quasar | 1a4689bd6cc37dac5abf6a68afda78aa46cf114aadb276b21299d1f566e4ef58

Analysis

max time kernel
300s
max time network
314s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uni/Uni - Copy (103) - Copy - Copy.exe
Size

409KB
MD5

b70fdac25a99501e3cae11f1b775249e
SHA1

3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71
SHA256

51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246
SHA512

43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44
SSDEEP

12288:gpbJjGut6AoE3hVVdFaC/eZPTMTDlpgfJCKuMsVs:oVaurMLcDlpRKai

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
Lme7VBS3l58VwLM69PNM
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral28/memory/1128-1-0x0000000000230000-0x000000000029C000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 14 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
5028	Client.exe
1088	Client.exe
2416	Client.exe
2816	Client.exe
372	Client.exe
4256	Client.exe
3984	Client.exe
3124	Client.exe
332	Client.exe
3056	Client.exe
4496	Client.exe
1852	Client.exe
228	Client.exe
3280	Client.exe

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
3	ip-api.com
18	ip-api.com
34	ip-api.com
20	ip-api.com
26	ip-api.com
36	ip-api.com
28	ip-api.com
30	ip-api.com
12	api.ipify.org
16	ip-api.com
24	ip-api.com
14	ip-api.com
22	ip-api.com
32	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1656	5028	WerFault.exe	Client.exe
1848	1088	WerFault.exe	Client.exe
4356	2416	WerFault.exe	Client.exe
4896	2816	WerFault.exe	Client.exe
5064	372	WerFault.exe	Client.exe
3916	4256	WerFault.exe	Client.exe
3996	3984	WerFault.exe	Client.exe
3944	3124	WerFault.exe	Client.exe
2464	332	WerFault.exe	Client.exe
2756	3056	WerFault.exe	Client.exe
3344	4496	WerFault.exe	Client.exe
3356	1852	WerFault.exe	Client.exe
560	228	WerFault.exe	Client.exe
1912	3280	WerFault.exe	Client.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1552	schtasks.exe
2832	schtasks.exe
3244	schtasks.exe
4656	schtasks.exe
4896	schtasks.exe
1800	schtasks.exe
2856	schtasks.exe
4772	schtasks.exe
4128	schtasks.exe
1716	schtasks.exe
3652	schtasks.exe
5076	SCHTASKS.exe
3496	schtasks.exe
4332	schtasks.exe
2284	schtasks.exe
1632	schtasks.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3444	PING.EXE
4636	PING.EXE
2652	PING.EXE
1840	PING.EXE
3688	PING.EXE
4932	PING.EXE
3420	PING.EXE
3404	PING.EXE
4680	PING.EXE
4820	PING.EXE
4960	PING.EXE
2796	PING.EXE
5116	PING.EXE
4980	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Uni - Copy (103) - Copy - Copy.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1128	Uni - Copy (103) - Copy - Copy.exe
Token: SeDebugPrivilege	5028	Client.exe
Token: SeDebugPrivilege	1088	Client.exe
Token: SeDebugPrivilege	2416	Client.exe
Token: SeDebugPrivilege	2816	Client.exe
Token: SeDebugPrivilege	372	Client.exe
Token: SeDebugPrivilege	4256	Client.exe
Token: SeDebugPrivilege	3984	Client.exe
Token: SeDebugPrivilege	3124	Client.exe
Token: SeDebugPrivilege	332	Client.exe
Token: SeDebugPrivilege	3056	Client.exe
Token: SeDebugPrivilege	4496	Client.exe
Token: SeDebugPrivilege	1852	Client.exe
Token: SeDebugPrivilege	228	Client.exe
Token: SeDebugPrivilege	3280	Client.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
5028	Client.exe
1088	Client.exe
2416	Client.exe
2816	Client.exe
372	Client.exe
4256	Client.exe
3984	Client.exe
3124	Client.exe
332	Client.exe
3056	Client.exe
4496	Client.exe
1852	Client.exe
228	Client.exe
3280	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni - Copy (103) - Copy - Copy.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 1128 wrote to memory of 4772	1128	Uni - Copy (103) - Copy - Copy.exe	schtasks.exe
PID 1128 wrote to memory of 4772	1128	Uni - Copy (103) - Copy - Copy.exe	schtasks.exe
PID 1128 wrote to memory of 4772	1128	Uni - Copy (103) - Copy - Copy.exe	schtasks.exe
PID 1128 wrote to memory of 5028	1128	Uni - Copy (103) - Copy - Copy.exe	Client.exe
PID 1128 wrote to memory of 5028	1128	Uni - Copy (103) - Copy - Copy.exe	Client.exe
PID 1128 wrote to memory of 5028	1128	Uni - Copy (103) - Copy - Copy.exe	Client.exe
PID 1128 wrote to memory of 5076	1128	Uni - Copy (103) - Copy - Copy.exe	SCHTASKS.exe
PID 1128 wrote to memory of 5076	1128	Uni - Copy (103) - Copy - Copy.exe	SCHTASKS.exe
PID 1128 wrote to memory of 5076	1128	Uni - Copy (103) - Copy - Copy.exe	SCHTASKS.exe
PID 5028 wrote to memory of 3496	5028	Client.exe	schtasks.exe
PID 5028 wrote to memory of 3496	5028	Client.exe	schtasks.exe
PID 5028 wrote to memory of 3496	5028	Client.exe	schtasks.exe
PID 5028 wrote to memory of 2160	5028	Client.exe	cmd.exe
PID 5028 wrote to memory of 2160	5028	Client.exe	cmd.exe
PID 5028 wrote to memory of 2160	5028	Client.exe	cmd.exe
PID 2160 wrote to memory of 3196	2160	cmd.exe	chcp.com
PID 2160 wrote to memory of 3196	2160	cmd.exe	chcp.com
PID 2160 wrote to memory of 3196	2160	cmd.exe	chcp.com
PID 2160 wrote to memory of 3444	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 3444	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 3444	2160	cmd.exe	PING.EXE
PID 2160 wrote to memory of 1088	2160	cmd.exe	Client.exe
PID 2160 wrote to memory of 1088	2160	cmd.exe	Client.exe
PID 2160 wrote to memory of 1088	2160	cmd.exe	Client.exe
PID 1088 wrote to memory of 4128	1088	Client.exe	schtasks.exe
PID 1088 wrote to memory of 4128	1088	Client.exe	schtasks.exe
PID 1088 wrote to memory of 4128	1088	Client.exe	schtasks.exe
PID 1088 wrote to memory of 1992	1088	Client.exe	cmd.exe
PID 1088 wrote to memory of 1992	1088	Client.exe	cmd.exe
PID 1088 wrote to memory of 1992	1088	Client.exe	cmd.exe
PID 1992 wrote to memory of 3800	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 3800	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 3800	1992	cmd.exe	chcp.com
PID 1992 wrote to memory of 1840	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 1840	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 1840	1992	cmd.exe	PING.EXE
PID 1992 wrote to memory of 2416	1992	cmd.exe	Client.exe
PID 1992 wrote to memory of 2416	1992	cmd.exe	Client.exe
PID 1992 wrote to memory of 2416	1992	cmd.exe	Client.exe
PID 2416 wrote to memory of 1552	2416	Client.exe	schtasks.exe
PID 2416 wrote to memory of 1552	2416	Client.exe	schtasks.exe
PID 2416 wrote to memory of 1552	2416	Client.exe	schtasks.exe
PID 2416 wrote to memory of 2064	2416	Client.exe	cmd.exe
PID 2416 wrote to memory of 2064	2416	Client.exe	cmd.exe
PID 2416 wrote to memory of 2064	2416	Client.exe	cmd.exe
PID 2064 wrote to memory of 4364	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 4364	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 4364	2064	cmd.exe	chcp.com
PID 2064 wrote to memory of 3404	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 3404	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 3404	2064	cmd.exe	PING.EXE
PID 2064 wrote to memory of 2816	2064	cmd.exe	Client.exe
PID 2064 wrote to memory of 2816	2064	cmd.exe	Client.exe
PID 2064 wrote to memory of 2816	2064	cmd.exe	Client.exe
PID 2816 wrote to memory of 1716	2816	Client.exe	schtasks.exe
PID 2816 wrote to memory of 1716	2816	Client.exe	schtasks.exe
PID 2816 wrote to memory of 1716	2816	Client.exe	schtasks.exe
PID 2816 wrote to memory of 1672	2816	Client.exe	cmd.exe
PID 2816 wrote to memory of 1672	2816	Client.exe	cmd.exe
PID 2816 wrote to memory of 1672	2816	Client.exe	cmd.exe
PID 1672 wrote to memory of 3668	1672	cmd.exe	chcp.com
PID 1672 wrote to memory of 3668	1672	cmd.exe	chcp.com
PID 1672 wrote to memory of 3668	1672	cmd.exe	chcp.com
PID 1672 wrote to memory of 4680	1672	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4772

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGHKR4SQvlgD.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:3196

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3444

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w2B8G9zFbPpc.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:3800

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1840

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SK7BxJnKIBwA.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:4364

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:3404

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reprA7nklcQx.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3668

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:4680

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:372

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aieigN9e82ft.bat" "
11⤵
PID:4916

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:3496

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:4932

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xXDY7zXzvVGl.bat" "
13⤵
PID:2292

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:2756

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3688

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3984

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d295zpv3B4xE.bat" "
15⤵
PID:2256

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:3112

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:5116

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3124

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hjQrqr6D7UK6.bat" "
17⤵
PID:4004

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3220

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:4980

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:332

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TkKwGeGfZobN.bat" "
19⤵
PID:1808

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:3552

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:4636

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3056

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EkD1hRQ729se.bat" "
21⤵
PID:4268

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:1088

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:3420

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uF9YZIpAIiZ7.bat" "
23⤵
PID:4356

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:3480

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2652

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1852

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:3244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9Yw6eDHoMbsG.bat" "
25⤵
PID:4532

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:2692

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:4820

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:228

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yremr1GEq2M3.bat" "
27⤵
PID:3080

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:404

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4960

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3280

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dcf3bFmABMPU.bat" "
29⤵
PID:1536

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:4916

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 1528
29⤵
- Program crash
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1688
27⤵
- Program crash
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 2248
25⤵
- Program crash
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1096
23⤵
- Program crash
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1668
21⤵
- Program crash
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 1092
19⤵
- Program crash
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1092
17⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1092
15⤵
- Program crash
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 1084
13⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 1732
11⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1092
9⤵
- Program crash
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 2196
7⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 2168
5⤵
- Program crash
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 1628
3⤵
- Program crash
PID:1656

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (103) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (103) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5028 -ip 5028
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1088 -ip 1088
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2416 -ip 2416
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2816 -ip 2816
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 372 -ip 372
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4256 -ip 4256
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3984 -ip 3984
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3124 -ip 3124
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 332 -ip 332
1⤵
PID:700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3056 -ip 3056
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4496 -ip 4496
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1852 -ip 1852
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 228 -ip 228
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3280 -ip 3280
1⤵
PID:3572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9Yw6eDHoMbsG.bat
Filesize
207B

MD5
8492071f2aa473c9aaaff92a088a7583

SHA1
c5fe1eb6fba623ad5b75e60b8e636b1e280e29e6

SHA256
e6d94dec8eb483ba2bd5653edf2497768edf03056380b73c20667d7f0a4940e4

SHA512
1eec18ea28da8a257f4a60f4f1986b2b73764efc3ad3b776c674ea162532129cd119fb906c857f99826c3e56a00a453ded01ddf909dc81b51be1eaf18debf453

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkD1hRQ729se.bat
Filesize
207B

MD5
878900805b5f75f8e6d67a7d9dd0b012

SHA1
49453b0f6b49d8d1bc31f6cc1fba5401ce26e1ae

SHA256
d190d480b69769701d6bf459cd27e121d0c02f886d4aab2e206421fd9ab364f1

SHA512
f13baf98761f2e88ca8584a32df944873d6380451f119f4dc958ec898514250bc4456a546b7a61c76732fcb2e67611da23e6f6cce8b10602ae15f53bcc854dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SK7BxJnKIBwA.bat
Filesize
207B

MD5
ad63b405eff6e8b250938ed45074d8f8

SHA1
98471d535143a67cb920301fa9ac6f32bea08518

SHA256
ac66587c84e47644880236e8661c06cc55278d07f13214e07a2bd62b83a4e507

SHA512
a8ad659c438591c21135fbf68b05a124ae5e4bf5a8cb47de280e037c019a8a33c9b069adfc3d0228036383df8c6315efba8f1389d0de1052038b1c12bc1a8b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\TkKwGeGfZobN.bat
Filesize
207B

MD5
54d682b8263b22050e41c68b9bba95db

SHA1
51a72de50262a73c5f90f4f74cb1a49e2eb9ee29

SHA256
d8956ee92cc61e7851142b11a2d1141fdd49f82f342f584ca14368b4d3179171

SHA512
221b60cb7469eef7e9552d31a1a29affd223530cd82d3fbd0a12fb84a3f9c76135aa4cc3333f7f7a01606ad6c6dbbee5de60590d7a92663a3e699ebf4776104a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yremr1GEq2M3.bat
Filesize
207B

MD5
2432e29df4d75101a94f490efb9f273f

SHA1
5e703bce83fec0f3acfd6d9e0a3849092b7eea1e

SHA256
659da8fd314f990fb72009759a2a84b36517a01471c182571192b7ea83ee6e46

SHA512
04ff808b73f73107a9cf7dc7caf4f7012d08cca865c284bbab8bc375b31eb87bd12f5d16833d95c2015dd9db07458bb59f1b00b2ddf1628299f00a92d3e42469

Download Submit
C:\Users\Admin\AppData\Local\Temp\aieigN9e82ft.bat
Filesize
207B

MD5
19aa63db2e02a14c3711b93d0d9e57ef

SHA1
40ba7d7f0a77814e8eefaca5b0f2082b28f2a4f6

SHA256
70f680f4336a1ff6f3cbe41ce4bfc2a08d44bbc1ddece8d9f684da82f407943f

SHA512
2e606402ab33e9c45882af22975fac1f5a6c61738ea4ee115d29a63867f262f94a0a0238bbbfe3ac8697ccdec5455204246ab0365034697dd8be7c34f70af01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d295zpv3B4xE.bat
Filesize
207B

MD5
bba948fc2d7f939b7ce9e563c9ca9a44

SHA1
013fdaabc586ffc10f39f73c4ced374f1446d23c

SHA256
6da351031f27b33edb60fa1ff1d76f4400d0d9c3d53fe652a66a02178b440c88

SHA512
76c13047b1e2f604113c0b036b5cc4b20ee302c7f449dcb4cf506211ad4a6fedda0854fb2c7ea02ac1789c9b5363f7654ba86875cecef0c6cfbb5761abe89071

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcf3bFmABMPU.bat
Filesize
207B

MD5
2123707212e96c82f8e35273ab50d4ac

SHA1
5bb5f0f3d83767d26dc64581b509697ec9702b02

SHA256
fe8fba3fdf97385a58cba7c6f228e4853566d8313f81861417c33ceb0b1fecfe

SHA512
1c93dc468ceb2e5eb8d5009b7630d05c85f1ee0cbac5094ea9a33b27604661a204972ee5a135c6da941c3d0ab00013e5018737e3f4bc6d52b42c7620dadd0459

Download Submit
C:\Users\Admin\AppData\Local\Temp\hjQrqr6D7UK6.bat
Filesize
207B

MD5
4e51d49b7a26d7dcf1b2e38ac85a730f

SHA1
acd150f86c862b1d5413627619458baabfd89de7

SHA256
75686d1f2657092d4500ab19f16d4e84f6a81ff085ec2554ec9e23752a995c2f

SHA512
6a5450f6f0f13f163460de69d7486be6f52fcc1a36653ad844c3c891a6bc453f9f722de33b46d11ddcba2c6d8178780ae3ddbfff990641f4ff94f14c9655c4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGHKR4SQvlgD.bat
Filesize
207B

MD5
720e3780dfb673ed03dd8d68cf108be1

SHA1
017a1a16ace203ef7b500aa5b932d70c8426ac0e

SHA256
915ecf91ee41c02d6a636432c0b78c832b8d4a954d215b4237dcea1101ef2435

SHA512
8b83f387cac7ab13e5688a21d0da58f2b56ce3c34c4e4cff363f640a3fdf737077dcb57ff3990144aa44ec76c5573078750845cb2c584a2f0257789ff96c04a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\reprA7nklcQx.bat
Filesize
207B

MD5
729fbfd877f58d15e31dfdcfd9535255

SHA1
b87250d46157e775d9455173aa49245036929927

SHA256
f6cbc91ebff29d95ddc1363c23ececcf3d2687d12b0ce6619b4092556835ac9c

SHA512
05d469086653615ea1ea158f915b55cf43aba702d10c9f7669e807eb7c4f58cb13ae9ab93c3f3ed2d1e152bb10bc764dd125d87e1b8f760fe5f9cf98e22d50f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uF9YZIpAIiZ7.bat
Filesize
207B

MD5
68661048988b29355e7aee7fdaf475d4

SHA1
fe6f1405c566616b357097c80318ad3597bb6f0b

SHA256
d8f4a68e83895a10847d3415eafe5d1391054f1143271a2278fa8d5765f507f9

SHA512
9c24efaa35cbb86bb5a5c18ca6d5b966e6f53d81a05c182a9855cf6e02401efc860d0ac0185bfb4eb6eeae7204e60ddc71d86378649f56eac31a4021de5f9d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2B8G9zFbPpc.bat
Filesize
207B

MD5
ab05b51e592fdaa7c5240299707b4fc6

SHA1
e569070c3f296d66da4469a41aabd3757f0efaac

SHA256
50128514f7e691f466b5fa48b1df9fbd5657128f133b2e20527723ccdad2d0c1

SHA512
a2cc1f5181d76c24e42189ce486bc6570385692fcfeb420af0faa12e881fe1255f76794b38d533f22abb4773720991d23ed0a2e9affdccb08edde321e0554c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xXDY7zXzvVGl.bat
Filesize
207B

MD5
c4b825dc7fd1262b69c12fe7dd185275

SHA1
590094e80a15ab455c149135d0627eb866167c08

SHA256
4446b4b12a458a2f1d6c3b8f197849b9de707008965c31ce3c251746bb9e4f58

SHA512
3a2f2af0393e8527a8fb9d9b9c582721ba62474723caa39f17a376cd95b509bbb7fbf1de5d1e94300319777c18ed2c03991802498300c48824d9113dfd8899b0

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
fe0b11d8ca857d2d5cd86e6b83806882

SHA1
8d2315942619d562dca81a5df1247f8d78b343bf

SHA256
9be5ace470637e441f3619264b739707ed9a407863c8ebdc28ad0ed129a1efd6

SHA512
b4328ff2e884f72ba0f763917c8fa48667d6802b017d4e8ef173f8bac7d99af02fcdd6cf0ef60ee7552b1946d8df4be9942da30671a2946d5077ebdf6b8c1465

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
caee8548865a5425542896bc04b927ad

SHA1
e85cedae7a891294a832d2bb25489369a74dfe0b

SHA256
c24cf148fecdac8ea9a4bb7b19431d6ea99ec919c7e1ad2e4b3077646a8b031f

SHA512
60f146fff145f04c91b36230eb6b804c0a0d88115a8277bf4d75f96b2d57add1cf2e1ff01f06804057bf58166c3a131b6136cfbabf934f3def78a81bf4274d3d

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
3ce08434d995b85e607e3c740158c231

SHA1
cc1ed8f45b47b090c63b3d621dc6d9e85dd864bc

SHA256
9272e39465fe3e451685abdd023af5ffc082695fd7b27d854c2a9e47549b0c55

SHA512
c5fb2607db79d933444a46f36aa9d5740e21669803c448d0b03fa027510bdbb4366a86516b7f7c478dc1a809e499e6ac2712eb45474b9dc6b98d163c1aceca80

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
e43709ee5efb4505827605b5bfbbd919

SHA1
dcc4407bc0bf7453511cc647c2ee330f4a4278b2

SHA256
122c3e037e6b77ca47c3c4e48b4c736f2c0b12f87fb946a2ef9f0631d426ac6b

SHA512
fda7e1b6c364f7e32ab218bbfb5609a5a0331c4d5aa7d21049f9831c25d9b929b7d0597cc3e580e6483587c4a6fc3b56735477b53cc8c9474be35c14fe844739

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
0eaf184c6803cde8c3b7f191a2ea4a79

SHA1
a8058c330f9a88b060f2ca12d5c0f203352af096

SHA256
7205d46f9a5a77cc7293d676d1a688683edfa065bddc44fde727df7981825048

SHA512
e39c0f21e8ca0317171ace8095e2c493f1c0a6129bb565973efc290a797f0f9abe613ca8a510c0f3c7e3e023fe340cdd4b6e8de256cd71ddf9810a75fd88caa7

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
890bd6bdcef936ccd28aea7cbfa99e29

SHA1
a150f21958ea61cc429b3c3bb88c8a4ef46f9347

SHA256
6531a1f589543a5a032b8b0d307771609fa480b1f510dd6f6de7ceb43a5a1922

SHA512
eeeacf7c1f8da70ac8afecb8d9b162f24bc002bc5a422a9aae0b7f7f7f0fd426ae3da59ac249f0104215818dd9ebbdff46fcb46e16109b015cf27435c4f41752

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-15-2024
Filesize
224B

MD5
77f44a0088eabd4bfd127299f6325980

SHA1
66258bc025a3ee7bd3d3235398b5410d48c20e6a

SHA256
c705e92c97715e1ff5d6ccb7b4af950ae2a46fec2a1e8755bbc4557aa6504003

SHA512
e0d40f955180605b0c52d7cb1b5657e50122056748911c18fe374bae76844aed557c39db8b15e3e9b113abe4f466643c1aebdcb64089207c3918f872cd3e6d23

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
b70fdac25a99501e3cae11f1b775249e

SHA1
3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71

SHA256
51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246

SHA512
43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44

Download Submit
memory/1128-8-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/1128-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/1128-16-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/1128-1-0x0000000000230000-0x000000000029C000-memory.dmp

Filesize
432KB

Download
memory/1128-7-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/1128-2-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/1128-6-0x00000000059D0000-0x00000000059E2000-memory.dmp

Filesize
72KB

Download
memory/1128-3-0x0000000004CD0000-0x0000000004D62000-memory.dmp

Filesize
584KB

Download
memory/1128-5-0x0000000004DD0000-0x0000000004E36000-memory.dmp

Filesize
408KB

Download
memory/1128-4-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/5028-19-0x0000000006EA0000-0x0000000006EAA000-memory.dmp

Filesize
40KB

Download
memory/5028-15-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/5028-17-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/5028-24-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download