quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
296s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (100) - Copy - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral10/memory/1092-1-0x00000000009B0000-0x0000000000A1C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4616	Client.exe
2092	Client.exe
2228	Client.exe
4484	Client.exe
4892	Client.exe
4560	Client.exe
2432	Client.exe
1704	Client.exe
5116	Client.exe
5064	Client.exe
3332	Client.exe
3420	Client.exe
1008	Client.exe
4176	Client.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
18	ip-api.com
26	ip-api.com
30	ip-api.com
32	ip-api.com
3	ip-api.com
14	ip-api.com
24	ip-api.com
28	ip-api.com
36	ip-api.com
12	api.ipify.org
16	ip-api.com
20	ip-api.com
22	ip-api.com
34	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4880	4616	WerFault.exe	Client.exe
2836	2092	WerFault.exe	Client.exe
232	2228	WerFault.exe	Client.exe
3612	4484	WerFault.exe	Client.exe
5064	4892	WerFault.exe	Client.exe
1516	4560	WerFault.exe	Client.exe
4744	2432	WerFault.exe	Client.exe
3612	1704	WerFault.exe	Client.exe
4776	5116	WerFault.exe	Client.exe
1828	5064	WerFault.exe	Client.exe
2592	3332	WerFault.exe	Client.exe
808	3420	WerFault.exe	Client.exe
4704	1008	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4928	schtasks.exe
1216	SCHTASKS.exe
1436	schtasks.exe
692	schtasks.exe
4776	schtasks.exe
1828	schtasks.exe
1416	schtasks.exe
1576	schtasks.exe
2076	schtasks.exe
2204	schtasks.exe
1380	schtasks.exe
232	schtasks.exe
756	schtasks.exe
1712	schtasks.exe
4052	schtasks.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4392	PING.EXE
4052	PING.EXE
1576	PING.EXE
5076	PING.EXE
2776	PING.EXE
1808	PING.EXE
4672	PING.EXE
2252	PING.EXE
5028	PING.EXE
2596	PING.EXE
4380	PING.EXE
2080	PING.EXE
2036	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Uni - Copy (100) - Copy - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1092	Uni - Copy (100) - Copy - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	4616	Client.exe
Token: SeDebugPrivilege	2092	Client.exe
Token: SeDebugPrivilege	2228	Client.exe
Token: SeDebugPrivilege	4484	Client.exe
Token: SeDebugPrivilege	4892	Client.exe
Token: SeDebugPrivilege	4560	Client.exe
Token: SeDebugPrivilege	2432	Client.exe
Token: SeDebugPrivilege	1704	Client.exe
Token: SeDebugPrivilege	5116	Client.exe
Token: SeDebugPrivilege	5064	Client.exe
Token: SeDebugPrivilege	3332	Client.exe
Token: SeDebugPrivilege	3420	Client.exe
Token: SeDebugPrivilege	1008	Client.exe
Token: SeDebugPrivilege	4176	Client.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
4616	Client.exe
2092	Client.exe
2228	Client.exe
4484	Client.exe
4892	Client.exe
4560	Client.exe
2432	Client.exe
1704	Client.exe
5116	Client.exe
5064	Client.exe
3332	Client.exe
3420	Client.exe
1008	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (100) - Copy - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1092 wrote to memory of 1576	1092	Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	schtasks.exe
PID 1092 wrote to memory of 1576	1092	Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	schtasks.exe
PID 1092 wrote to memory of 1576	1092	Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	schtasks.exe
PID 1092 wrote to memory of 4616	1092	Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	Client.exe
PID 1092 wrote to memory of 4616	1092	Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	Client.exe
PID 1092 wrote to memory of 4616	1092	Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	Client.exe
PID 1092 wrote to memory of 1216	1092	Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1092 wrote to memory of 1216	1092	Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1092 wrote to memory of 1216	1092	Uni - Copy (100) - Copy - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 4616 wrote to memory of 756	4616	Client.exe	schtasks.exe
PID 4616 wrote to memory of 756	4616	Client.exe	schtasks.exe
PID 4616 wrote to memory of 756	4616	Client.exe	schtasks.exe
PID 4616 wrote to memory of 1760	4616	Client.exe	cmd.exe
PID 4616 wrote to memory of 1760	4616	Client.exe	cmd.exe
PID 4616 wrote to memory of 1760	4616	Client.exe	cmd.exe
PID 1760 wrote to memory of 4776	1760	cmd.exe	chcp.com
PID 1760 wrote to memory of 4776	1760	cmd.exe	chcp.com
PID 1760 wrote to memory of 4776	1760	cmd.exe	chcp.com
PID 1760 wrote to memory of 4672	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 4672	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 4672	1760	cmd.exe	PING.EXE
PID 1760 wrote to memory of 2092	1760	cmd.exe	Client.exe
PID 1760 wrote to memory of 2092	1760	cmd.exe	Client.exe
PID 1760 wrote to memory of 2092	1760	cmd.exe	Client.exe
PID 2092 wrote to memory of 1712	2092	Client.exe	schtasks.exe
PID 2092 wrote to memory of 1712	2092	Client.exe	schtasks.exe
PID 2092 wrote to memory of 1712	2092	Client.exe	schtasks.exe
PID 2092 wrote to memory of 3472	2092	Client.exe	cmd.exe
PID 2092 wrote to memory of 3472	2092	Client.exe	cmd.exe
PID 2092 wrote to memory of 3472	2092	Client.exe	cmd.exe
PID 3472 wrote to memory of 4116	3472	cmd.exe	chcp.com
PID 3472 wrote to memory of 4116	3472	cmd.exe	chcp.com
PID 3472 wrote to memory of 4116	3472	cmd.exe	chcp.com
PID 3472 wrote to memory of 2080	3472	cmd.exe	PING.EXE
PID 3472 wrote to memory of 2080	3472	cmd.exe	PING.EXE
PID 3472 wrote to memory of 2080	3472	cmd.exe	PING.EXE
PID 3472 wrote to memory of 2228	3472	cmd.exe	Client.exe
PID 3472 wrote to memory of 2228	3472	cmd.exe	Client.exe
PID 3472 wrote to memory of 2228	3472	cmd.exe	Client.exe
PID 2228 wrote to memory of 1436	2228	Client.exe	schtasks.exe
PID 2228 wrote to memory of 1436	2228	Client.exe	schtasks.exe
PID 2228 wrote to memory of 1436	2228	Client.exe	schtasks.exe
PID 2228 wrote to memory of 4236	2228	Client.exe	cmd.exe
PID 2228 wrote to memory of 4236	2228	Client.exe	cmd.exe
PID 2228 wrote to memory of 4236	2228	Client.exe	cmd.exe
PID 4236 wrote to memory of 4364	4236	cmd.exe	chcp.com
PID 4236 wrote to memory of 4364	4236	cmd.exe	chcp.com
PID 4236 wrote to memory of 4364	4236	cmd.exe	chcp.com
PID 4236 wrote to memory of 2252	4236	cmd.exe	PING.EXE
PID 4236 wrote to memory of 2252	4236	cmd.exe	PING.EXE
PID 4236 wrote to memory of 2252	4236	cmd.exe	PING.EXE
PID 4236 wrote to memory of 4484	4236	cmd.exe	Client.exe
PID 4236 wrote to memory of 4484	4236	cmd.exe	Client.exe
PID 4236 wrote to memory of 4484	4236	cmd.exe	Client.exe
PID 4484 wrote to memory of 692	4484	Client.exe	schtasks.exe
PID 4484 wrote to memory of 692	4484	Client.exe	schtasks.exe
PID 4484 wrote to memory of 692	4484	Client.exe	schtasks.exe
PID 4484 wrote to memory of 4932	4484	Client.exe	cmd.exe
PID 4484 wrote to memory of 4932	4484	Client.exe	cmd.exe
PID 4484 wrote to memory of 4932	4484	Client.exe	cmd.exe
PID 4932 wrote to memory of 1176	4932	cmd.exe	chcp.com
PID 4932 wrote to memory of 1176	4932	cmd.exe	chcp.com
PID 4932 wrote to memory of 1176	4932	cmd.exe	chcp.com
PID 4932 wrote to memory of 4392	4932	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1576

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c2uiNkZicCSH.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4776

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:4672

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYilKSzfC5Fh.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:4116

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2080

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rg6CW5Cz1f35.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4364

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2252

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5ExVUOmUBJiD.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:1176

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4392

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4892

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xpZeMK46GJFs.bat" "
11⤵
PID:4972

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:3084

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2036

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQAnEGLiMIlX.bat" "
13⤵
PID:2556

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:2208

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4052

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:1416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aR4te3VAod2o.bat" "
15⤵
PID:628

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:3512

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:5076

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ihEyAUdAruyA.bat" "
17⤵
PID:5068

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:1488

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:5028

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmsZTT9Nk8u1.bat" "
19⤵
PID:1940

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:868

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2776

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\f3qOleRhIDWG.bat" "
21⤵
PID:4564

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:3932

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2596

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BxG8PbYHPJGR.bat" "
23⤵
PID:3772

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2292

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4380

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3420

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rSCfHSwLfsxu.bat" "
25⤵
PID:4288

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:3100

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1808

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LrTZ9DSq50oA.bat" "
27⤵
PID:4404

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:2656

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1576

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1192
27⤵
- Program crash
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 2224
25⤵
- Program crash
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 1084
23⤵
- Program crash
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 2224
21⤵
- Program crash
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 2236
19⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1708
17⤵
- Program crash
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 2236
15⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1692
13⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1088
11⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 2224
9⤵
- Program crash
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 1692
7⤵
- Program crash
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 2148
5⤵
- Program crash
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 2148
3⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (100) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (100) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4616 -ip 4616
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2092 -ip 2092
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2228 -ip 2228
1⤵
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4484 -ip 4484
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4892 -ip 4892
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4560 -ip 4560
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2432 -ip 2432
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1704 -ip 1704
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5116 -ip 5116
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5064 -ip 5064
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3332 -ip 3332
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3420 -ip 3420
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1008 -ip 1008
1⤵
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ExVUOmUBJiD.bat
Filesize
207B

MD5
d7536fe6b96bae99540f71e2334550bb

SHA1
4cf240c675ae1b38b7773c9d55e397c247e08802

SHA256
6f7e94600cea93a8e0370614b1acebbd2f7d39beae20bfe46b1f97e6367af6b0

SHA512
5c42f1adfe44604936b3c119be2860c398407c2e226b86f67bc3f7e55098cf046d6a9bf6ea5447f6f3f09d959e60f78d91ac97ea67270dc3c51a91fdaecb897d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BxG8PbYHPJGR.bat
Filesize
207B

MD5
a5b907684bd2e6acacde90da2c31bb83

SHA1
18da262170957a6cedcb829d923a04a316c2d996

SHA256
466a4a4bcdf1579f8691333ac8d463190c6c5afa23cb99eabccc60c2b08f6e14

SHA512
43794efdcfac6b4e6d6a99dad020f0179a86238621f12d9f50ec5298c3dc92e7a8eb76281f755a5489957931614ec3c1ac91bc88b0e4f61a5271934e7a942cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrTZ9DSq50oA.bat
Filesize
207B

MD5
32195b1e18e53bd7749c13fcec064714

SHA1
0f9b8c9a3f565a684bb70c12954cca93e7357403

SHA256
b9d4096bd6189ca28d3a9ec451f592200a045be8345ebabbbfc72a40d6e7cd40

SHA512
38ca025cfbfb27fdce711e9b981d7a74f6c9395c9d95e9cafd70bc0f81cc2f05fc312de04b0fe910d94d140825178bc4b270c516469dfd724e682d7fc23706db

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYilKSzfC5Fh.bat
Filesize
207B

MD5
e64c2fc6367c56cdcaaf780162eee191

SHA1
a40a0d9b4315ec3c3dd61476dc8cf1ef4bd23ece

SHA256
98cc91c40e23be2ed25da5495f4faead4a19111bf6a9bf9a8b721cda833eb4cd

SHA512
77f6bbe612d857d1e380656b082a43258e63006f18ac5a762a57c34f0401dc597106e3f7bbb4e94c1690d38c118a645ba90cc6cd7f34b894e89685292d42bb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rg6CW5Cz1f35.bat
Filesize
207B

MD5
c9810c2a277a4ff607a24bc40546afcb

SHA1
bf76f8f756ca450449126c319fa666d6c1d59bc8

SHA256
886da55cdc1e43fe32b30381c875c24395000ddedacfef7c2e0ae6577a921342

SHA512
dc50c7e0e6a13c86302a210f31e8297ef8f3c79ee368dbd34209b707a27960620e6fda43a018f628ef18ff0ac9cbc87fc26d8e79766bae9044486b631d5b1541

Download Submit
C:\Users\Admin\AppData\Local\Temp\UmsZTT9Nk8u1.bat
Filesize
207B

MD5
edc29dad15496e840dfd6254b7e1e01a

SHA1
c99ccc13d06d60702cce96ed7cc27aa768825515

SHA256
af8bebc2aa6daa8232cdda481e8278d2614219d1775142b52b66f6022362d6d5

SHA512
7f4428b9da5558256f6ff0e294ba99cfd1f4729eaa5489e84d65b105868a5959d7ceab0b053d39326cbc6db32ec9b9f253087ade47806fdf628525af07b4537c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aR4te3VAod2o.bat
Filesize
207B

MD5
d75260ad11715b27ca1164c5d958d509

SHA1
d2a946a83a3fdda45fd6bc6e704a011fe0c3be5a

SHA256
e16428758bc08078b984313bd386c102aadc7a12001b8f4131056353ea2e72a0

SHA512
2133ee0b82a84fdce88cd8a4dd97d76012fa4fbd4ad8e67584640960523a8304db380e129d0a82fd00d1e0bd1bae9b55d1d7889e9c10f23b581e563a5bd39b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2uiNkZicCSH.bat
Filesize
207B

MD5
ce538f817a0f756a99bb9b18dc006ca7

SHA1
19a3e469ea1e04a734be2025f34584414990e905

SHA256
2f8510df5667646a4ca8fc674a3fd65fa672a05af99d725fbc8667b64bda4880

SHA512
f53bffb9b778073a761baf23ca355b4ca42aa0b3a9bb17b71bb134cebc8cf481d92ed478cefc8a550d6f25d166e89a217ca14e1af732c54c5f713adabff8b374

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3qOleRhIDWG.bat
Filesize
207B

MD5
02f8e30a115062df6ffa396364d393b9

SHA1
be4480166540941d9504438a943f64d5d837e383

SHA256
f26aee1b773f7ffc0a8dc08803cb44d86f57db386a7c41f23d766688f587cdf8

SHA512
f748ee47ddea9e7ec2ff4558ddcd4dac8b14f0f36bae318bd9f031c2ae25642b1ee583cc287389562abfe5936d14f6c99c27ac017fc3bfdc602494cfa9c3cf19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihEyAUdAruyA.bat
Filesize
207B

MD5
70b8b318d523583e1c05ade9bea6d0fd

SHA1
efc97fd3c40ab39c76ec22e8313502490e2d369e

SHA256
2a5c0bc0348fd87d247915283d067b7da855c2478a5555ecab2d7354bd1464bb

SHA512
d5627d1f8cce6ce6d531b4f76a239ab4bbcc7b219f5f50a9689ce69445c0f5e6dc638526b122241d1e02d78e029afbfcc2930faf099c3cf019b1344a2e83f5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pQAnEGLiMIlX.bat
Filesize
207B

MD5
04124f40009713243618583c57db1c8d

SHA1
aa2d500cd420ed443448991a08d90ed3be9eda7c

SHA256
ad8ea5d1efad55bcd5158d6b38a223d1f6c508936573b45f22e309f679b9f983

SHA512
11c021d296ba43ea887a7de423a44b2925cffee8a21114ae3ce0f01281bb75c13d5ad7c056e61345733b1fdd27468c626bc089baeca42a4b2e35718dddc54a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rSCfHSwLfsxu.bat
Filesize
207B

MD5
f39691a250fc2cb9aa56e12ba8386ae1

SHA1
19337d508613be97a0d18a39337a037761a5b7d8

SHA256
3d2ab78515e93367f2f3b9376dead1dd80ca16577cd9c96c7758fe5c82af9476

SHA512
7b332917e4dee5677ade7fea40350a0a6dc694580cbc5c89bc60e86249fe7eac7b1c549edc3850f9b9171332bda6e8506f7ad2f121290176881a9e96e9623081

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpZeMK46GJFs.bat
Filesize
207B

MD5
31e05b658e7d0da712159cbaec6b0fb9

SHA1
86f01335e69064b4282e6df8ae5de513be8c849c

SHA256
6220c343c92859b88980a5161736eef70567630181658a1fd35992382b08aa1f

SHA512
a1a762804e52133b12e7c8abdbb49aa88e4608e75b0aa603b44b99e1e168e93edeacc8b95c2a674fe711b7654c0b45cd232164f0eae91ef2d78b8200f16cca6c

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c34b60566e4ff68f66d7d24905f69a00

SHA1
b9a7ebd8f0dc0a2086b46a5b1a614ecf17dc0195

SHA256
803f7f146d9c8b9fd09efad0cb12c1bb3a7d02b2502a510644c39fa570888d49

SHA512
b820cac8b1dcfce89abfcb460263dfaa992cc4e12bed2c08e33430da9509d820740d5a3e6a9f4e63bdbd3fb572722550d3cc683ef65b65e5fd9eb9c2c36b9860

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
fb50649750f90749ae3c2b38d9e81b38

SHA1
da2bb087b5d4b771449bc2d6e70d181d52e15cb5

SHA256
6ca4bbdf13c64b94e8204992bad1555a02ab22d32c723a57b8f434ead1a70821

SHA512
ee2c7af3ac8327395bd79fbc0c8cbf7d04ee354f5eea02ed101021ae18fa852a16d907d8177b9a875b63bb3c1119f23461951f078c2131d1f2314f01fc29c7b9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c0f9e4857d8205a03c0c0286a4759475

SHA1
c42575b17c5d4c6a7113e4fc2074cdc5ea248026

SHA256
b6b277deb0a8d0a2b61bb6c75f5f2f9c6ab788d89b0115f54697cbb4103dc713

SHA512
adf2b48736a1c6605d9630604f62696ccf26ae236722b563c559ec8f152098c8ec92f24763c46365040c07402e55f5877f21f556ba3b29555444cc4b3afe9835

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
21ef274a7cb9e84c3912afb80da39402

SHA1
84447760462a69ca13b8fd075065a8814ecbf339

SHA256
6fe885e031d74a0a30a4959154b35fd7506319b574fe104f58ae72dfa80b9fba

SHA512
a43bc0ef7d7b0d0e74a09f27403666e2955a1c059da48441637662ce25fd01d2d1143cc8b2d8ebe56a199857720d8cc78cc2358705d87026078bd27360c2fdbc

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
7ef4af54ad8b144109af0c07a6c8921e

SHA1
80d45e00f4e29c10cce51b1036c82fdf7247b7fe

SHA256
8af9b2bbf0681ca2b7757a1edfac0ea97fa0787c7429ca68f0bafd753411e656

SHA512
577c77f66b30c9395aa812617327f1bfd867576748d91e9ea260c1309725bbb4b14dd06cba6dae6cb1e53c6a4352338013ea66b691f20133c1004fde3d9a539d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
c13d47dfbc76ade349eac7f972a021b2

SHA1
44c25cf26b926ce78fbc18f9f7fe54980fcb20a1

SHA256
46b764d724dc66dbdc2127028c6fe340e42dda443d9b340d1f064a77ee6a18e2

SHA512
1bcf17a698c88d4c46870bceb8ca4f2d7eb08449088e7fef6afe9a77bbcc016eaa00fe28f6e82e334c092e11e515d8ffda922796e75ff8078b35e6c07ee2a5b9

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
06325d55fdbc09d2b2a95a306f577d3d

SHA1
ec65c147081cb47239b64f7028f31f7666f8233e

SHA256
e00cd861c17dfe7576b29b92b0108d24a77ca6cc2e6341643697c825f62ede95

SHA512
3aef1e41129ff99f21786ba8ab0832f9f707d7174f6725dc86786e3cb2b21d8b53faf6d5c6d339ab5527523698f091654f5986b5683e04b392279e5d74e6a90e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
36c429e1598c6ddd3863da9e097b31e0

SHA1
482d40fc0dc351c70606f29d6d622c05581bfe85

SHA256
ee0c657449f6f2e7baa1299510362d2dbc835d064ac112fbfa2e53191abdf01a

SHA512
4f6aaa9da296aea3bfd223f4b8797a3ae8967110e22e7d403fc2d16a3eedd132fff7072dec92ffc210ae35f7816eb3982a4ce3d9d096dc27c6f908e2d907b3e9

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1092-8-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/1092-5-0x0000000005290000-0x00000000052F6000-memory.dmp

Filesize
408KB

Download
memory/1092-1-0x00000000009B0000-0x0000000000A1C000-memory.dmp

Filesize
432KB

Download
memory/1092-2-0x00000000058C0000-0x0000000005E64000-memory.dmp

Filesize
5.6MB

Download
memory/1092-7-0x000000007506E000-0x000000007506F000-memory.dmp

Filesize
4KB

Download
memory/1092-6-0x0000000005FB0000-0x0000000005FC2000-memory.dmp

Filesize
72KB

Download
memory/1092-3-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/1092-15-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/1092-0-0x000000007506E000-0x000000007506F000-memory.dmp

Filesize
4KB

Download
memory/1092-4-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4616-19-0x0000000006A20000-0x0000000006A2A000-memory.dmp

Filesize
40KB

Download
memory/4616-17-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4616-24-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4616-16-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download