe
PID 412 wrote to memory of 4916	412	Client.exe	cmd.exe
PID 412 wrote to memory of 4916	412	Client.exe	cmd.exe
PID 4916 wrote to memory of 716	4916	cmd.exe	chcp.com
PID 4916 wrote to memory of 716	4916	cmd.exe	chcp.com
PID 4916 wrote to memory of 716	4916	cmd.exe	chcp.com
PID 4916 wrote to memory of 4496	4916	cmd.exe	PING.EXE
PID 4916 wrote to memory of 4496	4916	cmd.exe	PING.EXE
PID 4916 wrote to memory of 4496	4916	cmd.exe	PING.EXE
PID 4916 wrote to memory of 1236	4916	cmd.exe	Client.exe
PID 4916 wrote to memory of 1236	4916	cmd.exe	Client.exe
PID 4916 wrote to memory of 1236	4916	cmd.exe	Client.exe
PID 1236 wrote to memory of 2900	1236	Client.exe	schtasks.exe
PID 1236 wrote to memory of 2900	1236	Client.exe	schtasks.exe
PID 1236 wrote to memory of 2900	1236	Client.exe	schtasks.exe
PID 1236 wrote to memory of 452	1236	Client.exe	cmd.exe
PID 1236 wrote to memory of 452	1236	Client.exe	cmd.exe
PID 1236 wrote to memory of 452	1236	Client.exe	cmd.exe
PID 452 wrote to memory of 4724	452	cmd.exe	chcp.com
PID 452 wrote to memory of 4724	452	cmd.exe	chcp.com
PID 452 wrote to memory of 4724	452	cmd.exe	chcp.com
PID 452 wrote to memory of 468	452	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1384

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V03PYytV1Bgh.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4004

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1516

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\olpA3MPBIYXK.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:5088

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4024

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C8El6LET7fd1.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:716

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4496

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MMEEG1pSgSDv.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:452

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4724

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:468

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rZQm5zHmxLeu.bat" "
11⤵
PID:4448

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:548

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2356

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caKrWmREPfvB.bat" "
13⤵
PID:1440

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:3292

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3192

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PfxSplxRIts2.bat" "
15⤵
PID:4836

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:860

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:512

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5AtyhcLUYSYV.bat" "
17⤵
PID:4572

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:1236

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3368

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5qM0ltMLx4ES.bat" "
19⤵
PID:2408

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:4132

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1580

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYRVPfhpPJIE.bat" "
21⤵
PID:2168

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:2528

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1076

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3192

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KTMTlP9ZNciP.bat" "
23⤵
PID:2036

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4476

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3176

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dH7bPHNaeHcN.bat" "
25⤵
PID:4724

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:928

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4156

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOgIpAQbx3jr.bat" "
27⤵
PID:816

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3592

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3568

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U31xaI3ySwv5.bat" "
29⤵
PID:1516

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:64

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:1508

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4216

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwdwRW0E3DyM.bat" "
31⤵
PID:2256

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:1956

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2232
31⤵
- Program crash
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1524
29⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1672
27⤵
- Program crash
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1712
25⤵
- Program crash
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1092
23⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1720
21⤵
- Program crash
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 2248
19⤵
- Program crash
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 1516
17⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 1092
15⤵
- Program crash
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 1092
13⤵
- Program crash
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1644
11⤵
- Program crash
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 1656
9⤵
- Program crash
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 2196
7⤵
- Program crash
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1644
5⤵
- Program crash
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 2164
3⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1756 -ip 1756
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1276 -ip 1276
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 412 -ip 412
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1236 -ip 1236
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2472 -ip 2472
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5056 -ip 5056
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1340 -ip 1340
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1960 -ip 1960
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2020 -ip 2020
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 936 -ip 936
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3192 -ip 3192
1⤵
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3404 -ip 3404
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3084 -ip 3084
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1688 -ip 1688
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4216 -ip 4216
1⤵
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5AtyhcLUYSYV.bat
Filesize
207B

MD5
dc8847e6a864c4d67a68c47d4c093a72

SHA1
de85882294445d1e829dda604c271b833b411b92

SHA256
2abbf0f2491123498a07773c39826bcee91fabf04b7a37c876045c58ab220ecc

SHA512
354a4367c3ec3ea95a28a749e96bfd0f56121ba345ca87276ab5fcfa6cdd92cbe3a8e669536816067795765c8d4a047aea98e339f4b98e0668efe9b029c7e4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5qM0ltMLx4ES.bat
Filesize
207B

MD5
9e58f0f30994a2af762784fe3558c2e9

SHA1
6bd4d6211b1149c40a97b65e730751f3b84e55d6

SHA256
0fe1973d0dbf0479821d9b3400aa445ecb730f2e47ad4933906598a3fc1725ff

SHA512
f09df30a22c71b2345726e1dc487d7d202cce3d13418468ad4f6660e326883c7a287ef93c6aa0a2a9a075bf9bda2e852a102678de799e9ebb74df5c6670ab1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C8El6LET7fd1.bat
Filesize
207B

MD5
f4fa4265425039619f2987b9323e5e04

SHA1
4e1961a2092d5864a4e7ee11397a252a0200fd10

SHA256
e85014b624f217edc74ce8f12a8de931cf7de7f6784596d875fc5d9c220558a7

SHA512
b6bd97748849d48d550bcf1db0f2a5f4e67ebaf9f2ff1b801fe9278184b67838362c80ef70414d31fb3e8027c3d14dae618c6fc5a2ef954f61e215097bab36b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DYRVPfhpPJIE.bat
Filesize
207B

MD5
fa3c37023f3725a647a8aaf44ca89314

SHA1
1ed0e4c6bf9d71ceb8f8e73a1a95effa77784356

SHA256
f02a42ca43a9e509f1e023b5acfc3350b451d3c88160209d4a8972481cbf7a74

SHA512
9a7cc2bb54a27f16371545c3f33e1be3ddbcf21574ca62ce3088af6d4861d1c1b63ad2e5b8d220f15f01955ff30d3295c882a56980827eec7b14e066d1d115e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KTMTlP9ZNciP.bat
Filesize
207B

MD5
7c61bcef213ba755c641f5c7eb59ea65

SHA1
3c1b3a98af68a24ab1d86f761540b942a98a494d

SHA256
acdc8e0234272127d1b7ddb7c7e2a8722bc24442317690166334ea06536b9961

SHA512
4274ead6bbbf76cd52412b1a322fe2bcbabd030041a15058c4eb192d7dbd4a071f74a38f32700e1456478e4c2021a088d7642f01a2c4c538594456c56461d667

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMEEG1pSgSDv.bat
Filesize
207B

MD5
4c02ddba076d2401f34a6db7b4b6207a

SHA1
2b16c0f8f08ce6d675753d440104d2efff8269a2

SHA256
b4e5f2c395ef678509cf0f06827e1ed0d9a2667db9a1bd0b65512f3a99803b64

SHA512
f388d06086b5ac4450f29725d5825aebcbc0a4873bea9c23ac2ecface24e3ed8e9e000ff0cc80cb85880772484ebb558af85b458fb57616a607b7858cee575ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfxSplxRIts2.bat
Filesize
207B

MD5
018ce2b4a7a2846fe65cf73810e53114

SHA1
a86afd2e4fc083ab9ce28414759597225d80d8ee

SHA256
e11f22089452897b32e3e7f207d39b744de1db9054c1a97051a582fc2124e78f

SHA512
c9de8f9de08fe26330ec792a5ca214c795cc47b8f618dabf44972ec0855f4678145c9d95b8c053da91cca85734c736cb6f75cbaa9c4b64a257c71089acf4da35

Download Submit
C:\Users\Admin\AppData\Local\Temp\U31xaI3ySwv5.bat
Filesize
207B

MD5
2a089019478fa6a198cefafbc8288977

SHA1
20121165c3f6367cd58170ea045b2f2a59714908

SHA256
6cd96653a4e9e45d5a704638ad231ce77601b25032a1c8287b12d09019d5eb60

SHA512
bcfff96929bad4ae585928060d90e80a29b4b8f207674e035fc30da7f99caf7787cf9cf00264d9fd2c729882bfb6769ccf691bf0f725d333b157182553bd18b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\V03PYytV1Bgh.bat
Filesize
207B

MD5
8665d218226c5250e1a4d4ba4251e1b4

SHA1
82a7a4697e3d69f48320a8ce317a53c9c4e0047a

SHA256
721bbd953356c5391b22c0fd75335201eeec0f43d5bc6ddbf4f048b66aff10bb

SHA512
10854cda698849c41cf7579ac2af585229a135a19fd544b4bf4f814f30859e935b6b56127fe8d0b877f160f02ab4b2b436d3575eeb0fb8b2952c1a822b6924d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bOgIpAQbx3jr.bat
Filesize
207B

MD5
feb02e337e00e6d1eb7acde8d5c4eefd

SHA1
d5b78548325bbfc6661c29f8c207f770ba46cee2

SHA256
82ac3c5a439a7cc08ef16a28845480975778ad4b59768990f546c707602d37a8

SHA512
de531c5cba13aa8093d40135e9c5ac95a904036871d11c4a7f84308498b22153bfa51b114240dfba63a3c483800295761889512b6645b27359af9a9ef020afb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\caKrWmREPfvB.bat
Filesize
207B

MD5
b99ca64307f9664e9e53aa5dfa56f8a7

SHA1
003d93c8d21a4c68e539b54514294518cec9b025

SHA256
1c19a54d41127fba3738417e7d61ae93a564e8f8972258f5929fe3a77fb1fe6e

SHA512
4bb021d304e0c7375a7abcec24b5aeb733ff300a892b0c8e76f8b2af9017e0b2bd4033d3707fb5b8ca7f913ca46eb4aa0fd0d7af379e9f632f88550c8e5488bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dH7bPHNaeHcN.bat
Filesize
207B

MD5
6300365b2fc09f5c81eaa7d00d967831

SHA1
06973bc23c1b07ddb09e90f9e9c5422fa4f28ab4

SHA256
63cefc549fec60f0afb6acc2b294b3435e82b00a0de48ef4c7d2ef59734d84b7

SHA512
ef2077f433acca0b0c4568c18eb16d35b8b6167c77b7be926f4648580afda7484913f7fa4fc881a0507268ef86971dd86d58cbd7b8b9e949ab07daa4ca970753

Download Submit
C:\Users\Admin\AppData\Local\Temp\olpA3MPBIYXK.bat
Filesize
207B

MD5
217899969d00cbbd3e263eab786163cf

SHA1
01919fac7e22f7d6899b09793b1c1794b5f5b535

SHA256
428cdc160a0b8e1d164a6ab5435d74e91f06abfb4a707a73e55450b8ce9ec479

SHA512
b78b1e07e8080a7347e49ee18d8f993c22637b514765d393179442254708bdd9be15a41dfeee93cf863b12e98e01ac7840bc56ec889be50c57e30a4a2fc4d9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZQm5zHmxLeu.bat
Filesize
207B

MD5
eabb42b9b3a1920be3520b5dc8072791

SHA1
06b7968419c5934e2d019881e3e9dd65b3d175e4

SHA256
621458dac7301d3c30b6045441e98dddec2a49a6fbe063e76c750f00e0bb148c

SHA512
164d947a3bc4d463c62748484b82b380d9c29a8971dbf1475171d3536320e7d805b6e9bbebb524554df3865b249aa73bc30fc5288f197c9ac894654739a6e13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwdwRW0E3DyM.bat
Filesize
207B

MD5
6d89d7c7cf1aa65d8d4f7f349602782f

SHA1
da7712e35cb42d6a02393f2fd749d16ffa733af9

SHA256
685483c38d3a584223981539b31f3f3131887214e17ded8293e08f941bc37116

SHA512
d7398672a7b6c6bd1fa8931f0ee9e02fc3d716cfc55a3b47d7665b49ce2cda7c33c6e0a370cf83789ec79579f2dad57c4157376080c29850da4bc0318beb7fbe

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
0d42f062dcac90c2480bb300c6556000

SHA1
0843eac63afe066ee95d028630c63868df5a8edc

SHA256
4e19a1c5dd16cc6aba072b902f15c5785941450e52d455d76ea2568252ce4737

SHA512
eb9443f9e36bf91412ec8590d9dd8ffa93edab43d1b99f93ca316918495f4155574f77841fd9b951bfc7cd77410fd349568aaabe5d1a81332da074f25149167d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
fb2a9a4160b8c71e08b4b910f978984c

SHA1
3b1c1100f7791822082d79e3535260ba4d94cb5e

SHA256
6c0be66cd98a2d38b573457ec5afd03bee6f80789d04e16493c4679145b0b2e9

SHA512
391396aaded445635b1cf8169e8b0053922c95c7e3599a9f61f5571d01beca3c1181d53254ac6a52902db29772b2a6be1b22203d11cb8db5d838890248d34a9f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
ca6d495809fc66fef2f80801f99b988b

SHA1
932a9f804b3bf2245e50dbf11cb5a972939c8d00

SHA256
50dc0711fa714f161cd4ac2d4034d1396002af261ee84df6920467ab5abf619c

SHA512
5c8d52330ecae09ee4fdc1196f02c96899bec59709119286388f642c2053b5a76e807aebb444cd9b7152500f36608c8f71847f47668daec0c190471e2cd4fa81

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
a8aad513901d3e48ad4b08475be13113

SHA1
cfa74b58113d50ede2386465a7e9d612b35daf46

SHA256
f92f2530ff2342c0972931484bc06ceba782ab0591dcf3962b6b1d863804900c

SHA512
78b3b8b763e310f905c1d402ea98646add609b3d08cd0f3ebff4e5a018f5346068f169251ee24cfaf9f1650d6908eaee607edf9b8197ed96800bb032d8b35d14

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
671fa015b2a7ec5df347033e39a30ef0

SHA1
28f43c1f78d61a4e0dfba66c79c544901426c801

SHA256
b861174a78691a479192ce44b54b08de9f9f30d2c1770fe105d2088f9f12a994

SHA512
d3c1d6dd7c922264d1faad4e39616fb860868b6dfc8b005460b313afec3cf8011dbff5aeb671b74e4065081c384ddfc2327cd8be66c53ac71071bba95c1d3c0b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
bfc5cff2e60ff8d0ed1a3c91551b1caa

SHA1
111df6f23c9b590bddbffcd6c6c361fb5b9b2353

SHA256
20a89d4109c8fbff1d72a3ce5885ac6bc646cf9228832d7cbe305933d47514f0

SHA512
e3743ddef6bffc9258bf42d7d4d1cc3d454e1be479a50ae322e66109a910d9cbbafe26fcbf5add3c89f78e23b40efd0403552d3f07ae620078f012eb512b3e5d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
fe5300371a7d1851af5bcd6f5eae06aa

SHA1
8ccd6e85146c295e186398b803a83668e289073d

SHA256
fd011a3d6b992aedc5ec7a83099e1d56f44e284bf4b95ec6735dfc92d5fde146

SHA512
c2fa063cb8ef581aad4a3ad63653138caa67a6af8f8fc16387fccb416b88c4a7d5f44279b092f3200808226ecff0087b62be7443490bdc77cf9746751822b68b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1756-15-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/1756-17-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/1756-19-0x0000000006240000-0x000000000624A000-memory.dmp

Filesize
40KB

Download
memory/1756-24-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/2408-6-0x0000000005D50000-0x0000000005D62000-memory.dmp

Filesize
72KB

Download
memory/2408-8-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/2408-7-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2408-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2408-16-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/2408-5-0x0000000005110000-0x0000000005176000-memory.dmp

Filesize
408KB

Download
memory/2408-4-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/2408-3-0x0000000005070000-0x0000000005102000-memory.dmp

Filesize
584KB

Download
memory/2408-2-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/2408-1-0x0000000000600000-0x000000000066C000-memory.dmp

Filesize
432KB

Download