quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
297s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (14) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral28/memory/2296-1-0x0000000000E30000-0x0000000000E9C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
5108	Client.exe
992	Client.exe
1700	Client.exe
2968	Client.exe
3224	Client.exe
2384	Client.exe
1368	Client.exe
1392	Client.exe
4596	Client.exe
4064	Client.exe
824	Client.exe
4368	Client.exe
2356	Client.exe
1460	Client.exe
3628	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	ip-api.com
8	api.ipify.org
25	ip-api.com
33	ip-api.com
19	ip-api.com
22	ip-api.com
35	ip-api.com
13	ip-api.com
15	ip-api.com
29	ip-api.com
31	ip-api.com
17	ip-api.com
27	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4656	5108	WerFault.exe	Client.exe
4648	992	WerFault.exe	Client.exe
4360	1700	WerFault.exe	Client.exe
4480	2968	WerFault.exe	Client.exe
2776	3224	WerFault.exe	Client.exe
1792	2384	WerFault.exe	Client.exe
2964	1368	WerFault.exe	Client.exe
3756	1392	WerFault.exe	Client.exe
1936	4596	WerFault.exe	Client.exe
4676	4064	WerFault.exe	Client.exe
4852	824	WerFault.exe	Client.exe
3776	4368	WerFault.exe	Client.exe
1904	2356	WerFault.exe	Client.exe
3200	1460	WerFault.exe	Client.exe
4868	3628	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2144	schtasks.exe
1988	schtasks.exe
1876	schtasks.exe
3412	schtasks.exe
984	schtasks.exe
4028	schtasks.exe
1900	schtasks.exe
4596	schtasks.exe
3180	schtasks.exe
3980	schtasks.exe
3628	schtasks.exe
5024	schtasks.exe
3040	SCHTASKS.exe
1904	schtasks.exe
2172	schtasks.exe
2796	schtasks.exe
3476	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3124	PING.EXE
3944	PING.EXE
524	PING.EXE
1752	PING.EXE
4924	PING.EXE
3016	PING.EXE
4492	PING.EXE
2588	PING.EXE
3612	PING.EXE
2752	PING.EXE
1588	PING.EXE
4104	PING.EXE
4168	PING.EXE
2756	PING.EXE
4408	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (14) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2296	Uni - Copy (14) - Copy - Copy.exe
Token: SeDebugPrivilege	5108	Client.exe
Token: SeDebugPrivilege	992	Client.exe
Token: SeDebugPrivilege	1700	Client.exe
Token: SeDebugPrivilege	2968	Client.exe
Token: SeDebugPrivilege	3224	Client.exe
Token: SeDebugPrivilege	2384	Client.exe
Token: SeDebugPrivilege	1368	Client.exe
Token: SeDebugPrivilege	1392	Client.exe
Token: SeDebugPrivilege	4596	Client.exe
Token: SeDebugPrivilege	4064	Client.exe
Token: SeDebugPrivilege	824	Client.exe
Token: SeDebugPrivilege	4368	Client.exe
Token: SeDebugPrivilege	2356	Client.exe
Token: SeDebugPrivilege	1460	Client.exe
Token: SeDebugPrivilege	3628	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
5108	Client.exe
992	Client.exe
1700	Client.exe
2968	Client.exe
3224	Client.exe
2384	Client.exe
1368	Client.exe
1392	Client.exe
4596	Client.exe
4064	Client.exe
824	Client.exe
4368	Client.exe
2356	Client.exe
1460	Client.exe
3628	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (14) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2296 wrote to memory of 2796	2296	Uni - Copy (14) - Copy - Copy.exe	schtasks.exe
PID 2296 wrote to memory of 2796	2296	Uni - Copy (14) - Copy - Copy.exe	schtasks.exe
PID 2296 wrote to memory of 2796	2296	Uni - Copy (14) - Copy - Copy.exe	schtasks.exe
PID 2296 wrote to memory of 5108	2296	Uni - Copy (14) - Copy - Copy.exe	Client.exe
PID 2296 wrote to memory of 5108	2296	Uni - Copy (14) - Copy - Copy.exe	Client.exe
PID 2296 wrote to memory of 5108	2296	Uni - Copy (14) - Copy - Copy.exe	Client.exe
PID 2296 wrote to memory of 3040	2296	Uni - Copy (14) - Copy - Copy.exe	SCHTASKS.exe
PID 2296 wrote to memory of 3040	2296	Uni - Copy (14) - Copy - Copy.exe	SCHTASKS.exe
PID 2296 wrote to memory of 3040	2296	Uni - Copy (14) - Copy - Copy.exe	SCHTASKS.exe
PID 5108 wrote to memory of 1904	5108	Client.exe	schtasks.exe
PID 5108 wrote to memory of 1904	5108	Client.exe	schtasks.exe
PID 5108 wrote to memory of 1904	5108	Client.exe	schtasks.exe
PID 5108 wrote to memory of 4636	5108	Client.exe	cmd.exe
PID 5108 wrote to memory of 4636	5108	Client.exe	cmd.exe
PID 5108 wrote to memory of 4636	5108	Client.exe	cmd.exe
PID 4636 wrote to memory of 2104	4636	cmd.exe	chcp.com
PID 4636 wrote to memory of 2104	4636	cmd.exe	chcp.com
PID 4636 wrote to memory of 2104	4636	cmd.exe	chcp.com
PID 4636 wrote to memory of 2752	4636	cmd.exe	PING.EXE
PID 4636 wrote to memory of 2752	4636	cmd.exe	PING.EXE
PID 4636 wrote to memory of 2752	4636	cmd.exe	PING.EXE
PID 4636 wrote to memory of 992	4636	cmd.exe	Client.exe
PID 4636 wrote to memory of 992	4636	cmd.exe	Client.exe
PID 4636 wrote to memory of 992	4636	cmd.exe	Client.exe
PID 992 wrote to memory of 3476	992	Client.exe	schtasks.exe
PID 992 wrote to memory of 3476	992	Client.exe	schtasks.exe
PID 992 wrote to memory of 3476	992	Client.exe	schtasks.exe
PID 992 wrote to memory of 2868	992	Client.exe	cmd.exe
PID 992 wrote to memory of 2868	992	Client.exe	cmd.exe
PID 992 wrote to memory of 2868	992	Client.exe	cmd.exe
PID 2868 wrote to memory of 1948	2868	cmd.exe	chcp.com
PID 2868 wrote to memory of 1948	2868	cmd.exe	chcp.com
PID 2868 wrote to memory of 1948	2868	cmd.exe	chcp.com
PID 2868 wrote to memory of 1588	2868	cmd.exe	PING.EXE
PID 2868 wrote to memory of 1588	2868	cmd.exe	PING.EXE
PID 2868 wrote to memory of 1588	2868	cmd.exe	PING.EXE
PID 2868 wrote to memory of 1700	2868	cmd.exe	Client.exe
PID 2868 wrote to memory of 1700	2868	cmd.exe	Client.exe
PID 2868 wrote to memory of 1700	2868	cmd.exe	Client.exe
PID 1700 wrote to memory of 3180	1700	Client.exe	schtasks.exe
PID 1700 wrote to memory of 3180	1700	Client.exe	schtasks.exe
PID 1700 wrote to memory of 3180	1700	Client.exe	schtasks.exe
PID 1700 wrote to memory of 856	1700	Client.exe	cmd.exe
PID 1700 wrote to memory of 856	1700	Client.exe	cmd.exe
PID 1700 wrote to memory of 856	1700	Client.exe	cmd.exe
PID 856 wrote to memory of 4336	856	cmd.exe	chcp.com
PID 856 wrote to memory of 4336	856	cmd.exe	chcp.com
PID 856 wrote to memory of 4336	856	cmd.exe	chcp.com
PID 856 wrote to memory of 3944	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 3944	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 3944	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 2968	856	cmd.exe	Client.exe
PID 856 wrote to memory of 2968	856	cmd.exe	Client.exe
PID 856 wrote to memory of 2968	856	cmd.exe	Client.exe
PID 2968 wrote to memory of 1988	2968	Client.exe	schtasks.exe
PID 2968 wrote to memory of 1988	2968	Client.exe	schtasks.exe
PID 2968 wrote to memory of 1988	2968	Client.exe	schtasks.exe
PID 2968 wrote to memory of 2612	2968	Client.exe	cmd.exe
PID 2968 wrote to memory of 2612	2968	Client.exe	cmd.exe
PID 2968 wrote to memory of 2612	2968	Client.exe	cmd.exe
PID 2612 wrote to memory of 4116	2612	cmd.exe	chcp.com
PID 2612 wrote to memory of 4116	2612	cmd.exe	chcp.com
PID 2612 wrote to memory of 4116	2612	cmd.exe	chcp.com
PID 2612 wrote to memory of 524	2612	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2796

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VNnZrSwaBGQq.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2104

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2752

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyM8gNhIB3tq.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1948

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1588

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UBMcr3IGkqSk.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4336

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3944

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gl6RtEtfEpEq.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4116

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:524

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3224

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiDFqnE7PwKq.bat" "
11⤵
PID:2500

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1904

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2756

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D9mhecAfV1J.bat" "
13⤵
PID:1596

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:5040

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1752

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1368

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hi5JZU0Ev4hl.bat" "
15⤵
PID:4568

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:3328

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:4408

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ND1pRLPHAdOE.bat" "
17⤵
PID:1900

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:2936

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4924

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4596

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:4028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w8FIs2gBnWpJ.bat" "
19⤵
PID:4044

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2832

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:3016

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gw0PWuuD4CjH.bat" "
21⤵
PID:3760

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4544

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4492

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GHDKQVEnQqu4.bat" "
23⤵
PID:4008

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4328

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2588

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d6mAr7c9DJVw.bat" "
25⤵
PID:3688

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2936

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:3124

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ttiYiEgryAh0.bat" "
27⤵
PID:4420

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:4560

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4104

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\67lbvwnjcAMa.bat" "
29⤵
PID:264

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:3024

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3612

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aW2WnhIE2ICr.bat" "
31⤵
PID:4492

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:5008

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 2212
31⤵
- Program crash
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1096
29⤵
- Program crash
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 1092
27⤵
- Program crash
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1684
25⤵
- Program crash
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 2232
23⤵
- Program crash
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 2248
21⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1092
19⤵
- Program crash
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 2248
17⤵
- Program crash
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 2252
15⤵
- Program crash
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1092
13⤵
- Program crash
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 2200
11⤵
- Program crash
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 2196
9⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 1088
7⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1652
5⤵
- Program crash
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 1608
3⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5108 -ip 5108
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 992 -ip 992
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1700 -ip 1700
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2968 -ip 2968
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3224 -ip 3224
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2384 -ip 2384
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1368 -ip 1368
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1392 -ip 1392
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4596 -ip 4596
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4064 -ip 4064
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 824 -ip 824
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4368 -ip 4368
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2356 -ip 2356
1⤵
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1460 -ip 1460
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3628 -ip 3628
1⤵
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1D9mhecAfV1J.bat
Filesize
207B

MD5
c694bad378b87890016ca860837dbc94

SHA1
d3bb4e95836947f91687619d606e43ea234e5f09

SHA256
a702c46dae03b4e377291cec536681186f66616473e7656bad2421d9d363e9b5

SHA512
65a40ca876b11b07aa38623f8598876255e6e3c5e11af7756d6fea29b5e76b16464975fd3d6aca428d020c4ea5b597e0a6742631704e2e88dd0fe292e0f54258

Download Submit
C:\Users\Admin\AppData\Local\Temp\67lbvwnjcAMa.bat
Filesize
207B

MD5
47d6020feef3c3d2e9a6edd192373fe0

SHA1
d66274f1c5e5579c27b1d0fc1bfd4a4c3a203350

SHA256
d29d5a79ce0906852691006d68962d6c63db948ae9917f665d3727a68c5b312e

SHA512
e6c4e0e8a1943c2f321fbbca5f106da403d05bb3c2d0e011d82610d2a1e74c345056fce1f7fe4f1af959c83cc9e673198e617778578c026bcc03338f1202496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GHDKQVEnQqu4.bat
Filesize
207B

MD5
0593faa39e89952bd8c74cde7eee724f

SHA1
73e8e87138f5c94e1d93bde0c148167d3de42703

SHA256
4941402fdba975cf62907076f94f34157d48351f0e81f9c350ce231b00afac75

SHA512
e1e3b06d4e5c2627683499533ee314515bf20fbdb24844dc98eee6596c009a293a7b96d2282035cff25ab83d28d4a74caf5716f1e42e43248ce42d07d77eb51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gl6RtEtfEpEq.bat
Filesize
207B

MD5
8f0d905b348d8d9238d1978cfcb58404

SHA1
91d9d03a9b5e48a03c240543a3c6728b4c07fc05

SHA256
97a03b99a161ddeba7b54bc054d802a8b76de4e6c4b95f20261b0ae2b6ebdb85

SHA512
92d9069bcc47c954b7b08dc2fb6c49c95fee2b8e8e9b980eaebfcf74f6b0c4673b4d342d40f7453021b2bba00c448b7e0d22642965769d8c252b5e081e4b0a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gw0PWuuD4CjH.bat
Filesize
207B

MD5
c773cbe6fcdc5ca489fa93441adebcc2

SHA1
e48793ca2e3af6ed0dae1ad218c4573b1171d41f

SHA256
ffcbdf675497e2af052e607d399784e38eb6c44898cea789900e668e8913a622

SHA512
25e9ca1ce5a18efeee7e6f91df61438a3576803e516411e1f69b19f44ada0dfa0b29ca90ab233e6c42f53a6514a0e4f192f66f4e9671af42d8fdd00ebb57b508

Download Submit
C:\Users\Admin\AppData\Local\Temp\KyM8gNhIB3tq.bat
Filesize
207B

MD5
5c1876b15a610acc45fd8fe1ca3f83ba

SHA1
6fa5bd40b43d61185e53990db266a6b4119187bb

SHA256
9371218023c47b44d9133bf4d1b6610bf74d2d954192fb94cf708d848badb838

SHA512
bbbce39d79940f5af5b2cb5eda4de967f226fae06d9923563a46142cc749ef46ff3f02e7ed9ce75bf110e9679322c9a1719b1c18e90aa84e735192333ec11313

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiDFqnE7PwKq.bat
Filesize
207B

MD5
9599ba271893f7b29a38a7fe7e4f7bf6

SHA1
cbe7cb3f804e8a9fe933a1f273324570b842884e

SHA256
f08508cfa462cf6e33f391cca9e54112dbd50ec3279459a611a8bc6bbe7cca73

SHA512
116f97578303a59ebf8b5833f2e1b6982e30d61ba19bea3d540c965fcd390eee0e92855832d136263f098f3f86c8ddd15016e6dcd79183e8645b4950a0b2065c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ND1pRLPHAdOE.bat
Filesize
207B

MD5
bacee5f585327f7597e9c0c679f96163

SHA1
ad228fafedcbce8204b89f53863ba147ff646dab

SHA256
26631a38ba0e15b61c4fde4027a5785279c04d209897d5e58cf41887d6509bbc

SHA512
898abb304790ebe3ba02b1f6a81e9f2ee0ddbff215473c96a91cca0cfa074b676e6dbe2571bbd9ffc140ec4b7fc45dbd0d0146ee1f021f371f4c88504830bbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UBMcr3IGkqSk.bat
Filesize
207B

MD5
57403dd27afbc22a43f75d1d3f995272

SHA1
0333a2e9bcec329240d8ab461732688e49dcc327

SHA256
a6ba2ef4d4abe75f401c171c94bcc38ebff87294a1904288a9d81258c0677689

SHA512
87d3c205e56861fb470505c0f7959379fb2c21d00089c445950d49816e4446b19ca95b2da8dce7caf460364aa04ebff55dd8bb6935b0c93f053508e174136ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VNnZrSwaBGQq.bat
Filesize
207B

MD5
b542c9076b36bbf2719da4691c1d08ad

SHA1
5ed03ea989a294aea36a8b7f0373e7ccf70299cb

SHA256
b70425888fac027a3c77637e68aae36a407698c18de18931482fde1716b269a6

SHA512
7c91b22368852f1208d6e63dfa4cbdbe96e0217ad46c79585839bdbaec92e4d79310551e01783bc2ecf379222bf7ad8d8757068ff761f5e5cda8dbf8fae12213

Download Submit
C:\Users\Admin\AppData\Local\Temp\aW2WnhIE2ICr.bat
Filesize
207B

MD5
6814b979ad5aaf54947b4f962709e7cd

SHA1
80da3282906e902ee7287d9cb50f52a2693d57e7

SHA256
198f8583cdd14132482ad7f2614e2b8e7785b0420bab7f5841ea3dbeab7739b6

SHA512
55ffd5a2d43f7f451e8a88d8cb73e9a037a3f1eedb56b6def5f61620413bdfff268972f371d4776f1935cb2f68774a469f7166be0351630603e8c9eecf1678e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6mAr7c9DJVw.bat
Filesize
207B

MD5
c439691af33e13a83a9e447d72f28899

SHA1
b956915c746938274eb0a12d24cf4b9af9be9d31

SHA256
57af5060ece6264951ad972db6750ca13525558e65018368297229517198b80f

SHA512
48d2a031ad02c3e067350403b15172ab5e4cad8653a3710a0b2535952e6d21d4655fb178c1df17a5280bdd5c6021e684bc75a6c6612944eb35f3f521343826a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hi5JZU0Ev4hl.bat
Filesize
207B

MD5
9be405b0a0cfed3212b75f9930abe542

SHA1
90d13ecd369dbf3a5a883b87604c5aab1239f543

SHA256
030658135bf3b3e678378cbc9b029f63603eeee6cd69055c241a1a8345bd91db

SHA512
543bc0a751aa020333117209ccb5b46d2d630622a1c286baed659c5603efeb4e96dc996e83c465cb229ba66273830191eb5fc22e71b4407ce6974c9058600c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttiYiEgryAh0.bat
Filesize
207B

MD5
91eed5fbc28485ba8b1afa34e4a863c5

SHA1
1e53cb698aa5c5f096e05d19755d35af13bc39fd

SHA256
67f6ea5ad1f0a3d65288d9d98c6fb921bb1e6668e7fe469c98e0a5a0339a0722

SHA512
8418aaddad8dda97b64ffb0a7d44e5fcc2d5d916e84b79ff4950dfa0ffa2702742214ce64bf832d9e1a25260549977e9026d418413f43c17a1e29a4fe1e392f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\w8FIs2gBnWpJ.bat
Filesize
207B

MD5
bfcde9831a639cf94850856b94da945c

SHA1
af6ec0aa09b60fdf3f79ce9b50830f1293b68ac7

SHA256
932dcdc4060977d3bb5569258ac98045036fb87cea66bed811247e712312f468

SHA512
43f38be28a5c3db25be4f59762779d5a4b85c1098b7d02f8af3c0776650d911b1437a60a0a265378f856cae7ef228cee91e80ea797e0a0a1c27729936d1a6e5d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
e288cb14428cb243494b44db0f9a556f

SHA1
1274d9e2941a7560c92318f5bdde4abcec65a32d

SHA256
702c93e9ccc2d032c5c6c3161f58cd55000625e45886dd1d3bb93e1ba207f421

SHA512
a3d30f5ac48d938dcfacdca442615a93d40dc82a69b2755f541396290ad9ca687c695c74527157ca2da5477ea943d0b1fb0981fb581ba42bd922163db871fe87

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
f99fa902650c3a1130f387af4fcf495f

SHA1
0faac45773192b99ad62cacf31346a3b622a0a47

SHA256
e0cb9fe2a41abd8116ed3561bd122355f1992940e90f44f1a5efe2c170f5b613

SHA512
6c61329531e8de8cf54323a81783118873cf280e659e1a9ec07637f05e19d926299a1d98a7e229eaffb409599e3ca40ace47aba56a64cc0e7242bdaffc6ceb32

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
05e137434936097742c47f68ce0c32e2

SHA1
b054b86124f0195f344fdbe4fb7c4b0551ddaf67

SHA256
a5e693850b4ea8053b3fbef2c6b1708f6ed571834c8af0eb8a6fd05cf962d955

SHA512
a3ddc0ebe7b8fe5beb9421ac02dc10e60eafb2bf0ef0487a2a1990a943d5e9d97034cc9222389ae0712d2883856099cadd9dddf752afba7c76a1c3d68d4d8236

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
7c8768539c3e4417810de9f852f03828

SHA1
906e0f42a77786d40ccb7376351b1dcce95902e1

SHA256
1821506b22e019e592049741d86b9f05508601d44b2cf2bb38d67683a6e58eb3

SHA512
269f6010e123597604efcdb9f29e5ab0ff594a23345dc7a46c120ad6e441208a6f2513c5d71b1ef900fd5e5a7da46c8a2bc7c7f3efce8e6fa4c1f33baef00666

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
74b84a028795b296644c7f1568133e8f

SHA1
9c2af89c3aa5d6489eb6e52770d5f27fde149522

SHA256
d315f193c5694e7eca05df5898c4f64d20e2682ac9f6067de19f4a18025ead02

SHA512
0d325c075f202127003bef728c356a543813875e841c972dd31a703c274e1f1e994b11c9ff15bd0d5d8d6ddf71e94bd318614e3ee6d22ecab7d158ffa3ebf222

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c4b634fd977a9249e532178c1049c1e4

SHA1
ca36ad616b6063336a9983fb6d8282d042104184

SHA256
072ad27aa7b3fb66bc554324e0ac0aacc7012cf9febc52c3975628fc53400fe8

SHA512
901b4a221b76581984e1787dc1e2cf306a7ff9e3f20460b29b7ec82b1c32f24b96b8b476dc83d93faa3236c0fb361c5ef75d0c07b71faf323d4dd6f9fbea62c3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/2296-4-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2296-3-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/2296-1-0x0000000000E30000-0x0000000000E9C000-memory.dmp

Filesize
432KB

Download
memory/2296-2-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/2296-0-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/2296-8-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2296-7-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/2296-16-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/2296-6-0x0000000005DC0000-0x0000000005DD2000-memory.dmp

Filesize
72KB

Download
memory/2296-5-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/5108-19-0x00000000063A0000-0x00000000063AA000-memory.dmp

Filesize
40KB

Download
memory/5108-24-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/5108-17-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/5108-15-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download