quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
298s
max time network
309s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (10) - Copy - Copy - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1068-1-0x00000000009D0000-0x0000000000A3C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2384	Client.exe
1036	Client.exe
1668	Client.exe
456	Client.exe
4796	Client.exe
4972	Client.exe
4612	Client.exe
4456	Client.exe
1824	Client.exe
3264	Client.exe
4140	Client.exe
4636	Client.exe
4628	Client.exe
4864	Client.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
8	api.ipify.org
15	ip-api.com
17	ip-api.com
19	ip-api.com
22	ip-api.com
31	ip-api.com
35	ip-api.com
2	ip-api.com
12	ip-api.com
24	ip-api.com
26	ip-api.com
33	ip-api.com
29	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2896	2384	WerFault.exe	Client.exe
4728	1036	WerFault.exe	Client.exe
848	1668	WerFault.exe	Client.exe
2552	456	WerFault.exe	Client.exe
4640	4796	WerFault.exe	Client.exe
2596	4972	WerFault.exe	Client.exe
4148	4612	WerFault.exe	Client.exe
1464	4456	WerFault.exe	Client.exe
3280	1824	WerFault.exe	Client.exe
3656	3264	WerFault.exe	Client.exe
4816	4140	WerFault.exe	Client.exe
5084	4636	WerFault.exe	Client.exe
2760	4628	WerFault.exe	Client.exe
3256	4864	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

SCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2252	SCHTASKS.exe
4812	schtasks.exe
8	schtasks.exe
4232	schtasks.exe
4644	schtasks.exe
2244	schtasks.exe
872	schtasks.exe
3236	schtasks.exe
2876	schtasks.exe
4036	schtasks.exe
1628	schtasks.exe
2348	schtasks.exe
1212	schtasks.exe
660	schtasks.exe
1272	schtasks.exe
4916	schtasks.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3788	PING.EXE
1852	PING.EXE
4832	PING.EXE
4796	PING.EXE
3588	PING.EXE
2272	PING.EXE
2896	PING.EXE
1872	PING.EXE
3148	PING.EXE
3320	PING.EXE
2536	PING.EXE
1212	PING.EXE
4244	PING.EXE
4816	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Uni - Copy (10) - Copy - Copy - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1068	Uni - Copy (10) - Copy - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	2384	Client.exe
Token: SeDebugPrivilege	1036	Client.exe
Token: SeDebugPrivilege	1668	Client.exe
Token: SeDebugPrivilege	456	Client.exe
Token: SeDebugPrivilege	4796	Client.exe
Token: SeDebugPrivilege	4972	Client.exe
Token: SeDebugPrivilege	4612	Client.exe
Token: SeDebugPrivilege	4456	Client.exe
Token: SeDebugPrivilege	1824	Client.exe
Token: SeDebugPrivilege	3264	Client.exe
Token: SeDebugPrivilege	4140	Client.exe
Token: SeDebugPrivilege	4636	Client.exe
Token: SeDebugPrivilege	4628	Client.exe
Token: SeDebugPrivilege	4864	Client.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2384	Client.exe
1036	Client.exe
1668	Client.exe
456	Client.exe
4796	Client.exe
4972	Client.exe
4612	Client.exe
4456	Client.exe
1824	Client.exe
3264	Client.exe
4140	Client.exe
4636	Client.exe
4628	Client.exe
4864	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (10) - Copy - Copy - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1068 wrote to memory of 2876	1068	Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	schtasks.exe
PID 1068 wrote to memory of 2876	1068	Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	schtasks.exe
PID 1068 wrote to memory of 2876	1068	Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	schtasks.exe
PID 1068 wrote to memory of 2384	1068	Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	Client.exe
PID 1068 wrote to memory of 2384	1068	Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	Client.exe
PID 1068 wrote to memory of 2384	1068	Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	Client.exe
PID 1068 wrote to memory of 2252	1068	Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1068 wrote to memory of 2252	1068	Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 1068 wrote to memory of 2252	1068	Uni - Copy (10) - Copy - Copy - Copy - Copy.exe	SCHTASKS.exe
PID 2384 wrote to memory of 4812	2384	Client.exe	schtasks.exe
PID 2384 wrote to memory of 4812	2384	Client.exe	schtasks.exe
PID 2384 wrote to memory of 4812	2384	Client.exe	schtasks.exe
PID 2384 wrote to memory of 3908	2384	Client.exe	cmd.exe
PID 2384 wrote to memory of 3908	2384	Client.exe	cmd.exe
PID 2384 wrote to memory of 3908	2384	Client.exe	cmd.exe
PID 3908 wrote to memory of 2456	3908	cmd.exe	chcp.com
PID 3908 wrote to memory of 2456	3908	cmd.exe	chcp.com
PID 3908 wrote to memory of 2456	3908	cmd.exe	chcp.com
PID 3908 wrote to memory of 3588	3908	cmd.exe	PING.EXE
PID 3908 wrote to memory of 3588	3908	cmd.exe	PING.EXE
PID 3908 wrote to memory of 3588	3908	cmd.exe	PING.EXE
PID 3908 wrote to memory of 1036	3908	cmd.exe	Client.exe
PID 3908 wrote to memory of 1036	3908	cmd.exe	Client.exe
PID 3908 wrote to memory of 1036	3908	cmd.exe	Client.exe
PID 1036 wrote to memory of 2348	1036	Client.exe	schtasks.exe
PID 1036 wrote to memory of 2348	1036	Client.exe	schtasks.exe
PID 1036 wrote to memory of 2348	1036	Client.exe	schtasks.exe
PID 1036 wrote to memory of 3548	1036	Client.exe	cmd.exe
PID 1036 wrote to memory of 3548	1036	Client.exe	cmd.exe
PID 1036 wrote to memory of 3548	1036	Client.exe	cmd.exe
PID 3548 wrote to memory of 3576	3548	cmd.exe	chcp.com
PID 3548 wrote to memory of 3576	3548	cmd.exe	chcp.com
PID 3548 wrote to memory of 3576	3548	cmd.exe	chcp.com
PID 3548 wrote to memory of 1212	3548	cmd.exe	PING.EXE
PID 3548 wrote to memory of 1212	3548	cmd.exe	PING.EXE
PID 3548 wrote to memory of 1212	3548	cmd.exe	PING.EXE
PID 3548 wrote to memory of 1668	3548	cmd.exe	Client.exe
PID 3548 wrote to memory of 1668	3548	cmd.exe	Client.exe
PID 3548 wrote to memory of 1668	3548	cmd.exe	Client.exe
PID 1668 wrote to memory of 4036	1668	Client.exe	schtasks.exe
PID 1668 wrote to memory of 4036	1668	Client.exe	schtasks.exe
PID 1668 wrote to memory of 4036	1668	Client.exe	schtasks.exe
PID 1668 wrote to memory of 4276	1668	Client.exe	cmd.exe
PID 1668 wrote to memory of 4276	1668	Client.exe	cmd.exe
PID 1668 wrote to memory of 4276	1668	Client.exe	cmd.exe
PID 4276 wrote to memory of 4652	4276	cmd.exe	chcp.com
PID 4276 wrote to memory of 4652	4276	cmd.exe	chcp.com
PID 4276 wrote to memory of 4652	4276	cmd.exe	chcp.com
PID 4276 wrote to memory of 2272	4276	cmd.exe	PING.EXE
PID 4276 wrote to memory of 2272	4276	cmd.exe	PING.EXE
PID 4276 wrote to memory of 2272	4276	cmd.exe	PING.EXE
PID 4276 wrote to memory of 456	4276	cmd.exe	Client.exe
PID 4276 wrote to memory of 456	4276	cmd.exe	Client.exe
PID 4276 wrote to memory of 456	4276	cmd.exe	Client.exe
PID 456 wrote to memory of 1628	456	Client.exe	schtasks.exe
PID 456 wrote to memory of 1628	456	Client.exe	schtasks.exe
PID 456 wrote to memory of 1628	456	Client.exe	schtasks.exe
PID 456 wrote to memory of 2224	456	Client.exe	cmd.exe
PID 456 wrote to memory of 2224	456	Client.exe	cmd.exe
PID 456 wrote to memory of 2224	456	Client.exe	cmd.exe
PID 2224 wrote to memory of 3556	2224	cmd.exe	chcp.com
PID 2224 wrote to memory of 3556	2224	cmd.exe	chcp.com
PID 2224 wrote to memory of 3556	2224	cmd.exe	chcp.com
PID 2224 wrote to memory of 2896	2224	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2876

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uRmkRxfaOR19.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2456

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3588

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fSgpskp2rmIR.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:3576

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1212

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ukSOxfHfvfca.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4652

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2272

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgVaB7jt4NkZ.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3556

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2896

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2avJo4qTBTUk.bat" "
11⤵
PID:1352

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:3496

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4244

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4972

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VvRioczDAigQ.bat" "
13⤵
PID:2532

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4884

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:4816

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jDEHtXSqFbza.bat" "
15⤵
PID:3116

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:5048

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1872

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUAW9gDGiUXA.bat" "
17⤵
PID:3540

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3920

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3148

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boqQlUjSKbWF.bat" "
19⤵
PID:3536

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:1508

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4832

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3264

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m5oG4e1mtg8V.bat" "
21⤵
PID:3144

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:748

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:3320

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4140

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egQPvbJOygfA.bat" "
23⤵
PID:1120

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:3464

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2536

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4636

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QhJUMOTqR0wR.bat" "
25⤵
PID:1600

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:1780

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:3788

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XPOz0AoJsE0D.bat" "
27⤵
PID:3540

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:2896

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1852

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vExpRlBffib5.bat" "
29⤵
PID:1520

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1984

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1720
29⤵
- Program crash
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2248
27⤵
- Program crash
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 2248
25⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 2224
23⤵
- Program crash
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 2232
21⤵
- Program crash
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 2180
19⤵
- Program crash
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 2180
17⤵
- Program crash
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1660
15⤵
- Program crash
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 2224
13⤵
- Program crash
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1696
11⤵
- Program crash
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 2248
9⤵
- Program crash
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 2248
7⤵
- Program crash
PID:848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 2196
5⤵
- Program crash
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1656
3⤵
- Program crash
PID:2896

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2384 -ip 2384
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1036 -ip 1036
1⤵
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1668 -ip 1668
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 456 -ip 456
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4796 -ip 4796
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4972 -ip 4972
1⤵
PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4612 -ip 4612
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4456 -ip 4456
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1824 -ip 1824
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3264 -ip 3264
1⤵
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4140 -ip 4140
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4636 -ip 4636
1⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4628 -ip 4628
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4864 -ip 4864
1⤵
PID:3436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2avJo4qTBTUk.bat
Filesize
207B

MD5
8e439698069e8825c2b68dd8ec878536

SHA1
6b0e107149dbec3c2ba028cdc1a9cf169e54fe85

SHA256
501374ce65c90fd66668141252fa76fa1bbc9acf3f9cba9e4dcc292c587b1764

SHA512
e99b224d5b603a0a901674bcb109adb41b34c8738b15f9e64bc8bac570ed8d29dc8895290621d3c48061f102efc2d7901b7312f12e1d9519309c19c20b724dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QhJUMOTqR0wR.bat
Filesize
207B

MD5
476460a2dfa43a696246d6c127733998

SHA1
bbb218a9393f40e0f803c61029168589293b170a

SHA256
16e466e87b1b39c0d8c6cef7ff8c43b5de7db4543d47e536b70cd73323190a6c

SHA512
8fe4a3eb20fe10eebead8ef65850b15cc62eb9681042654e5f5c75f5e988df42c63f6b68f6c67edc6a9fdc1b7ea484808ae7bf0f7e9aaabeaf0e10a849b59fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\VvRioczDAigQ.bat
Filesize
207B

MD5
3b2bb1df38be4d476d56835eef1c7b2c

SHA1
7eb3070c3b27690b36de50d50934c832434fdea0

SHA256
0c356ae5cd977ec47c4367c8d77ccfb38065ef789bd58c2a2549cb5a2262b59b

SHA512
60c3ccd645c868121dd96cbaf134684971951f9386211b1c7b6da31e11e64cf4dbacf5288cb11f11580cad96b91516b9374b9e7b33320d4f23b5998deca69a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgVaB7jt4NkZ.bat
Filesize
207B

MD5
86bf98090e656c6fe3623f76e7173df8

SHA1
a1a5ec50b18cce68a8b4466b1e41ea7ab01373e2

SHA256
d5b73fdecdbe4c04aba735f3960d87ea019b3de3e476ba1040a1632d5fd587bd

SHA512
2f6a79f027e047aaf6388afd2a2cce3f43f9009f00ec9f563bc9ea1ade1aad7b3caaa2c88f1f1ef909f4e4b84c19da2a9da4c87255c25458357e8c91b5fd76dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPOz0AoJsE0D.bat
Filesize
207B

MD5
d173b887eee0651ba4ba6f4799c96cac

SHA1
257cc3d2c403073ad14d03222d9da8b4433c358c

SHA256
b58e6c59ff91d508e5a789813ba45da76b40ded507c9a224cf48cce0fb3b64c3

SHA512
6affd9f15ab20219c00a5e1fd15f88d01e42a1c3657e5d86795517e33273cb957c997b6843d11e219c0656dec323776327a604267b6a61fd23530e02bde64c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\boqQlUjSKbWF.bat
Filesize
207B

MD5
860a873cb759685e826392bc6d3a0fdc

SHA1
1e83a56c3fceee423caddf01d5a848ddfdde00b8

SHA256
76de3302da6d02fdcea44f80e2f7f8ec51fc4bb46c553d44190c3ee6fcca873c

SHA512
224c3e73d006c56377728db43dda751af251485246fab29124ead3c6be6f3e65b46f915aafb94ced365cf3f580007a7fe6e04850b4d91ed0aef36c9f3c69d634

Download Submit
C:\Users\Admin\AppData\Local\Temp\egQPvbJOygfA.bat
Filesize
207B

MD5
2c0665e6c46afce2c0ff30318b40dd6a

SHA1
460f2f4c49395507841ee5a18cd5f0ef2e5bdb77

SHA256
b2a8b20985965fac73b0cc93fc0e9290897ba7a582f37cc5b66a7b7380e85e6b

SHA512
b207ecab4ea375ffeece8c6a78d154bffd0101550076b294570534aeaadabf78299f9bd822cceb0859a56bfebd63ec6e9169c2c3a5c34e030ba22c1fe758d576

Download Submit
C:\Users\Admin\AppData\Local\Temp\fSgpskp2rmIR.bat
Filesize
207B

MD5
967ecfad66639dfe8a680795a2c12d53

SHA1
78718c4decc47d8a390eaae26956c41d152080ce

SHA256
fdaa4c2812ae92defb28c7d42057f433e42864fe3aed8af095e870fbe666bb9d

SHA512
8420ea7396a274bee3e1d076588294805fc3c8379ec71dc4cad5ab908976adb3080e934ddabcd67b8c8ec074abfae75ef657b9cef93eeae03a09deb651d481b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jDEHtXSqFbza.bat
Filesize
207B

MD5
b1fcc62d66e31937e4fe601d0b1f1013

SHA1
47aa5fbda021a5088707e1723d29ae36797ecd7f

SHA256
dccbd8beae0c7f1557a8a45031720beb555db776353134c507783a5419e42bee

SHA512
b69077a5f41748e85cddb18aca275181c7f010af69a05a56d5a8149a38d0a171776fdfe25f9b22b4aa1b408846fd35bc744c08e05652534a0b3ef76cd584f474

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5oG4e1mtg8V.bat
Filesize
207B

MD5
7e08380bb484f241d7a9bd5e69481961

SHA1
7189a7ece24961ed6f3ed30fba46f8a29467df13

SHA256
f94b38275326f3471304642a9b19cf36802c75a4d0edcf5870e9a420b45e8c9e

SHA512
70cf181d2796934259533fbb3cda999c5a68be08ab11efab24de9e6e6b8ae3702291adf139bf47d64b4ba650b5eaabae82c8019856f3e736f2a9bc75c6f3c650

Download Submit
C:\Users\Admin\AppData\Local\Temp\rUAW9gDGiUXA.bat
Filesize
207B

MD5
70c7ea5046ed60658dd928519d5c1b9e

SHA1
9b8a04f81f08defc7a7bf7ebde1a04606a7334d0

SHA256
754b3cd1e40f12f53cfe3e5422ae58100d26d77362dd0e07e2323bc9c37b3306

SHA512
ca0bf7616109fbd560be0b6388d7304d2560c64dc1f299bd032d90e53723c3edba023773420fe41ace31ad51e7cca34ec1c07c1cc9191388159bdb09489ffc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRmkRxfaOR19.bat
Filesize
207B

MD5
f0975b3274fa09c74e9789804c185b1f

SHA1
68f2a3072489fc43abae82cdea92f46a865f6a85

SHA256
829df18ceeb70b4962186de934abce77519d479f24f97c6df84d97c6c6ef978f

SHA512
122a4588897cbf4d1b8a250c6a7f06ef30cd346f447003b05bee0d41b2d7e4b47ac7079fef6436e1bbe9271e427976f681a455597ba8c9c136fdc5ad31ed7509

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukSOxfHfvfca.bat
Filesize
207B

MD5
0afe1b9c6cf09e4d0708fdf0c192ee41

SHA1
2527ca2d87546b24d5d959534a3d078556421b53

SHA256
a5f21ea6deafaf87cc524116021533aec5b477a512efcaca11ad7926da4f5963

SHA512
9bd8b3cb7a24fb242637b8abb1700aabab4f9e4147187142afc50c7c25f5d3ed9b91c932d5f01c2a1b5b0c7e0ecb51d8ed2ba5b3fef84c80565d2b5e0bd7a039

Download Submit
C:\Users\Admin\AppData\Local\Temp\vExpRlBffib5.bat
Filesize
207B

MD5
4b68a94235f2d085b7cb22ab2cff5d25

SHA1
ce41cae3ab7342e6653b4727da4ecf345979cfbf

SHA256
350dc800a28a854e9b33f5d88bbdb6dab48e8277cb72ba4b42375330285a6921

SHA512
853ce344fc22975338009626dc841829cd2993ece52601064c053cccb3078a40c75e113db5addfde2a4d7d4ac75e442f89df24358c91a377413a064017a8353b

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
63da7970aa3146eb91c6af6d79bb42c1

SHA1
1b2e1240ee5d6053f0578586064201f559a4c7f7

SHA256
c139d4efe33aab6d1ce017569fc7e1cd0a6738346bc23344096f2fb51e6b0b6a

SHA512
a50b128c984aea76f8ff5bc6dcf53c93b8661a26e67913fd350f9145b4c91152b138bb46febc28e5fe58f6f4b7fdbef8202d916f413a8c40aa8b61d7eab7813d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
6d4369724679450e30d1045f8a600a88

SHA1
2088d6f2877aab63cab8bf92b2609413fb16f151

SHA256
0832b3a92e61bc2139a2a35a94c8eba62ee821d324af75e9756dbd438d809f9d

SHA512
a5a1228927d56631a07959ed884b9088b846152fd2ea9217339166c9f22bff5897811994c1f1fb9b84fa38af02253ee33f0cdfd2f219b93512e879bc3e9cc57f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
5e47b7e92ab8a19cb82a4aba144b0273

SHA1
852599d0d757e40ef4bb26a40352dc4f977a0b1f

SHA256
ca6b9143aca14056cdcc9cd4da02716aa00250333ddc87d0df20406ab39e6277

SHA512
e819c2a0d1763ed1c6ff3ea1304ae961b1110b20d943955a20354831b69eee69e1e2c486d151493e3d0b1a9726a4a3ff3aea2b1e4debcb2f3bd2237ef5e389b0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
bae8e79550ef336b500b3677fa32f31a

SHA1
00a992ce6e052ccf679be6162db8b29e0e63ed84

SHA256
6d2b5e9154bc182b621e2a733e0a38146065012d4292121f693e2fe4745afbb9

SHA512
418498dabcf683074a981f5010d1749d06773b364cff6ace925e704d38c2825134b00630ecc03f6de8325aeb50cb9620b49730e37cc4922ddd1c9beba696c351

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
3415fcd350d9dda71f95b8eb7cc93e5a

SHA1
4aef985e04195e88e87c4f7c7c4cc45b4d57fe21

SHA256
3920cec23feb35b59d26ffa673f2f8ff706b8c846b8f6fca54fdec68cf49b91b

SHA512
168ee5e6779a22ebca0b30a2219a9e4e782e005ee9df03031c934f47b695d72bac4a4897d68e6395e485ed4be9aae538772febc69ac08d68838b32d1a98707f6

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
ba9e4a590b284ac6c884999f968b493c

SHA1
0a9568aa6b68f3f98babac09eafe3576c59b7766

SHA256
4687ec58ac09d7b5f790fd65b5f917531402204cc72841a79c1851f6d081e0de

SHA512
a2219a6ce92a55d02bb860b0172a404268c9424a6b4791afd95c6ec3118d7804aee2a61225e858ffe2d360ade7a3e06bf945b0ccb66b0097f5ac62f0f0001e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
a2bcaa5f72969bc5799fdddd6be47efa

SHA1
0c8856d2429496b3fe27d658110bce8f4cde45b6

SHA256
c0811b6a49be218bdaae63d96fb8a611c0f20839a3fe26385c1f05a9d1a5b5ae

SHA512
538960c7bc650ec65e70a01798d75accfe6727a1968333746ed52449c4d7b6aeb75285622ea3c18340d1aa0e55ac4a4bb16a62c387a2d990ae61966d0c32568e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1068-5-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/1068-6-0x0000000005960000-0x0000000005972000-memory.dmp

Filesize
72KB

Download
memory/1068-16-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/1068-8-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/1068-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/1068-7-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/1068-1-0x00000000009D0000-0x0000000000A3C000-memory.dmp

Filesize
432KB

Download
memory/1068-2-0x00000000059C0000-0x0000000005F64000-memory.dmp

Filesize
5.6MB

Download
memory/1068-3-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/1068-4-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/2384-24-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/2384-19-0x0000000006210000-0x000000000621A000-memory.dmp

Filesize
40KB

Download
memory/2384-15-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/2384-17-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download