quasar | 49686a0b50103315e6a2a8af78084b9b5eb485ad4767f2d63043d8969ff9bb23

Analysis

max time kernel
296s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost1.exe
Size

409KB
MD5

b80b8c569a390b124cb7aaae003c8a82
SHA1

c38fc46e835ccbb538f4df122e501d07562553c4
SHA256

49686a0b50103315e6a2a8af78084b9b5eb485ad4767f2d63043d8969ff9bb23
SHA512

75148f5e619eea0b6f44b3e6ecc0d4e6a97775fee2456209d90c002f8baacfa9109b2be90da6afdf0282c7704a9542bb01c6566d383d4a0b587508e4f6fdfb47
SSDEEP

12288:epsD64e1M8c4Q7JkMgtqB+chi4gjEhNjh:6sG4kMfJiqBNfPh

Score

10^/10

quasar seroxen | v3.1.5 |spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

nexosmith1231-54169.portmap.host:4782

Mutex

$Sxr-NbHXQzYHWTCnT97XUN

Attributes

encryption_key
v2wYEk6QCkLkJJ1DyEGm
install_name
$sxr-powershell.exe
log_directory
$sxr-Logs
reconnect_delay
3000
startup_key
Powershell
subdirectory
$sxr-seroxen2

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1352-1-0x0000000000C80000-0x0000000000CEC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	$sxr-powershell.exe

Executes dropped EXE 15 IoCs

Processes:

pid	process
1524	$sxr-powershell.exe
2732	$sxr-powershell.exe
2464	$sxr-powershell.exe
4628	$sxr-powershell.exe
4476	$sxr-powershell.exe
3988	$sxr-powershell.exe
2748	$sxr-powershell.exe
2140	$sxr-powershell.exe
1648	$sxr-powershell.exe
4072	$sxr-powershell.exe
4540	$sxr-powershell.exe
3440	$sxr-powershell.exe
1692	$sxr-powershell.exe
4488	$sxr-powershell.exe
3968	$sxr-powershell.exe

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
15	ip-api.com
32	ip-api.com
34	ip-api.com
8	api.ipify.org
25	ip-api.com
36	ip-api.com
19	ip-api.com
13	ip-api.com
17	ip-api.com
30	ip-api.com
2	ip-api.com
27	ip-api.com
22	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1912	1524	WerFault.exe	$sxr-powershell.exe
4232	2732	WerFault.exe	$sxr-powershell.exe
2220	2464	WerFault.exe	$sxr-powershell.exe
3216	4628	WerFault.exe	$sxr-powershell.exe
4952	4476	WerFault.exe	$sxr-powershell.exe
4040	3988	WerFault.exe	$sxr-powershell.exe
2240	2748	WerFault.exe	$sxr-powershell.exe
3944	2140	WerFault.exe	$sxr-powershell.exe
3516	1648	WerFault.exe	$sxr-powershell.exe
1948	4072	WerFault.exe	$sxr-powershell.exe
2324	4540	WerFault.exe	$sxr-powershell.exe
3620	3440	WerFault.exe	$sxr-powershell.exe
676	1692	WerFault.exe	$sxr-powershell.exe
2840	4488	WerFault.exe	$sxr-powershell.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3884	schtasks.exe
1548	SCHTASKS.exe
2404	schtasks.exe
2068	schtasks.exe
1292	schtasks.exe
3792	schtasks.exe
208	schtasks.exe
1696	schtasks.exe
3792	schtasks.exe
2232	schtasks.exe
2076	schtasks.exe
3060	schtasks.exe
2252	schtasks.exe
2020	schtasks.exe
3996	schtasks.exe
4016	schtasks.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4020	PING.EXE
3880	PING.EXE
1416	PING.EXE
1292	PING.EXE
3932	PING.EXE
2120	PING.EXE
3640	PING.EXE
2368	PING.EXE
3672	PING.EXE
3772	PING.EXE
4040	PING.EXE
3800	PING.EXE
2184	PING.EXE
348	PING.EXE

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

svchost1.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe$sxr-powershell.exe

description	pid	process
Token: SeDebugPrivilege	1352	svchost1.exe
Token: SeDebugPrivilege	1524	$sxr-powershell.exe
Token: SeDebugPrivilege	2732	$sxr-powershell.exe
Token: SeDebugPrivilege	2464	$sxr-powershell.exe
Token: SeDebugPrivilege	4628	$sxr-powershell.exe
Token: SeDebugPrivilege	4476	$sxr-powershell.exe
Token: SeDebugPrivilege	3988	$sxr-powershell.exe
Token: SeDebugPrivilege	2748	$sxr-powershell.exe
Token: SeDebugPrivilege	2140	$sxr-powershell.exe
Token: SeDebugPrivilege	1648	$sxr-powershell.exe
Token: SeDebugPrivilege	4072	$sxr-powershell.exe
Token: SeDebugPrivilege	4540	$sxr-powershell.exe
Token: SeDebugPrivilege	3440	$sxr-powershell.exe
Token: SeDebugPrivilege	1692	$sxr-powershell.exe
Token: SeDebugPrivilege	4488	$sxr-powershell.exe
Token: SeDebugPrivilege	3968	$sxr-powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

pid	process
1524	$sxr-powershell.exe
2732	$sxr-powershell.exe
2464	$sxr-powershell.exe
4628	$sxr-powershell.exe
4476	$sxr-powershell.exe
3988	$sxr-powershell.exe
2748	$sxr-powershell.exe
2140	$sxr-powershell.exe
1648	$sxr-powershell.exe
4072	$sxr-powershell.exe
4540	$sxr-powershell.exe
3440	$sxr-powershell.exe
1692	$sxr-powershell.exe
4488	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

svchost1.exe$sxr-powershell.execmd.exe$sxr-powershell.execmd.exe$sxr-powershell.execmd.exe$sxr-powershell.execmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 2252	1352	svchost1.exe	schtasks.exe
PID 1352 wrote to memory of 2252	1352	svchost1.exe	schtasks.exe
PID 1352 wrote to memory of 2252	1352	svchost1.exe	schtasks.exe
PID 1352 wrote to memory of 1524	1352	svchost1.exe	$sxr-powershell.exe
PID 1352 wrote to memory of 1524	1352	svchost1.exe	$sxr-powershell.exe
PID 1352 wrote to memory of 1524	1352	svchost1.exe	$sxr-powershell.exe
PID 1352 wrote to memory of 1548	1352	svchost1.exe	SCHTASKS.exe
PID 1352 wrote to memory of 1548	1352	svchost1.exe	SCHTASKS.exe
PID 1352 wrote to memory of 1548	1352	svchost1.exe	SCHTASKS.exe
PID 1524 wrote to memory of 2020	1524	$sxr-powershell.exe	schtasks.exe
PID 1524 wrote to memory of 2020	1524	$sxr-powershell.exe	schtasks.exe
PID 1524 wrote to memory of 2020	1524	$sxr-powershell.exe	schtasks.exe
PID 1524 wrote to memory of 2300	1524	$sxr-powershell.exe	cmd.exe
PID 1524 wrote to memory of 2300	1524	$sxr-powershell.exe	cmd.exe
PID 1524 wrote to memory of 2300	1524	$sxr-powershell.exe	cmd.exe
PID 2300 wrote to memory of 1388	2300	cmd.exe	chcp.com
PID 2300 wrote to memory of 1388	2300	cmd.exe	chcp.com
PID 2300 wrote to memory of 1388	2300	cmd.exe	chcp.com
PID 2300 wrote to memory of 3772	2300	cmd.exe	PING.EXE
PID 2300 wrote to memory of 3772	2300	cmd.exe	PING.EXE
PID 2300 wrote to memory of 3772	2300	cmd.exe	PING.EXE
PID 2300 wrote to memory of 2732	2300	cmd.exe	$sxr-powershell.exe
PID 2300 wrote to memory of 2732	2300	cmd.exe	$sxr-powershell.exe
PID 2300 wrote to memory of 2732	2300	cmd.exe	$sxr-powershell.exe
PID 2732 wrote to memory of 3792	2732	$sxr-powershell.exe	schtasks.exe
PID 2732 wrote to memory of 3792	2732	$sxr-powershell.exe	schtasks.exe
PID 2732 wrote to memory of 3792	2732	$sxr-powershell.exe	schtasks.exe
PID 2732 wrote to memory of 3640	2732	$sxr-powershell.exe	cmd.exe
PID 2732 wrote to memory of 3640	2732	$sxr-powershell.exe	cmd.exe
PID 2732 wrote to memory of 3640	2732	$sxr-powershell.exe	cmd.exe
PID 3640 wrote to memory of 2164	3640	cmd.exe	chcp.com
PID 3640 wrote to memory of 2164	3640	cmd.exe	chcp.com
PID 3640 wrote to memory of 2164	3640	cmd.exe	chcp.com
PID 3640 wrote to memory of 4040	3640	cmd.exe	PING.EXE
PID 3640 wrote to memory of 4040	3640	cmd.exe	PING.EXE
PID 3640 wrote to memory of 4040	3640	cmd.exe	PING.EXE
PID 3640 wrote to memory of 2464	3640	cmd.exe	$sxr-powershell.exe
PID 3640 wrote to memory of 2464	3640	cmd.exe	$sxr-powershell.exe
PID 3640 wrote to memory of 2464	3640	cmd.exe	$sxr-powershell.exe
PID 2464 wrote to memory of 2404	2464	$sxr-powershell.exe	schtasks.exe
PID 2464 wrote to memory of 2404	2464	$sxr-powershell.exe	schtasks.exe
PID 2464 wrote to memory of 2404	2464	$sxr-powershell.exe	schtasks.exe
PID 2464 wrote to memory of 3116	2464	$sxr-powershell.exe	cmd.exe
PID 2464 wrote to memory of 3116	2464	$sxr-powershell.exe	cmd.exe
PID 2464 wrote to memory of 3116	2464	$sxr-powershell.exe	cmd.exe
PID 3116 wrote to memory of 1312	3116	cmd.exe	chcp.com
PID 3116 wrote to memory of 1312	3116	cmd.exe	chcp.com
PID 3116 wrote to memory of 1312	3116	cmd.exe	chcp.com
PID 3116 wrote to memory of 4020	3116	cmd.exe	PING.EXE
PID 3116 wrote to memory of 4020	3116	cmd.exe	PING.EXE
PID 3116 wrote to memory of 4020	3116	cmd.exe	PING.EXE
PID 3116 wrote to memory of 4628	3116	cmd.exe	$sxr-powershell.exe
PID 3116 wrote to memory of 4628	3116	cmd.exe	$sxr-powershell.exe
PID 3116 wrote to memory of 4628	3116	cmd.exe	$sxr-powershell.exe
PID 4628 wrote to memory of 3996	4628	$sxr-powershell.exe	schtasks.exe
PID 4628 wrote to memory of 3996	4628	$sxr-powershell.exe	schtasks.exe
PID 4628 wrote to memory of 3996	4628	$sxr-powershell.exe	schtasks.exe
PID 4628 wrote to memory of 4200	4628	$sxr-powershell.exe	cmd.exe
PID 4628 wrote to memory of 4200	4628	$sxr-powershell.exe	cmd.exe
PID 4628 wrote to memory of 4200	4628	$sxr-powershell.exe	cmd.exe
PID 4200 wrote to memory of 3324	4200	cmd.exe	chcp.com
PID 4200 wrote to memory of 3324	4200	cmd.exe	chcp.com
PID 4200 wrote to memory of 3324	4200	cmd.exe	chcp.com
PID 4200 wrote to memory of 1416	4200	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\svchost1.exe
"C:\Users\Admin\AppData\Local\Temp\svchost1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost1.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:2252

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QaF2iLhA1Wo3.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:1388

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:3772

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LlWfzOa2eyWR.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:2164

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4040

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQv71e4yyN8j.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\chcp.com
chcp 65001
8⤵
PID:1312

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:4020

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N7CssgF8toUa.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\SysWOW64\chcp.com
chcp 65001
10⤵
PID:3324

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:1416

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VpHNWSacL2YM.bat" "
11⤵
PID:3068

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:1772

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:2120

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
13⤵
- Creates scheduled task(s)
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g6GCpdswt7Bc.bat" "
13⤵
PID:4576

C:\Windows\SysWOW64\chcp.com
chcp 65001
14⤵
PID:4688

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:3640

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
15⤵
- Creates scheduled task(s)
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JaOzuj6gdsAB.bat" "
15⤵
PID:4808

C:\Windows\SysWOW64\chcp.com
chcp 65001
16⤵
PID:380

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1292

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2140

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BBz8mfOIjshq.bat" "
17⤵
PID:676

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:1020

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3880

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\It4dQRilA6lb.bat" "
19⤵
PID:2376

C:\Windows\SysWOW64\chcp.com
chcp 65001
20⤵
PID:2832

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2368

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4072

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L5BaWHHrOZFZ.bat" "
21⤵
PID:1052

C:\Windows\SysWOW64\chcp.com
chcp 65001
22⤵
PID:548

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:3672

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwwGXiYuOqWG.bat" "
23⤵
PID:2312

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:3500

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3932

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3440

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
25⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rDv5qtqExv8V.bat" "
25⤵
PID:3136

C:\Windows\SysWOW64\chcp.com
chcp 65001
26⤵
PID:5048

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:3800

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Utv838YV1ll.bat" "
27⤵
PID:3648

C:\Windows\SysWOW64\chcp.com
chcp 65001
28⤵
PID:3924

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2184

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYjmfJURsR0i.bat" "
29⤵
PID:3704

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:4428

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:348

C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
"C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe"
30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 2248
29⤵
- Program crash
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 1092
27⤵
- Program crash
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 2232
25⤵
- Program crash
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 1632
23⤵
- Program crash
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 1708
21⤵
- Program crash
PID:1948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 1092
19⤵
- Program crash
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 2220
17⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1728
15⤵
- Program crash
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1092
13⤵
- Program crash
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1096
11⤵
- Program crash
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 2252
9⤵
- Program crash
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1092
7⤵
- Program crash
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 2156
5⤵
- Program crash
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1916
3⤵
- Program crash
PID:1912

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77svchost1.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost1.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1524 -ip 1524
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2732 -ip 2732
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2464 -ip 2464
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4628 -ip 4628
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4476 -ip 4476
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3988 -ip 3988
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2748 -ip 2748
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2140 -ip 2140
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1648 -ip 1648
1⤵
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4072 -ip 4072
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4540 -ip 4540
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3440 -ip 3440
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1692 -ip 1692
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4488 -ip 4488
1⤵
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2Utv838YV1ll.bat
Filesize
223B

MD5
a340467eb75a98cfd0ed0777a07c2538

SHA1
98a2ab36cd63f541f9858fbed44165fd03931482

SHA256
a4128e52e8b9de14e270e3e3c47d01fde078e67033b067987d563fb4558d254b

SHA512
97221791e80a738f360b0944b0cbe483d538acbd2d721d706649310ff1a049dcc49050947f5b0d19c8c205508330cac9f9c2eda925d371c5482156cda411e028

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBz8mfOIjshq.bat
Filesize
223B

MD5
fa05bbc25b524b825f4bee29fe51185c

SHA1
2e7e7bad3ec8464329a800550767906c6a5c5261

SHA256
b13cf615488859041763f8b4c2faeb96209f0fed7c612337957051e6bd5de0d5

SHA512
4afa9aba4bd839cf732f0be0e8050f421430e871d7f0e689c0b2f5d8b9d6b6665b9bfc0d0fe05c9075ad544e8e7e9ac5e7308469a3337b29aa8308a1ab0c281c

Download Submit
C:\Users\Admin\AppData\Local\Temp\It4dQRilA6lb.bat
Filesize
223B

MD5
d656257addd91061a4f8e62151230324

SHA1
6a871a47db26029b6bc11c877d9d5251370fc963

SHA256
63abbeabc667a6c8e6a5d3010f59ea42a5d9260cec90dbfbab98dee3be00048b

SHA512
6f772f899da884a99071585b7b5e0e9d0c3cefe5fcbab7c4ae28ff6d6b5bbe0bcb0bd70628b21824cb4381094f64b18d935605c8b8d802626c71429813ff1d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\JQv71e4yyN8j.bat
Filesize
223B

MD5
fc3046d5aab7a3a46fa6f1bf53cdd4aa

SHA1
bbe5e8dfd10c3525b24c99dd1c7ee084a2fa02ef

SHA256
e36157b14d2fa3c4d92790603cefb722002a0193e1f28e86fa8441179e3434da

SHA512
c9df8c8950f11f32431e8f709730a7f362fe5f71e975a872a92f8c84a530de00777133d097c83bff4703c2bb98ffa71b8351f7868705af297467699b55c1b166

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaOzuj6gdsAB.bat
Filesize
223B

MD5
ac82440ab2e9a27df7b3d83dadc24192

SHA1
eeaa564ffb68549e8fafac498f8bc476c49a0794

SHA256
ed49d8dface059853fb90761f32cc32cfe2acb8e152e4b79e003ab442bcb07d1

SHA512
ee92cb0d1ec8a76135bdf9da4afef8040130bc8403a7aed1420dc5e08ba1c888010705ad12a1a61d62d8727b2ae362cf40beed7ed3bf2ec8d0ee43c7921c6c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\L5BaWHHrOZFZ.bat
Filesize
223B

MD5
7ab17a0eb651524bb33d1e965a8d6797

SHA1
62aeeb91d2ac8baecab8c06aad0471d82ca08213

SHA256
3d5c793ea2d8d51d1d3579f1fc5afa94de56bd44472eefdbad646e5186712a8a

SHA512
71563bae695feb4ba4ec2a4675780c9e0a76bcc5eae0d95220a818761839cdc7eb52ea024e8ffe45eda5e599cb60ba129a29728bcfa1da16685d0ef0d82a01f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LlWfzOa2eyWR.bat
Filesize
223B

MD5
1cdb37916a33008a4d183440a7059a71

SHA1
ba0fcddb009c5a270d6110ef40517c53f75212de

SHA256
05a6813858aa04caeb31c340facd37f8e935356dbef990748e841bdc5d84f2ab

SHA512
c6cc3033de8327082046cc613e3bef28a979201238d8c49177242673ddc5d0fd97efef07fb3d19829d8bc4d73290569568a979b009af3b1c3f2fcfcc6318847f

Download Submit
C:\Users\Admin\AppData\Local\Temp\N7CssgF8toUa.bat
Filesize
223B

MD5
98678d8a91eeb7fefd8566e49c7e88f9

SHA1
6f05ef8218068231374bb371aef1c4746a86438b

SHA256
e608551f4025c445431dc17b50dfdbe7efd25ad75137bd8d20756549ee70c026

SHA512
a82df09394fa353bc208951dce012b34b44a08b6e875051067e054608922c19175667741deee0ceae011551b61f84041ff2de3083c553c6035fbc194a099fc06

Download Submit
C:\Users\Admin\AppData\Local\Temp\QaF2iLhA1Wo3.bat
Filesize
223B

MD5
236e4d46918d26257c689b2fc1918956

SHA1
9d1cee0822a138aaff4bd01dd3234abee29507c9

SHA256
08851c55ae6f0485848df798a34e51c9a563a20229185bc581b17e407c6e11b9

SHA512
55d8a9f7a2f449659687d07b43c923094c88217421f9fd4550a2d8915afe35115e7389dadeee7fdf347f80af71f366df1e421c1c49a010fa2892a68f23364e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\VpHNWSacL2YM.bat
Filesize
223B

MD5
180be726b9205bfe7683365d8c6f513b

SHA1
3030a05bd4617ee042c46fb6efccebad10651fdf

SHA256
b558e33bc8e0b4e412a07bf70920b107be2d7532538661fc5dfaf0eb7d80eb0a

SHA512
0284dcde08d12f3a31c6739117e982391d69c60e5e5a5b6f129c32ce5d00a8b8a985b71ca4a3cadc58188b3b51ddfad74ad5c4cb9fa21d3035bc52a8510e6596

Download Submit
C:\Users\Admin\AppData\Local\Temp\g6GCpdswt7Bc.bat
Filesize
223B

MD5
35b23680dd3b466436a38dfa914fe6a9

SHA1
beb355904e2129f96ee86b2e06167d5c2a4c3631

SHA256
a43c81cbeff37a2ab3e79091b9a74697cf44721d47432f337119534ef3f12e7f

SHA512
dc4003788a6eec1cb17278eaddd4d7d602885c28db0f9ca79f5f1ee7e4265316e7c34e6ed7ae38842b222a59cba11b8d4a7ffeb2dab4548143f8f2c4c2f5d571

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwwGXiYuOqWG.bat
Filesize
223B

MD5
85546b9585e83be7f9e390d9e4ef3d85

SHA1
09788e6d1ddcc2bd246536bc021dabb96c0da089

SHA256
76e2d7504410f332f387cf17e3c0890c46db879349b4a02dd5d6b4f0cd1393d1

SHA512
caef300ac556137993ff1fb3994ffc5f17ba41e4128118bb6f59e36f432307395b093032f90a833f70e059c752ae920b34d7d8bd2cc0f01a571faf6c9def0306

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYjmfJURsR0i.bat
Filesize
223B

MD5
e33fbb43c8e1097175ff901dc271e815

SHA1
17174bec2de14906def12b578b2983ea313c5a34

SHA256
e60d5acc21863ccdf950d7f7128f58aad194d9bc43550f9beffaa6d307d044d4

SHA512
392bf5ff3ad1f19412b340c4160a190cef24fdaf7aeef5c7fe6fd3495419127218316a40988d361813376669e1d41d8cf7544a15385fee3756322678c65f73c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rDv5qtqExv8V.bat
Filesize
223B

MD5
b82bdc70ea44592b31edd80d23fa1a91

SHA1
a02fa34f5b8e33278a89e4d1a7c60e0ecd941281

SHA256
2f5346dd88118976cc443f489adf9287a73b43a503dc9b584d6d426aa7dd009d

SHA512
7c9d843581e9c6322078247f5076032bcc22752a444702a4532b9e4014b16d3d4b52d41bd439ad42aafd65fdc787d0ff02ae6beb3b62d11932742931c4750dc1

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
b07ab7573d4295bba8b1ee4aa5484bda

SHA1
66f86c07ff0c61d214c5ea8d1f6cf09a6c167073

SHA256
db9f841b86fc64d26caca276bcc862b1cc2f708d6cd95780507d03e94ef650a0

SHA512
503c3d7e08566e3b18ade15a7217438e544b1345ed522719c342a6d58a81df3109e3210ec2dcefa7ff3aba39b7eca329ae6dbf6a0ad7c03cc956158e8cc43788

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
e8589fba5e3cce2aa84da18783d62d23

SHA1
fddca99dd73e4437dd293ccfa2badf190eb3c10c

SHA256
ff64078fcd73a919df48025da6a8d60ea0a81100121a0c39161ab5de5cd62cc0

SHA512
75a3c37f5965d5179ecab1c9974f770f0c5e5a7ec513402e85456505cd05dd6773a27d98da00efef1e1cf26391d987ebb13bc44f914528caa254ed313ab97e3a

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
2202420e062a372980eee3fa80768b94

SHA1
5f4de0343a49760820e753fdb5c5f8edbec65771

SHA256
6e41d8fb35ed28c19a6d3b4009ae91b75fa7643f4fde67145e3870afe2914156

SHA512
3c7164e4df7d512cb571169c83e6d1ece0d91b62f9fb22d716c582357e40aec1cf28e7906c43f3616d3783a6748ad97ee58dd79b68598ca1b5704d4f8162c848

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
cae1934fa65fc3800b7ef35279817bc3

SHA1
ec3b88f5ebff31d307ce0da9bddb49417ac034bb

SHA256
06c4ec3e3991cf2bfe7a22b1a39b7d4723eb49ef1c12f73b4e380956b34e7157

SHA512
e1df230ce6f371097615b77c35c529e7352de1c1d5f1241dbfd48641ca256120a41d68252252f3f8e4eb4bf88ccfb109bd8fbe8e02921badc69eff0d2301f920

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
1b003b277d9b133f2d442bd93e4fe5dd

SHA1
f020744ecd4d1506ac3277cf556529268312c2e2

SHA256
28108a2a4facbb9af9c1a6a93c69ebe4ddbb9d442ffe81fe86c8cb6bd02a5989

SHA512
9f023c20c81844fdb567910a6e9998edd77a7c8fe5bd89bf378250b18efbfcf32172034a104fe81f6df38ea951a38c0e43ead3c2e8ee9d6549caa735964666d9

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
09f9512b965b7286a006fd3236f0ab98

SHA1
b55b4bb249fcd68222d5d890e303312e1b39ab97

SHA256
5fef0872f2ee165a0e4921946b3738d7178c35898ab610f57ff108e6287718b8

SHA512
ef64d03984a9414e227110b9b563e8cbcaee65f21c4240f25449687cf4b1cc63e73bc5bf26a29889219d6b6398708794fd807ebdb5956c0440eb4bda1bf5321c

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-Logs\06-16-2024
Filesize
224B

MD5
35d69b506f6a4fe3981d40946f5543c4

SHA1
cabfdf4a876015cb43b7a13efa21bd08750e303f

SHA256
67d1782772e76f01683d8d0140121947b7a40629d70694ee2e5595575ea0e615

SHA512
8c49aada8dcda3ebe876fefd63b9d04229fe3d2af7f3a66d4d6e90b848489433b9a4e1ebbfca20fcdb8ea947e18050d86f10b1d4bbc2db408c2d31a6453333cc

Download Submit
C:\Users\Admin\AppData\Roaming\$sxr-seroxen2\$sxr-powershell.exe
Filesize
409KB

MD5
b80b8c569a390b124cb7aaae003c8a82

SHA1
c38fc46e835ccbb538f4df122e501d07562553c4

SHA256
49686a0b50103315e6a2a8af78084b9b5eb485ad4767f2d63043d8969ff9bb23

SHA512
75148f5e619eea0b6f44b3e6ecc0d4e6a97775fee2456209d90c002f8baacfa9109b2be90da6afdf0282c7704a9542bb01c6566d383d4a0b587508e4f6fdfb47

Download Submit
memory/1352-4-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/1352-5-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/1352-16-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/1352-8-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/1352-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/1352-7-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/1352-6-0x00000000062E0000-0x00000000062F2000-memory.dmp

Filesize
72KB

Download
memory/1352-1-0x0000000000C80000-0x0000000000CEC000-memory.dmp

Filesize
432KB

Download
memory/1352-2-0x0000000005C10000-0x00000000061B4000-memory.dmp

Filesize
5.6MB

Download
memory/1352-3-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/1524-19-0x0000000005EF0000-0x0000000005EFA000-memory.dmp

Filesize
40KB

Download
memory/1524-24-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/1524-17-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download
memory/1524-15-0x00000000746E0000-0x0000000074E90000-memory.dmp

Filesize
7.7MB

Download