quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
298s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (15) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral32/memory/3656-1-0x0000000000940000-0x00000000009AC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1504	Client.exe
2768	Client.exe
532	Client.exe
404	Client.exe
1796	Client.exe
4916	Client.exe
2260	Client.exe
2612	Client.exe
3164	Client.exe
3704	Client.exe
632	Client.exe
4824	Client.exe
4264	Client.exe
4324	Client.exe
2448	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\""	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
13	ip-api.com
18	ip-api.com
37	ip-api.com
2	ip-api.com
30	ip-api.com
23	ip-api.com
25	ip-api.com
28	ip-api.com
33	ip-api.com
16	ip-api.com
20	ip-api.com
8	api.ipify.org
35	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4892	1504	WerFault.exe	Client.exe
1128	2768	WerFault.exe	Client.exe
3424	532	WerFault.exe	Client.exe
1712	404	WerFault.exe	Client.exe
872	1796	WerFault.exe	Client.exe
3344	4916	WerFault.exe	Client.exe
3048	2260	WerFault.exe	Client.exe
536	2612	WerFault.exe	Client.exe
3440	3164	WerFault.exe	Client.exe
1892	3704	WerFault.exe	Client.exe
3180	632	WerFault.exe	Client.exe
4300	4824	WerFault.exe	Client.exe
1624	4264	WerFault.exe	Client.exe
3812	4324	WerFault.exe	Client.exe
2236	2448	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2648	schtasks.exe
2692	schtasks.exe
4752	schtasks.exe
976	schtasks.exe
4272	schtasks.exe
1904	schtasks.exe
4720	schtasks.exe
2648	schtasks.exe
3540	schtasks.exe
2012	schtasks.exe
2124	schtasks.exe
996	SCHTASKS.exe
3504	schtasks.exe
1392	schtasks.exe
1092	schtasks.exe
3540	schtasks.exe
1320	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2708	PING.EXE
2628	PING.EXE
3416	PING.EXE
2312	PING.EXE
804	PING.EXE
3256	PING.EXE
456	PING.EXE
2540	PING.EXE
5076	PING.EXE
408	PING.EXE
2932	PING.EXE
1616	PING.EXE
5004	PING.EXE
3152	PING.EXE
2444	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (15) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3656	Uni - Copy (15) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	1504	Client.exe
Token: SeDebugPrivilege	2768	Client.exe
Token: SeDebugPrivilege	532	Client.exe
Token: SeDebugPrivilege	404	Client.exe
Token: SeDebugPrivilege	1796	Client.exe
Token: SeDebugPrivilege	4916	Client.exe
Token: SeDebugPrivilege	2260	Client.exe
Token: SeDebugPrivilege	2612	Client.exe
Token: SeDebugPrivilege	3164	Client.exe
Token: SeDebugPrivilege	3704	Client.exe
Token: SeDebugPrivilege	632	Client.exe
Token: SeDebugPrivilege	4824	Client.exe
Token: SeDebugPrivilege	4264	Client.exe
Token: SeDebugPrivilege	4324	Client.exe
Token: SeDebugPrivilege	2448	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1504	Client.exe
2768	Client.exe
532	Client.exe
404	Client.exe
1796	Client.exe
4916	Client.exe
2260	Client.exe
2612	Client.exe
3164	Client.exe
3704	Client.exe
632	Client.exe
4824	Client.exe
4264	Client.exe
4324	Client.exe
2448	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (15) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 3656 wrote to memory of 1320	3656	Uni - Copy (15) - Copy - Copy - Copy.exe	schtasks.exe
PID 3656 wrote to memory of 1320	3656	Uni - Copy (15) - Copy - Copy - Copy.exe	schtasks.exe
PID 3656 wrote to memory of 1320	3656	Uni - Copy (15) - Copy - Copy - Copy.exe	schtasks.exe
PID 3656 wrote to memory of 1504	3656	Uni - Copy (15) - Copy - Copy - Copy.exe	Client.exe
PID 3656 wrote to memory of 1504	3656	Uni - Copy (15) - Copy - Copy - Copy.exe	Client.exe
PID 3656 wrote to memory of 1504	3656	Uni - Copy (15) - Copy - Copy - Copy.exe	Client.exe
PID 3656 wrote to memory of 996	3656	Uni - Copy (15) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3656 wrote to memory of 996	3656	Uni - Copy (15) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 3656 wrote to memory of 996	3656	Uni - Copy (15) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1504 wrote to memory of 2012	1504	Client.exe	schtasks.exe
PID 1504 wrote to memory of 2012	1504	Client.exe	schtasks.exe
PID 1504 wrote to memory of 2012	1504	Client.exe	schtasks.exe
PID 1504 wrote to memory of 1604	1504	Client.exe	cmd.exe
PID 1504 wrote to memory of 1604	1504	Client.exe	cmd.exe
PID 1504 wrote to memory of 1604	1504	Client.exe	cmd.exe
PID 1604 wrote to memory of 4420	1604	cmd.exe	chcp.com
PID 1604 wrote to memory of 4420	1604	cmd.exe	chcp.com
PID 1604 wrote to memory of 4420	1604	cmd.exe	chcp.com
PID 1604 wrote to memory of 2312	1604	cmd.exe	PING.EXE
PID 1604 wrote to memory of 2312	1604	cmd.exe	PING.EXE
PID 1604 wrote to memory of 2312	1604	cmd.exe	PING.EXE
PID 1604 wrote to memory of 2768	1604	cmd.exe	Client.exe
PID 1604 wrote to memory of 2768	1604	cmd.exe	Client.exe
PID 1604 wrote to memory of 2768	1604	cmd.exe	Client.exe
PID 2768 wrote to memory of 1904	2768	Client.exe	schtasks.exe
PID 2768 wrote to memory of 1904	2768	Client.exe	schtasks.exe
PID 2768 wrote to memory of 1904	2768	Client.exe	schtasks.exe
PID 2768 wrote to memory of 3916	2768	Client.exe	cmd.exe
PID 2768 wrote to memory of 3916	2768	Client.exe	cmd.exe
PID 2768 wrote to memory of 3916	2768	Client.exe	cmd.exe
PID 3916 wrote to memory of 428	3916	cmd.exe	chcp.com
PID 3916 wrote to memory of 428	3916	cmd.exe	chcp.com
PID 3916 wrote to memory of 428	3916	cmd.exe	chcp.com
PID 3916 wrote to memory of 408	3916	cmd.exe	PING.EXE
PID 3916 wrote to memory of 408	3916	cmd.exe	PING.EXE
PID 3916 wrote to memory of 408	3916	cmd.exe	PING.EXE
PID 3916 wrote to memory of 532	3916	cmd.exe	Client.exe
PID 3916 wrote to memory of 532	3916	cmd.exe	Client.exe
PID 3916 wrote to memory of 532	3916	cmd.exe	Client.exe
PID 532 wrote to memory of 3504	532	Client.exe	schtasks.exe
PID 532 wrote to memory of 3504	532	Client.exe	schtasks.exe
PID 532 wrote to memory of 3504	532	Client.exe	schtasks.exe
PID 532 wrote to memory of 4604	532	Client.exe	cmd.exe
PID 532 wrote to memory of 4604	532	Client.exe	cmd.exe
PID 532 wrote to memory of 4604	532	Client.exe	cmd.exe
PID 4604 wrote to memory of 5012	4604	cmd.exe	chcp.com
PID 4604 wrote to memory of 5012	4604	cmd.exe	chcp.com
PID 4604 wrote to memory of 5012	4604	cmd.exe	chcp.com
PID 4604 wrote to memory of 804	4604	cmd.exe	PING.EXE
PID 4604 wrote to memory of 804	4604	cmd.exe	PING.EXE
PID 4604 wrote to memory of 804	4604	cmd.exe	PING.EXE
PID 4604 wrote to memory of 404	4604	cmd.exe	Client.exe
PID 4604 wrote to memory of 404	4604	cmd.exe	Client.exe
PID 4604 wrote to memory of 404	4604	cmd.exe	Client.exe
PID 404 wrote to memory of 1392	404	Client.exe	schtasks.exe
PID 404 wrote to memory of 1392	404	Client.exe	schtasks.exe
PID 404 wrote to memory of 1392	404	Client.exe	schtasks.exe
PID 404 wrote to memory of 2796	404	Client.exe	cmd.exe
PID 404 wrote to memory of 2796	404	Client.exe	cmd.exe
PID 404 wrote to memory of 2796	404	Client.exe	cmd.exe
PID 2796 wrote to memory of 4356	2796	cmd.exe	chcp.com
PID 2796 wrote to memory of 4356	2796	cmd.exe	chcp.com
PID 2796 wrote to memory of 4356	2796	cmd.exe	chcp.com
PID 2796 wrote to memory of 1616	2796	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1320

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uTyc8K8de1O5.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4420

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:2312

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vu734we2OULJ.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:428

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:408

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sDm9Ej8YnikQ.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:5012

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:804

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dnXyHtjxHhWV.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:4356

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1616

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F2LzfLWuaBMI.bat" "
11⤵
PID:212

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:5096

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3256

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\03F468gM2VdZ.bat" "
13⤵
PID:4724

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:1436

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2932

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dXMsBEv6mGc8.bat" "
15⤵
PID:2024

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:2904

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:5004

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qlPvNw1yQGGi.bat" "
17⤵
PID:4604

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:4300

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:456

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgeOoeIs3Ain.bat" "
19⤵
PID:2120

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:1796

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2540

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kY81LisfkiHK.bat" "
21⤵
PID:4800

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:1036

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:3152

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:632

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rT3zhSJPj2hV.bat" "
23⤵
PID:1920

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:4400

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:5076

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqhQzjVH7Y9x.bat" "
25⤵
PID:3756

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:1696

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:2708

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C10dIot3pDw1.bat" "
27⤵
PID:3176

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:4116

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2628

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cLjJUctTJdQn.bat" "
29⤵
PID:3996

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:3220

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3416

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2448

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OQMtocPgCrMe.bat" "
31⤵
PID:1892

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:3704

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 1668
31⤵
- Program crash
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1092
29⤵
- Program crash
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 2236
27⤵
- Program crash
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 2224
25⤵
- Program crash
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 1696
23⤵
- Program crash
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1708
21⤵
- Program crash
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 2224
19⤵
- Program crash
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 2224
17⤵
- Program crash
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1724
15⤵
- Program crash
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 932
13⤵
- Program crash
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 2196
11⤵
- Program crash
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 2176
9⤵
- Program crash
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 1660
7⤵
- Program crash
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 2200
5⤵
- Program crash
PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1084
3⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1504 -ip 1504
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2768 -ip 2768
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 532 -ip 532
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 404 -ip 404
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1796 -ip 1796
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4916 -ip 4916
1⤵
PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2260 -ip 2260
1⤵
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2612 -ip 2612
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3164 -ip 3164
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3704 -ip 3704
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 632 -ip 632
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4824 -ip 4824
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4264 -ip 4264
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4324 -ip 4324
1⤵
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2448 -ip 2448
1⤵
PID:5020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\03F468gM2VdZ.bat
Filesize
207B

MD5
cec81c3157400fe26761e69a7bec0e8b

SHA1
a55ad907c965764598c467d334b3482126fcabdf

SHA256
85d65492b7995a200cbe8e3e500b8204b47bed9638f1bf22eddd5c40f3729fb9

SHA512
fb81a137e610913c9b17149d0c5f6a912dbd280c6e772abf8497c8dedb17f2b23d912bcabd37b00dacef9aa4194364924ccbbe1ec58bd750ca251cb9e1413149

Download Submit
C:\Users\Admin\AppData\Local\Temp\C10dIot3pDw1.bat
Filesize
207B

MD5
9e24168f92cd55f52fc5edcec4fd311b

SHA1
3fff04fa7a45e090bb0f2bfa68ff8c01bcb81087

SHA256
11d3d3d947b0065b968c82beef13acc348939fd404291b7832681fd93f435a47

SHA512
a0ba50d9228d7399c7e9218599c71a9567b677dc96352b1e51ca54bdcb9ba7e492dcc52a3937e4249399ab0ffbea41f4e2d0e89e53b1a522efc63154c1eb2490

Download Submit
C:\Users\Admin\AppData\Local\Temp\EqhQzjVH7Y9x.bat
Filesize
207B

MD5
4c7842ee8ef5732238037ce417981b51

SHA1
9f58a0ca2522eca46e049e721f697b25b8a37766

SHA256
6ab0b88ea7f2c0c17e2a932e531ffc86c41ac8300965190631ae441acf0d63f8

SHA512
bb508cc9a0601fddac257847ef7f9958ebf02f8246e6217833b72c0161665a6beae3d5d2cfd76daa8c1ef7202148e868135119405df249144ff8c1b340d41c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2LzfLWuaBMI.bat
Filesize
207B

MD5
6329db82b2578af13dbadc9f949093c9

SHA1
feda314bb39e5a9e3a5deb452c292f3a41388632

SHA256
12b3757f4ce4b8d04cd836b7c9f1d4730b8c58bdbe517453ab597ae564535681

SHA512
ba8e2b2e2b24cffc06dbc4a211b115e4e66642bbfe0de46477d636495ce8e1de5334096c8c82db53a062fcf3bc260f83cc9c1f0a25733deef9f1384c0ab55ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQMtocPgCrMe.bat
Filesize
207B

MD5
b4014a81569222bed93735146abf98b9

SHA1
d7a9357101da51c4dda0ed67874e1999c5bc5210

SHA256
bde81f68c6f40cad65f162b42f739e67c1140f2288a3493877889c3dea445cbf

SHA512
1946bf609639b6256c318e91419b42184d00ed7c62ffc9c7c9a4f17c207f2614b6b0dfc1663b7d115b86d4b148498df2e3c743fbad21855c03fdc44a68574ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PgeOoeIs3Ain.bat
Filesize
207B

MD5
9c0832090df812dc9ec1701d434d5a2e

SHA1
2b05d379aad7f76a596364df5555772b9de55535

SHA256
ffaecf4f54c001fab517e4b4e84978d64d544b9dace251866066ab70027ab4c9

SHA512
c8bdbfc4aacaa44dd2c91d9c32f884a162bf23d7f2f37df78736225dc8b77a3edb6b25a3bcd472013b2e6eba1da3717aa9df3b9b048ef060f0f5c1e45fb097ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vu734we2OULJ.bat
Filesize
207B

MD5
35f55b2fde4a22bb9b9885b27606cccf

SHA1
8fe9e796d1116fd3f227a29f1a8d796e730e26ec

SHA256
01a7aea4af0e4b3cedd093ea4d8403bd02b8ee88455e7d9edbee15b8fd262bc7

SHA512
3d9fa5eb9f967cc002a8a235274d2a4448b1a0353a579226ddb580ac71c5ed74ef8a4324df7efc397ab455e12265b1c342edd697ee62d4bb70cfa814e67b55a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLjJUctTJdQn.bat
Filesize
207B

MD5
4ea63391c833e766d6b3e218d0b37ff4

SHA1
96169943dd982a7e571972ed4ce41858b9922b58

SHA256
00ffef590e52badd6e36f741eb8ec4ae574ea40aebbcafd5556633df89ed8530

SHA512
4adefaa7324594d93c5b4429e10b4ec22ded7d8f84183d10ab63ea30cbc6b8a6a76e2c5d56855abf96dac8e01900d4b679a0b781cd70b07d47954abf1a714a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXMsBEv6mGc8.bat
Filesize
207B

MD5
fd96643471b88b85a1262db0877bd254

SHA1
0a1f472d5aa7b808850bb7e1873b0929df8d9fc6

SHA256
6810a71ef0c0db7436570db1d84e29afac2e1cca4a1a98eef473b987f390312f

SHA512
2170fbdba956ff14bf2b59fe8cd0fe06d270f32f88749149bc9846870a50efb22fbe9078b3e6633f38d3ab99419d4e27b1211db8aaa89633788723fbaa5c87bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnXyHtjxHhWV.bat
Filesize
207B

MD5
9bbfe2bfa61841fefb8cf7870bfae6ec

SHA1
1446296d58018348c039275a1ebc3724dd2155e3

SHA256
b7ee3ff1d4d05458f664ebfa019c80cef85c5073e2cd1c5ce9ab4f2fd00324c5

SHA512
6eef082c66b5a7cea8158525618a1ee8afb6451ab93ef7266e15a07c9a6888a0afdfbf1ee7120a3c5169da6f63b9d54c7ff5bc3af590095cdcbbced3a3967a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\kY81LisfkiHK.bat
Filesize
207B

MD5
0a7994c019f79cb3f99e94bd35257fdd

SHA1
59ca92d6026c5596290eeb5e4c7d389da751d603

SHA256
8c03a8fcb41612a38668af4854612a0348a884d5c29822ea66147cf6a190d213

SHA512
92e11b65dbd85cbf7b5c6cae4a543e81c21e5ab0bb6c18416b6a80f146bf1c7a465226662acafafa33ee1735ae64945123f97b46287888c4921da9189f32bbaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qlPvNw1yQGGi.bat
Filesize
207B

MD5
37b70b997ab152ce2423dceee19b930f

SHA1
583ea1ab3f30ae90b71720ba8a63708afb7fe07b

SHA256
0984af9a771d544787c8799b74b78c5594cd01fe304a26c186e18323eee5c4cb

SHA512
83858ab66f0f6ab0946674091bc8960ef4c86034a708b59441173179f748f7dc4576cbd43ade868050b96106e0fcf69a402bb72c8b3b4c3db72ffc5179ac702c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rT3zhSJPj2hV.bat
Filesize
207B

MD5
0d5b0833b36922b58e462359c6663232

SHA1
a67c17fc82d38706ed5526e346d198db7901a410

SHA256
e6b328f8897261ff408301cda70c956293921016e71b60babc17014cf6e5c1e6

SHA512
d5ec896c0c2d5de1b0ebaf2d3e38661beac17dc234d9e4e2d5d89473fd646b6c41ad8700131e6c0a7a00b085550f1b85ce8fbc4c3f592f590a4ee76ad5ff400d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sDm9Ej8YnikQ.bat
Filesize
207B

MD5
66267290cb422a26a33bc42008b3762b

SHA1
4f0d51b174373c57717545771084a420182e1f10

SHA256
867c933fbde947498b58d7dafa15f3e4fd2f8e00235966d9753686b6200d0f8a

SHA512
107df198de641043f4c1ea173199ea6cf254b6de5edf9173656a442ad07608f782217945c78e5788d16fb72afa29897f94204caf725affe4ba1872ff784df147

Download Submit
C:\Users\Admin\AppData\Local\Temp\uTyc8K8de1O5.bat
Filesize
207B

MD5
dc4ca94fa542b97280dace221b2811f0

SHA1
fba67e2b9d8c8a9e5cbb91163c53a6e3f4434c10

SHA256
5de21686bf88c8c6a4159aa37a025196e693e8a640287419830ba647ea4f5027

SHA512
750dafcfc077d1e7ac437c0a9012f709862197330c2571b073ee7805823da137c85c33a1b8cb7ef48f4a759cdebb42b7128bbf530d080946a0ec040dadca4000

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
7cda1a4132f1b9a1444d03ed038b65f4

SHA1
d7cb6f28ec41a7fc7c8c5c8b51c8ad5301a8d1cb

SHA256
6b03048c9069917cca07f8d7a257feda63143cd772cbbfcf6a547c82c7ba7b1d

SHA512
e40156e0877cfcae3ff24cbb67dbc02bdf90e340855101908dfcdaa8360d854419843f80266c38494d95978321bb501fab5580da324f6e010177939246c4d595

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
4bc719dcc4eb9a33bb779a4c033fee8d

SHA1
9237db80354955e57a970f7728ab50efd6f52db6

SHA256
7a6924eb9d51b42ea5e995107566d5389ccbdc9d7c601089bd23cd37cbc2d8db

SHA512
0adea360a984c2680d3d623fee59c1ba3a0c4296e346c329fc0e6b98368d704ce06ca05775cf9e359fe4230a8c836982b61a6aba1c943de79944bc530256dc02

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
bcb647e23984480e51d33ecb60d48760

SHA1
cc1fcfd5c3a1a00f53f309ae518f179ff13cba43

SHA256
e150190541f637f1a9e2b208a8c027752780d78205343ab353da65d14c172686

SHA512
268c7ce40549feea17187044bc837d317db8c20770b7ba81fbc93d04dda686782cb7339acc4063d7eb4bc6b4a1d34abc5ed9b0fe9600cb3db85ec7be208ab893

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
04c501c10f6b5c0e6fe012511facfb64

SHA1
01a42980c7bba3abc916ce7fec0842f298b00104

SHA256
082ae9fc6a4f70c83ac3784aba5319684abfa4bb20783c5b6592be97e421c570

SHA512
1b8bd87a2e6770b14cd6f58d4381311b79979ebb26f8af1cdcb55f634154726bf1b7c4cec39e8c5e631f7b18a80590d2f434b9671437d476c5687278789cdf96

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
4b60bef05702790d6f3e7184c198eebb

SHA1
2d4c2b53b3b5d611953bdfc2e34d947987dc257f

SHA256
096ee60fb83b14b934ec270baf4080bb1b51d597a051b30206349dc5dfc19962

SHA512
c18c0fbf85bf31af9512e98b41d287b8f2da9c2c1558c73ce7f1a9915737bc2966d962ef2ef6f2edfcfb2f153a6db50e311bce2de9716718f69dcc38694a629b

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1504-17-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/1504-19-0x00000000067D0000-0x00000000067DA000-memory.dmp

Filesize
40KB

Download
memory/1504-24-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/1504-15-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/3656-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/3656-8-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/3656-7-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/3656-16-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/3656-6-0x00000000060C0000-0x00000000060D2000-memory.dmp

Filesize
72KB

Download
memory/3656-5-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/3656-4-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/3656-3-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/3656-2-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/3656-1-0x0000000000940000-0x00000000009AC000-memory.dmp

Filesize
432KB

Download