quasar | 956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4

Analysis

max time kernel
296s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (11) - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral8/memory/756-1-0x0000000000420000-0x000000000048C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2880	Client.exe
552	Client.exe
3700	Client.exe
1672	Client.exe
5104	Client.exe
5032	Client.exe
3040	Client.exe
3628	Client.exe
1544	Client.exe
4412	Client.exe
3948	Client.exe
2224	Client.exe
1052	Client.exe
412	Client.exe
1324	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
15	ip-api.com
19	ip-api.com
21	ip-api.com
25	ip-api.com
29	ip-api.com
2	ip-api.com
23	ip-api.com
33	ip-api.com
31	ip-api.com
8	api.ipify.org
13	ip-api.com
17	ip-api.com
27	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4216	2880	WerFault.exe	Client.exe
1824	552	WerFault.exe	Client.exe
4408	3700	WerFault.exe	Client.exe
3788	1672	WerFault.exe	Client.exe
2956	5104	WerFault.exe	Client.exe
1324	5032	WerFault.exe	Client.exe
2984	3040	WerFault.exe	Client.exe
876	3628	WerFault.exe	Client.exe
3996	1544	WerFault.exe	Client.exe
4396	4412	WerFault.exe	Client.exe
716	3948	WerFault.exe	Client.exe
5036	2224	WerFault.exe	Client.exe
2200	1052	WerFault.exe	Client.exe
3672	412	WerFault.exe	Client.exe
3844	1324	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1504	schtasks.exe
4748	SCHTASKS.exe
3056	schtasks.exe
608	schtasks.exe
3960	schtasks.exe
244	schtasks.exe
5048	schtasks.exe
3728	schtasks.exe
3296	schtasks.exe
4092	schtasks.exe
2036	schtasks.exe
3980	schtasks.exe
3528	schtasks.exe
2816	schtasks.exe
3056	schtasks.exe
2984	schtasks.exe
3656	schtasks.exe

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3872	PING.EXE
2800	PING.EXE
552	PING.EXE
5080	PING.EXE
4848	PING.EXE
4868	PING.EXE
2816	PING.EXE
3596	PING.EXE
4388	PING.EXE
4128	PING.EXE
3008	PING.EXE
3888	PING.EXE
4632	PING.EXE
3684	PING.EXE
3124	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

Uni - Copy (11) - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	756	Uni - Copy (11) - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	2880	Client.exe
Token: SeDebugPrivilege	552	Client.exe
Token: SeDebugPrivilege	3700	Client.exe
Token: SeDebugPrivilege	1672	Client.exe
Token: SeDebugPrivilege	5104	Client.exe
Token: SeDebugPrivilege	5032	Client.exe
Token: SeDebugPrivilege	3040	Client.exe
Token: SeDebugPrivilege	3628	Client.exe
Token: SeDebugPrivilege	1544	Client.exe
Token: SeDebugPrivilege	4412	Client.exe
Token: SeDebugPrivilege	3948	Client.exe
Token: SeDebugPrivilege	2224	Client.exe
Token: SeDebugPrivilege	1052	Client.exe
Token: SeDebugPrivilege	412	Client.exe
Token: SeDebugPrivilege	1324	Client.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2880	Client.exe
552	Client.exe
3700	Client.exe
1672	Client.exe
5104	Client.exe
5032	Client.exe
3040	Client.exe
3628	Client.exe
1544	Client.exe
4412	Client.exe
3948	Client.exe
2224	Client.exe
1052	Client.exe
412	Client.exe
1324	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (11) - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 756 wrote to memory of 1504	756	Uni - Copy (11) - Copy - Copy - Copy.exe	schtasks.exe
PID 756 wrote to memory of 1504	756	Uni - Copy (11) - Copy - Copy - Copy.exe	schtasks.exe
PID 756 wrote to memory of 1504	756	Uni - Copy (11) - Copy - Copy - Copy.exe	schtasks.exe
PID 756 wrote to memory of 2880	756	Uni - Copy (11) - Copy - Copy - Copy.exe	Client.exe
PID 756 wrote to memory of 2880	756	Uni - Copy (11) - Copy - Copy - Copy.exe	Client.exe
PID 756 wrote to memory of 2880	756	Uni - Copy (11) - Copy - Copy - Copy.exe	Client.exe
PID 756 wrote to memory of 4748	756	Uni - Copy (11) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 756 wrote to memory of 4748	756	Uni - Copy (11) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 756 wrote to memory of 4748	756	Uni - Copy (11) - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2880 wrote to memory of 2816	2880	Client.exe	schtasks.exe
PID 2880 wrote to memory of 2816	2880	Client.exe	schtasks.exe
PID 2880 wrote to memory of 2816	2880	Client.exe	schtasks.exe
PID 2880 wrote to memory of 3816	2880	Client.exe	cmd.exe
PID 2880 wrote to memory of 3816	2880	Client.exe	cmd.exe
PID 2880 wrote to memory of 3816	2880	Client.exe	cmd.exe
PID 3816 wrote to memory of 624	3816	cmd.exe	chcp.com
PID 3816 wrote to memory of 624	3816	cmd.exe	chcp.com
PID 3816 wrote to memory of 624	3816	cmd.exe	chcp.com
PID 3816 wrote to memory of 4848	3816	cmd.exe	PING.EXE
PID 3816 wrote to memory of 4848	3816	cmd.exe	PING.EXE
PID 3816 wrote to memory of 4848	3816	cmd.exe	PING.EXE
PID 3816 wrote to memory of 552	3816	cmd.exe	Client.exe
PID 3816 wrote to memory of 552	3816	cmd.exe	Client.exe
PID 3816 wrote to memory of 552	3816	cmd.exe	Client.exe
PID 552 wrote to memory of 3056	552	Client.exe	schtasks.exe
PID 552 wrote to memory of 3056	552	Client.exe	schtasks.exe
PID 552 wrote to memory of 3056	552	Client.exe	schtasks.exe
PID 552 wrote to memory of 1904	552	Client.exe	cmd.exe
PID 552 wrote to memory of 1904	552	Client.exe	cmd.exe
PID 552 wrote to memory of 1904	552	Client.exe	cmd.exe
PID 1904 wrote to memory of 1812	1904	cmd.exe	chcp.com
PID 1904 wrote to memory of 1812	1904	cmd.exe	chcp.com
PID 1904 wrote to memory of 1812	1904	cmd.exe	chcp.com
PID 1904 wrote to memory of 3872	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 3872	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 3872	1904	cmd.exe	PING.EXE
PID 1904 wrote to memory of 3700	1904	cmd.exe	Client.exe
PID 1904 wrote to memory of 3700	1904	cmd.exe	Client.exe
PID 1904 wrote to memory of 3700	1904	cmd.exe	Client.exe
PID 3700 wrote to memory of 2984	3700	Client.exe	schtasks.exe
PID 3700 wrote to memory of 2984	3700	Client.exe	schtasks.exe
PID 3700 wrote to memory of 2984	3700	Client.exe	schtasks.exe
PID 3700 wrote to memory of 1588	3700	Client.exe	cmd.exe
PID 3700 wrote to memory of 1588	3700	Client.exe	cmd.exe
PID 3700 wrote to memory of 1588	3700	Client.exe	cmd.exe
PID 1588 wrote to memory of 1752	1588	cmd.exe	chcp.com
PID 1588 wrote to memory of 1752	1588	cmd.exe	chcp.com
PID 1588 wrote to memory of 1752	1588	cmd.exe	chcp.com
PID 1588 wrote to memory of 4388	1588	cmd.exe	PING.EXE
PID 1588 wrote to memory of 4388	1588	cmd.exe	PING.EXE
PID 1588 wrote to memory of 4388	1588	cmd.exe	PING.EXE
PID 1588 wrote to memory of 1672	1588	cmd.exe	Client.exe
PID 1588 wrote to memory of 1672	1588	cmd.exe	Client.exe
PID 1588 wrote to memory of 1672	1588	cmd.exe	Client.exe
PID 1672 wrote to memory of 3656	1672	Client.exe	schtasks.exe
PID 1672 wrote to memory of 3656	1672	Client.exe	schtasks.exe
PID 1672 wrote to memory of 3656	1672	Client.exe	schtasks.exe
PID 1672 wrote to memory of 1444	1672	Client.exe	cmd.exe
PID 1672 wrote to memory of 1444	1672	Client.exe	cmd.exe
PID 1672 wrote to memory of 1444	1672	Client.exe	cmd.exe
PID 1444 wrote to memory of 1552	1444	cmd.exe	chcp.com
PID 1444 wrote to memory of 1552	1444	cmd.exe	chcp.com
PID 1444 wrote to memory of 1552	1444	cmd.exe	chcp.com
PID 1444 wrote to memory of 4868	1444	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1504

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iHi3NjG3kkQu.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:624

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4848

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PDo2sHZqhyxw.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:1812

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3872

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CrJNneW0bqOc.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1752

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4388

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CTn3jSpV1A1E.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:1552

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4868

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eCpmmCfkb5ZI.bat" "
11⤵
PID:2660

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1340

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2816

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vRgZmfwwltum.bat" "
13⤵
PID:2860

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4260

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4632

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\assalJzEbYwg.bat" "
15⤵
PID:4464

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:4364

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:3684

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9n73C1G8DSNk.bat" "
17⤵
PID:2032

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:992

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4128

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\km52VvtnHFTO.bat" "
19⤵
PID:756

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:1416

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2800

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vnz7wi3Fjakg.bat" "
21⤵
PID:3300

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:4640

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:552

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuYoMa6F1Ls9.bat" "
23⤵
PID:364

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2824

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3008

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3tWnfUju58yn.bat" "
25⤵
PID:4768

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:1808

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:3596

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZnwWJRqUBEiy.bat" "
27⤵
PID:2872

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:4980

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:3124

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:412

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:3528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UPMPx8HQn2wX.bat" "
29⤵
PID:3940

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1612

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:3888

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
31⤵
- Creates scheduled task(s)
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CPRkbBIYkYWu.bat" "
31⤵
PID:3600

C:\Windows\SysWOW64\chcp.com
chcp 65001
32⤵
PID:4512

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 1676
31⤵
- Program crash
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1712
29⤵
- Program crash
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1668
27⤵
- Program crash
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 2224
25⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1092
23⤵
- Program crash
PID:716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1668
21⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1720
19⤵
- Program crash
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 2248
17⤵
- Program crash
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 1092
15⤵
- Program crash
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1712
13⤵
- Program crash
PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 2196
11⤵
- Program crash
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1640
9⤵
- Program crash
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1080
7⤵
- Program crash
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 1088
5⤵
- Program crash
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 1908
3⤵
- Program crash
PID:4216

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2880 -ip 2880
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 552 -ip 552
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3700 -ip 3700
1⤵
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1672 -ip 1672
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5104 -ip 5104
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5032 -ip 5032
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3040 -ip 3040
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3628 -ip 3628
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1544 -ip 1544
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4412 -ip 4412
1⤵
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3948 -ip 3948
1⤵
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2224 -ip 2224
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1052 -ip 1052
1⤵
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 412 -ip 412
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1324 -ip 1324
1⤵
PID:4276

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3tWnfUju58yn.bat
Filesize
207B

MD5
cc77247929bce6f8a72a279267d86466

SHA1
75c98de2f9665053f904a23a5e307d4e9ceb2aef

SHA256
5067a1bf303b310facc626cef2732708f519e58715f8b4ff0208282ff4cf1a60

SHA512
7e459144720e57bfa25971fc20cb2b2b33eaca640dc281f253978242e9036bf3967506a8a96601f3cbac5113e8127fa8ac5d1ff60437e3ccc996be93d36da1c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9n73C1G8DSNk.bat
Filesize
207B

MD5
1d5da11196593cd39a927d22b91e90f2

SHA1
6d13f4a371be346e4bbee367af50f5bf17d56aef

SHA256
c574176f3d2efd02e202e7d982c2b24068e91465ccd21fea8ceb9c5195c70d08

SHA512
0870f223f8ba7587038e1349bd1305197be037b7f65ef72c9d2cae9217f33c2f9a9d4895d24e06bcd9218d69ec89ee250fa76671bf4a05e413582f965a080249

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPRkbBIYkYWu.bat
Filesize
207B

MD5
4fbecd9396cb2c9f8034896873f2baf8

SHA1
2fc93f5f764b3b7bbffaedf97d388eacd5cf12a8

SHA256
d8dfdc5c22ce4f1071dc9ffb79f15874cf0f68ef54a9bb2650dcca6ecfd46c14

SHA512
bd737ee501c5cfd2b629eff47d34ae4505ce89957b8448632520d0c9941297c1cc3fa8490bd7632d76d3611c0b3e8384c0d8853f5da5876730f2a79d2b2842d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CTn3jSpV1A1E.bat
Filesize
207B

MD5
8923da715014849cfd21749dd4f4f4ea

SHA1
2b6630e02ec2841e4750268a1af8162333915f1b

SHA256
171cb8377ca6914ed04140a4b072171ed78e0a4b03274c37f150ab784e949a29

SHA512
15e29138e0b0c249789a6e595ebd5a46ec067a30a90e6498ada2894ce651093b839d01c1c25466b3a9fddfcfa6112be97f03690d57fa19d3fe774d142b64f354

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrJNneW0bqOc.bat
Filesize
207B

MD5
6f9946e350f6358a3867c4cf049d0091

SHA1
f5604143fefd10ab07d4b55a50e465b1130e63af

SHA256
37965aeff527a0ec09fb2f67653edcc5c89696b27a9557cf8dd9e5abfc79f497

SHA512
b46a2bf2b4ef2daaa1dab32fe4443dab93112aefba961e8cb1d4918bc398236e79c89c03865a1610a1a68b6154e5ce3ac6c325224f763f7b8e8771008976a714

Download Submit
C:\Users\Admin\AppData\Local\Temp\PDo2sHZqhyxw.bat
Filesize
207B

MD5
11f3bce5fae64624bee64fdca87de098

SHA1
d15682c4b8845c79c2f49de355fa04d9338a73b0

SHA256
fa36c0f410ffb06fd4635fe725542e1f0fd24a935f1bf25983c7f7022d4c5f94

SHA512
9d26372ba90c444aa88827ba2a9b95b7d9fda13533b6714601547023091b12c11c6b7efcc20dd8a20d729f4805443e2672ca1f8d1b135ad80049983244c96e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\SuYoMa6F1Ls9.bat
Filesize
207B

MD5
ffb480d0a14040790276ab29846d5200

SHA1
cb928b38f21fbaac75d2d4e56be4ed3fdedfb76f

SHA256
8348741fe4e880ef4b4d39e1787c0ad085fbc3d0c18559ec0bb787470c526fce

SHA512
288b81e871e2b833ce4a482f9c3a80f93cbeca2d81ae65e4eacd9c208c8b41c59dcbc1234f1541500263f7ad46b01cd9ee54389ba24f1db1038300e86af86f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPMPx8HQn2wX.bat
Filesize
207B

MD5
750d32fa2b2f6b886e8d3b7d1b1da2ec

SHA1
42312ad1843bda13839ca92d5801ce2e6594dd3d

SHA256
4703c9fb0d2f51a127988d5e3ec542a49275e2d8598c5f8a2f0d51657274a20c

SHA512
d07fb3d2334d77a9c81844473de101de09c441100bc10b6d6914e1cc49122e9767157dc57e5f2c5d10242d2d08a84428c339461a7fa2ab51037340aa7dd09193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vnz7wi3Fjakg.bat
Filesize
207B

MD5
094b8e6665858a2811ed0c4d38fda8ff

SHA1
b72a1e507c554839a63b5e7e6ecf2479963ffb8e

SHA256
6e2b2e453a85ec7efa350a5f188b53325740336adfb18a4c14fba7a188788dfb

SHA512
c3a823c02497fa266fc7fdc6a33eaa52108fea048760c43b538aa70ece65ea23ebb35d448a36833367dd66d870bf9ffc54614cd786af9b04e6d8cef5315864b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZnwWJRqUBEiy.bat
Filesize
207B

MD5
5586cff564df9214934ea93a12d49878

SHA1
9e550138e9df05ce7a52d7162815fd2c26ad27ab

SHA256
f4994d12c06d5e21606ae2455fe8c582813ff9ad6845c28ebdf9ca5b706a74e0

SHA512
018cfe67fe373242c7b322c7267d35f1f0d6ac5efda72eda2662c72b010ed20671c5f1a20a26bbd39d3b9a57e9a5bf800810955f5615dbf1d7c7a32df683b828

Download Submit
C:\Users\Admin\AppData\Local\Temp\assalJzEbYwg.bat
Filesize
207B

MD5
59f6b811be73baf3d4547541ae1036c0

SHA1
34d111c077bc1f0abdc2ba0fe3e94ec0e63915bb

SHA256
11d1949d25218a19803edac0a1cf5115fa233ef34695fe452143049f428c4011

SHA512
5fde6e8a19c0a593c79c06c423f4bb8606b64b8f3165f0d73bf81fa704d0b8f0771d810ef4c6044b52929d83e58b4e2382c6214e5850a7bb2db21a76fb0fe0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eCpmmCfkb5ZI.bat
Filesize
207B

MD5
695aaf3902370db9fd4853f00cdccc79

SHA1
39c871555be8c034e9a90f2c0b8087170181fb16

SHA256
a5384dae8106dfb63426e8b82d9927787398b960ad2679cd9c53333fc211c935

SHA512
7c54b4230e4bf88a93e6d8028a0add6b97742824a925da0adea5a35d3a6e186c13683e095fb95db33ff15ecbb6054b67465122a5b2346b65495d750cf64c9572

Download Submit
C:\Users\Admin\AppData\Local\Temp\iHi3NjG3kkQu.bat
Filesize
207B

MD5
84970403fa7ab8e77aa1f14a66bad681

SHA1
36a6f7db1211ca06c2ecac0b19fc7dc3bf95c174

SHA256
c82636d26fb74543e28a636d38bf2c60374dc9f78e3674d298bde2a45a82cda4

SHA512
0188e432e5927983947007b6d9205d758428dab5698e7e1686704075a658fd47344e1984bc56f3e9e5cd5d1bf6378dbae17cd42429a0e0b6d943545680f91f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\km52VvtnHFTO.bat
Filesize
207B

MD5
dc660bfa334b132d63748b98ddff3be0

SHA1
cf11c98fa6288b0986a1d8ab03b78515b9152889

SHA256
bbcd7e53e445c153df5e70f8b6faef5c5b9428964a485ec2fa328e1adb45b127

SHA512
521b6a53b7fa4cc7a6cc73060f2cab6317c80ee8d70ef3460e628158bc6583b3b5c681f6f45748874dee2360c0a53e33d271ac23c204f3b5d3aa666e2b4c1df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vRgZmfwwltum.bat
Filesize
207B

MD5
971f4a22757808236dbccae5033d2554

SHA1
5c5778266aec7aff9894e274c1638a36e444ff18

SHA256
0bdc7d794522475cfcddb1a37396435e15dfa6c2d5a6511e0cc1a9b9e4b48015

SHA512
3a07ceb9bf5e941492a23acc305b78ca6caaede1c15b455e0b4f04615c16d42a340e4eb0b7f9cf035b939f999cab849169bd04758df73f02a754e8b571e3940d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
9a13571d3e74285d48248d7699b172ab

SHA1
921bd313d985b0086c956fe92912953a66ce2ee0

SHA256
9f56220c20dea7e01ce8916364a61e2e1c9efa1a120e1273c12a64410660c1b1

SHA512
ba4f1efb388264e8910904dac3f522b4925ec022027d45c7f0d271e990271e9791f4eb8be3e5f27069e55bf650da23ef2bf07bdeb0936b4b0edf10f53bc68006

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
eff94a02c91b0520cc8d8e074776c652

SHA1
97dfc75eb57413109e92cb8b7275eefd2df5241b

SHA256
ece0444f7e89eaebee5343bbcfd6cd1dae15517a9bd760d47b3c1c98148be7ea

SHA512
cb9e0b4382b2f42b5d4a31ed991c597ba3945e76b2e2cad987ca42e1e971e948d11c124f5ab506d97d9499281be8212db96275f9b7aa61c37ebfbc399e3a05ad

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
73821baa8f3cce64ffdacf2fc7d5c512

SHA1
015e623e4c4e0acf6777441287e532e2c2df5281

SHA256
371d2f4a33623938b6743bdabe27b8c14b2075aa4c6eedc23232240714223080

SHA512
f5b24e18f4da775139bf5223ff9f61c83b20f06f5951cc4dd33c395216e1fcdf347f84f509b0b57ddc40a445865b6429ad8835b9d5ca3f80dec936193f254077

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
97a8501e31d232b0a939b8f3592e9f43

SHA1
7589cbc2c6efe87086f9271db861ea6ce3e3b538

SHA256
9ec98518d1757301b3ce3dedb1ed6cce9433277954db0fd98192617d10ef72d7

SHA512
921c3db7fc2d9d8cfc66a6357f86b3e572294e460471973d671041b3d92fb32ab6792a63d397b52f3e5413c7e458830af145b68a53427538a52bfbd0966f3152

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
35aef2fee10a41e8d2c7c9123faff4cf

SHA1
625438a02e3b62cde5a3850226f46f3c35a94c5b

SHA256
00dcee2ec4fe467d4574e9ac351737686796fb7dc29febd56e47a7c23f8d416e

SHA512
b8050bea02c4f831de58c0975fdf7a2970d01088ed426039a481d974194f2f34d68bc0eb9bdbb05a361d09e9e33b0b876112662e213daba166dea90b5cb55b31

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
9c8ab48b4d1bb586f14b2e06c90a13e1

SHA1
442bb7e73c19d32390be97cf38ca0b988a2624ec

SHA256
370df25280eb7739b4727479103f22ba49a604b130e6d31e7fe104f631bceae3

SHA512
20eff8553937425e4b6b2774e7018f38d6dd5d2283e649ad942888544f94e83cb0537077a566da1fa3c4eb5d95fb9e1e22f3a86281f571cb355a928093d089a6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
3579edcd5968641238a2f8e3ed9783a8

SHA1
83eba73ebae1ef1aedb4a6c3f8cf64097671dd43

SHA256
b77181c0555d15c9b13003299c98e3e459cba3a20fdb860884b237913c8e537a

SHA512
e053bef892573053564f036c2bb7b96252bae9837a2397e956b761e4f24295cca03f7babbea5c9f5254b3a336e7377203860a55361b835d6bccacf231d6107ae

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
80b820727bf831600e2e44d375998401

SHA1
aad441d2010fdfb0eb5d0813537e0b9389251c49

SHA256
854f473cca45cd24b82a0e2deded10038b963c21227749398dcb05bfc21dda17

SHA512
1cb4f69e7a7ba0fb55c24bb24df7151651e8b91ceca42feeec6211dd05927781e352933f042fea210892e092ef0d1b434aa347d4f5ef9b3ef2bd9303bf88f58e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/756-16-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/756-7-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/756-1-0x0000000000420000-0x000000000048C000-memory.dmp

Filesize
432KB

Download
memory/756-2-0x0000000005410000-0x00000000059B4000-memory.dmp

Filesize
5.6MB

Download
memory/756-0-0x00000000749CE000-0x00000000749CF000-memory.dmp

Filesize
4KB

Download
memory/756-3-0x0000000004F30000-0x0000000004FC2000-memory.dmp

Filesize
584KB

Download
memory/756-8-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/756-4-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/756-6-0x00000000053F0000-0x0000000005402000-memory.dmp

Filesize
72KB

Download
memory/756-5-0x0000000004FD0000-0x0000000005036000-memory.dmp

Filesize
408KB

Download
memory/2880-24-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/2880-17-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/2880-15-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/2880-19-0x0000000006AB0000-0x0000000006ABA000-memory.dmp

Filesize
40KB

Download