Analysis
- max time kernel: 1049s
- max time network: 1040s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2024 08:08
Behavioral task
- task: behavioral1
- sample: Client-built.exe
- resource: win7-20240220-en
General
- Target: Client-built.exe
- Size: 3.1MB
- MD5: 43d43e073f37fcbce4db2a8efea58450
- SHA1: 24014a045dfda1401b81e63435fdf46963967fd4
- SHA256: e4c6e99ac6e6ddb98b3f0fea20d97c067b593ffdce6d2909ff693d03868e605b
- SHA512: 9c8ca9dee9c24431ea98ce9743cf826b5ba844c339b0cc94ef4261af68f2bf89b7251e1884011e8ff58be5afbebe98b699a243d1cacf83272018baac439ca9bf
- SSDEEP: 49152:3v1t62XlaSFNWPjljiFa2RoUYI4xDEDwNk/JxSoGdk+THHB72eh2NT:3vH62XlaSFNWPjljiFXRoUYI4xWQU
Malware Config
Extracted (the first five values are unlabeled in the raw output; labels follow the Quasar config layout family, version, tag, C2, mutex)
- family: quasar
- version: 1.4.1
- botnet/tag: Office04
- C2: IPv4:4782 (as reported; 4782 is Quasar's default listening port)
- mutex: 865ecc2b-abfd-4e2c-92cb-d87fb0c27dfe
- encryption_key: 4EC818ABEB58692E09D25328E09F987FEC20E0DF
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000 (milliseconds)
- startup_key: Quasar Client Startup
- subdirectory: SubDir

install_name and subdirectory together give the drop path %APPDATA%\SubDir\Client.exe, and startup_key is the scheduled-task name; both match what the process tree below records, so these three values are the ones to pivot on when hunting for other builds from the same operator.
Signatures
Quasar payload (2 IoCs)
resource | yara_rule
- behavioral2/memory/4116-0-0x00000000008D0000-0x0000000000BF4000-memory.dmp | family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | family_quasar
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence. This value is also read when the .NET runtime initialises region information (the Windows GetUserGeoID path), so on its own it is weak evidence of geofencing; weight it together with the other indicators on this page.
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | Client.exe (identical entry repeated 64 times)
Executes dropped EXE (64 IoCs)
pid | process (all Client.exe): 2156, 3268, 2296, 1264, 4128, 3476, 2652, 3192, 2092, 3000, 2824, 2668, 3696, 2116, 1564, 4120, 3876, 1372, 3340, 4384, 1088, 2432, 1136, 4832, 184, 1004, 4236, 3504, 4908, 1160, 1144, 4508, 2648, 1704, 1320, 1096, 3668, 2812, 1820, 1296, 1808, 5008, 3216, 4424, 3688, 5100, 1332, 4056, 3056, 4904, 4024, 3940, 2960, 1784, 2620, 1156, 2532, 644, 2148, 1520, 4608, 3252, 4412, 2664
PIDs are reused within this long run (4908 and 2652, for example, appear here as Client.exe and in the process tree as cmd.exe), so correlate on PID plus start time rather than on PID alone.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 64 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Every invocation in the process tree uses the same command line, /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f; because of /f the repeated creations overwrite one another, so the host ends up with a single task of that name.
pid | process (all schtasks.exe): 4536, 2480, 2632, 808, 3864, 4264, 768, 2428, 2184, 1296, 1928, 3016, 3152, 4520, 2716, 3020, 4540, 1436, 3576, 4492, 3036, 5032, 5112, 3952, 4468, 4736, 2356, 2336, 2696, 2696, 4336, 1904, 4844, 4612, 1704, 3900, 3664, 3472, 1568, 3912, 3424, 3992, 1380, 3320, 688, 3496, 888, 3996, 1212, 1276, 2480, 1480, 4940, 1380, 4732, 1968, 3416, 2532, 2024, 1556, 1480, 3840, 824, 3664 (duplicate PIDs are reuse over the run, not duplicate rows)
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
All three entries come from msedge.exe, not from the sample or its dropped Client.exe, and should not be counted as Quasar behaviour.
Runs ping.exe (1 TTP, 64 IoCs)
Every instance in the process tree runs ping -n 10 localhost, which is a roughly nine-second sleep used by the restart batch file before it relaunches Client.exe; there is no network reconnaissance here.
pid | process (all PING.EXE): 1904, 1560, 1912, 1564, 2540, 2664, 764, 1712, 4988, 3864, 4788, 5068, 3576, 4932, 5108, 5032, 428, 2920, 3544, 2960, 560, 2504, 4528, 4176, 3912, 2204, 348, 1244, 3744, 984, 1556, 1588, 3532, 692, 3928, 2008, 3572, 4936, 984, 2232, 4768, 3940, 1060, 1788, 4616, 1564, 1820, 3544, 4420, 2352, 4252, 1156, 368, 3976, 2804, 2880, 4560, 2196, 4136, 2716, 3964, 5096, 820, 3040
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | process
- 4308 msedge.exe (2 entries)
- 2768 msedge.exe (2 entries)
- 644 identity_helper.exe (2 entries)
- 556 msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | process
- 2768 msedge.exe (7 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token adjusted: SeDebugPrivilege, by the following (pid process):
- 4116 Client-built.exe
- Client.exe: 2156, 3268, 2296, 1264, 4128, 3476, 2652, 3192, 2092, 3000, 2824, 2668, 3696, 2116, 1564, 4120, 3876, 1372, 3340, 4384, 1088, 2432, 1136, 4832, 184, 1004, 4236, 3504, 4908, 1160, 1144, 4508, 2648, 1704, 1320, 1096, 3668, 2812, 1820, 1296, 1808, 5008, 3216, 4424, 3688, 5100, 1332, 4056, 3056, 4904, 4024, 3940, 2960, 1784, 2620, 1156, 2532, 644, 2148, 1520, 4608, 3252, 4412
A binary running from a user-profile path (%TEMP%, %APPDATA%) enabling SeDebugPrivilege is a useful stand-alone hunt condition independent of the Quasar family match.
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | process
- Client.exe: 2156, 3268, 2296
- 2768 msedge.exe (25 entries)
- Client.exe: 1264, 4128, 3476, 2652, 3192, 2092, 3000, 2824, 2668, 3696, 2116, 1564, 4120, 3876, 1372, 3340, 4384, 1088, 2432, 1136, 4832, 184, 1004, 4236, 3504, 4908, 1160, 1144, 4508, 2648, 1704, 1320, 1096, 3668, 2812, 1820
Suspicious use of SendNotifyMessage (64 IoCs)
pid | process
- Client.exe: 2156, 3268, 2296
- 2768 msedge.exe (24 entries)
- Client.exe: 1264, 4128, 3476, 2652, 3192, 2092, 3000, 2824, 2668, 3696, 2116, 1564, 4120, 3876, 1372, 3340, 4384, 1088, 2432, 1136, 4832, 184, 1004, 4236, 3504, 4908, 1160, 1144, 4508, 2648, 1704, 1320, 1096, 3668, 2812, 1820, 1296
Suspicious use of SetWindowsHookEx (64 IoCs)
pid | process (all Client.exe): the same 64 PIDs listed under Executes dropped EXE (the list beginning 2156, 3268, 2296 and ending 4412, 2664). A Windows hook installed by a dropped binary is consistent with Quasar's built-in keylogger, which installs a keyboard hook.
Suspicious use of WriteProcessMemory (64 IoCs)
Each of the sample's process creations appears twice in the raw list; deduplicated here as parent PID process → target PID process:
- 4116 Client-built.exe → 3496 schtasks.exe
- 4116 Client-built.exe → 2156 Client.exe
- 2156 Client.exe → 3472 schtasks.exe
- 2156 Client.exe → 4908 cmd.exe
- 4908 cmd.exe → 3140 chcp.com
- 4908 cmd.exe → 2804 PING.EXE
- 4908 cmd.exe → 3268 Client.exe
- 3268 Client.exe → 888 schtasks.exe
- 3268 Client.exe → 4032 cmd.exe
- 4032 cmd.exe → 1440 chcp.com
- 4032 cmd.exe → 1564 PING.EXE
- 4032 cmd.exe → 2296 Client.exe
- 2296 Client.exe → 3864 schtasks.exe
- 2296 Client.exe → 540 cmd.exe
- 540 cmd.exe → 2980 chcp.com
- 540 cmd.exe → 348 PING.EXE
- 2768 msedge.exe → 4052 msedge.exe (2 entries)
- 2768 msedge.exe → 2444 msedge.exe (the remaining 30 of the 64 entries; browser child processes, not sample activity)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
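The pattern worth detecting in this report is the chain itself rather than any single PID: a schtasks /create for "Quasar Client Startup" pointing at %APPDATA%\SubDir\Client.exe, then a Client.exe that spawns cmd.exe on a randomly named .bat in %TEMP%, which runs chcp 65001, waits on ping -n 10 localhost and relaunches Client.exe, which repeats the cycle. The following Python is an added example, not part of this report and not Quasar's own code. It runs two rules over a small set of process-creation events that I constructed from the process tree below (PIDs, image paths and command lines are copied from the report; the ProcEvent field names and the two "benign control" events are mine): a scheduled task whose /tr target lives in a user-writable directory, and a cmd.exe that sleeps via ping -n N localhost and then relaunches the same image as its own parent.

```python
"""Detect the Quasar schtasks persistence and ping-sleep relaunch chain.

Added example (not from the sandbox report or the Quasar project). EVENTS is
constructed from the report's process tree; the last two events are a benign
control that must not fire.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (depths 1 to 4), plus a benign control.
EVENTS = [
    ProcEvent(4116, 0, r"C:\Users\Admin\AppData\Local\Temp\Client-built.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"'),
    ProcEvent(3496, 4116, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
              r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    ProcEvent(2156, 4116, r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
              r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    ProcEvent(3472, 2156, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
              r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    ProcEvent(4908, 2156, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkU7V1aQcA6T.bat" "'),
    ProcEvent(3140, 4908, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(2804, 4908, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(3268, 4908, r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
              r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    # Benign control (constructed): an admin shell scheduling a Program Files binary.
    ProcEvent(9001, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(9002, 9001, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'),
]

# Directories a standard user can write to; a task target here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads|Public)\\", re.I)
TR_ARG = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
PING_SLEEP = re.compile(r"\bping\b.*?-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)", re.I)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_persistence(ev: ProcEvent):
    """Flag 'schtasks /create' whose /tr target lives in a user-writable path."""
    if image_name(ev.image) != "schtasks.exe" or not re.search(r"/create\b", ev.cmdline, re.I):
        return None
    m = TR_ARG.search(ev.cmdline)
    target = (m.group(1) or m.group(2)) if m else None
    if not target or not USER_WRITABLE.search(target):
        return None
    reasons = ["task target in user-writable directory"]
    if re.search(r"/sc\s+ONLOGON\b", ev.cmdline, re.I):
        reasons.append("runs at every logon")
    if re.search(r"/rl\s+HIGHEST\b", ev.cmdline, re.I):
        reasons.append("asks for the highest run level")
    if re.search(r"\s/f\b", ev.cmdline, re.I):
        reasons.append("/f silently overwrites an existing task of that name")
    return {"rule": "schtasks_user_path_persistence", "pid": ev.pid,
            "target": target, "reasons": reasons}


def ping_sleep_relaunch(events):
    """Flag cmd.exe that sleeps via 'ping -n N localhost' and relaunches its parent's image."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for shell in events:
        if image_name(shell.image) != "cmd.exe":
            continue
        kids = children.get(shell.pid, [])
        pings = [m for m in (PING_SLEEP.search(k.cmdline) for k in kids
                             if image_name(k.image) == "ping.exe") if m]
        parent = by_pid.get(shell.ppid)
        relaunch = [k for k in kids if parent and k.image.lower() == parent.image.lower()]
        if pings and relaunch:
            findings.append({"rule": "ping_sleep_relaunch", "pid": shell.pid,
                             "sleep_pings": int(pings[0].group(1)),
                             "relaunched_pid": relaunch[0].pid,
                             "relaunched_image": relaunch[0].image})
    return findings


def run(events):
    """Run both rules over a batch of process-creation events."""
    findings = [f for f in (schtasks_persistence(e) for e in events) if f]
    findings.extend(ping_sleep_relaunch(events))
    return findings


if __name__ == "__main__":
    for finding in run(EVENTS):
        print(finding)
```

On the report's events this yields two schtasks findings (PIDs 3496 and 3472, target C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, with the ONLOGON, HIGHEST and /f reasons) and one relaunch finding for cmd.exe 4908, which started Client.exe 3268 after ping -n 10 localhost; the Program Files task in the benign control does not fire. The relaunch rule deliberately keys on "child image equals grandparent image" rather than on the file name Client.exe, so it also catches builds that use a different install_name.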
Processes
Indentation below follows the depth markers (1⤵ to 14⤵) of the original tree; each entry lists image path, command line, triggered signatures and PID. Every Client.exe instance re-creates the same logon task and then launches cmd.exe on a randomly named .bat in %TEMP% that runs chcp 65001, waits on ping -n 10 localhost and starts a new Client.exe, which repeats the cycle.

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4116
  C:\Windows\SYSTEM32\schtasks.exe
    command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
    PID: 3496
  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2156
    C:\Windows\SYSTEM32\schtasks.exe
      command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
      PID: 3472
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkU7V1aQcA6T.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 4908
      C:\Windows\system32\chcp.com
        command line: chcp 65001
        PID: 3140
      C:\Windows\system32\PING.EXE
        command line: ping -n 10 localhost
        - Runs ping.exe
        PID: 2804
      C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 3268
        C:\Windows\SYSTEM32\schtasks.exe
          command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Creates scheduled task(s)
          PID: 888
        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mm0MzRF60j1N.bat" "
          - Suspicious use of WriteProcessMemory
          PID: 4032
          C:\Windows\system32\chcp.com
            command line: chcp 65001
            PID: 1440
          C:\Windows\system32\PING.EXE
            command line: ping -n 10 localhost
            - Runs ping.exe
            PID: 1564
          C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 2296
            C:\Windows\SYSTEM32\schtasks.exe
              command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              - Creates scheduled task(s)
              PID: 3864
            C:\Windows\system32\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3GwhBWdwhVCF.bat" "
              - Suspicious use of WriteProcessMemory
              PID: 540
              C:\Windows\system32\chcp.com
                command line: chcp 65001
                PID: 2980
              C:\Windows\system32\PING.EXE
                command line: ping -n 10 localhost
                - Runs ping.exe
                PID: 348
              C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                - Suspicious use of SetWindowsHookEx
                PID: 1264
                C:\Windows\SYSTEM32\schtasks.exe
                  command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                  - Creates scheduled task(s)
                  PID: 4736
                C:\Windows\system32\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lz4qpoWoZBv4.bat" "
                  PID: 2652
                  C:\Windows\system32\chcp.com
                    command line: chcp 65001
                    PID: 1980
                  C:\Windows\system32\PING.EXE
                    command line: ping -n 10 localhost
                    - Runs ping.exe
                    PID: 1588
                  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                    command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                    - Suspicious use of SetWindowsHookEx
                    PID: 4128
                    C:\Windows\SYSTEM32\schtasks.exe
                      command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                      - Creates scheduled task(s)
                      PID: 3416
                    C:\Windows\system32\cmd.exe
                      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awpTWIQ3Ao2t.bat" "
                      PID: 4292
                      C:\Windows\system32\chcp.com
                        command line: chcp 65001
                        PID: 232
                      C:\Windows\system32\PING.EXE
                        command line: ping -n 10 localhost
                        - Runs ping.exe
                        PID: 5096
                      C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                        command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                        - Executes dropped EXE
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of FindShellTrayWindow
                        - Suspicious use of SendNotifyMessage
                        - Suspicious use of SetWindowsHookEx
                        PID: 3476
                        C:\Windows\SYSTEM32\schtasks.exe
                          command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                          - Creates scheduled task(s)
                          PID: 2532
                        C:\Windows\system32\cmd.exe
                          command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s7z38wn2exAs.bat" "
                          PID: 1372
                          C:\Windows\system32\chcp.com
                            command line: chcp 65001
                            PID: 1136
                          C:\Windows\system32\PING.EXE
                            command line: ping -n 10 localhost
                            - Runs ping.exe
                            PID: 4252
                          C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                            command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                            - Checks computer location settings
                            - Executes dropped EXE
                            - Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2652 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f15⤵
- Creates scheduled task(s)
PID:4336 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w1Thgxum07Et.bat" "15⤵PID:3800
-
C:\Windows\system32\chcp.comchcp 6500116⤵PID:2620
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- Runs ping.exe
PID:1564 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3192 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f17⤵
- Creates scheduled task(s)
PID:768 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rDMRB38jznys.bat" "17⤵PID:4992
-
C:\Windows\system32\chcp.comchcp 6500118⤵PID:1300
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- Runs ping.exe
PID:1820 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2092 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f19⤵
- Creates scheduled task(s)
PID:4520 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yxvWEkyMvlZQ.bat" "19⤵PID:1120
-
C:\Windows\system32\chcp.comchcp 6500120⤵PID:8
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- Runs ping.exe
PID:3544 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3000 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f21⤵
- Creates scheduled task(s)
PID:1568 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Jv9IdYEds83.bat" "21⤵PID:1880
-
C:\Windows\system32\chcp.comchcp 6500122⤵PID:516
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- Runs ping.exe
PID:3576 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2824 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f23⤵PID:748
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sPJzPEa4XuyN.bat" "23⤵PID:1004
-
C:\Windows\system32\chcp.comchcp 6500124⤵PID:3104
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵PID:1480
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2668 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f25⤵
- Creates scheduled task(s)
PID:2480 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\u93aVAloAn82.bat" "25⤵PID:2200
-
C:\Windows\system32\chcp.comchcp 6500126⤵PID:1752
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- Runs ping.exe
PID:3532 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3696 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f27⤵PID:2716
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JPjOSvg8M1oY.bat" "27⤵PID:1500
-
C:\Windows\system32\chcp.comchcp 6500128⤵PID:1928
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- Runs ping.exe
PID:2880 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2116 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f29⤵PID:2728
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygF2GaoLcvxj.bat" "29⤵PID:4428
-
C:\Windows\system32\chcp.comchcp 6500130⤵PID:2560
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵PID:4608
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1564 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f31⤵
- Creates scheduled task(s)
PID:5032 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puBCyHfGr1jl.bat" "31⤵PID:2068
-
C:\Windows\system32\chcp.comchcp 6500132⤵PID:808
-
C:\Windows\system32\PING.EXEping -n 10 localhost32⤵
- Runs ping.exe
PID:764 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4120 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f33⤵
- Creates scheduled task(s)
PID:1480 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xG8kpga5wxOa.bat" "33⤵PID:3404
-
C:\Windows\system32\chcp.comchcp 6500134⤵PID:2632
-
C:\Windows\system32\PING.EXEping -n 10 localhost34⤵
- Runs ping.exe
PID:1712 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3876 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f35⤵PID:3504
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QnUd0LbzFzDI.bat" "35⤵PID:3252
-
C:\Windows\system32\chcp.comchcp 6500136⤵PID:4164
-
C:\Windows\system32\PING.EXEping -n 10 localhost36⤵
- Runs ping.exe
PID:4932 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1372 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f37⤵
- Creates scheduled task(s)
PID:4940 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s1wsgcuesQmj.bat" "37⤵PID:4984
-
C:\Windows\system32\chcp.comchcp 6500138⤵PID:2880
-
C:\Windows\system32\PING.EXEping -n 10 localhost38⤵PID:4848
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3340 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f39⤵
- Creates scheduled task(s)
PID:4844 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMu95kelxktO.bat" "39⤵PID:4340
-
C:\Windows\system32\chcp.comchcp 6500140⤵PID:5016
-
C:\Windows\system32\PING.EXEping -n 10 localhost40⤵
- Runs ping.exe
PID:4988 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4384 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f41⤵
- Creates scheduled task(s)
PID:3912 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JXL9N99BmUKL.bat" "41⤵PID:2736
-
C:\Windows\system32\chcp.comchcp 6500142⤵PID:3604
-
C:\Windows\system32\PING.EXEping -n 10 localhost42⤵
- Runs ping.exe
PID:4936 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1088 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f43⤵PID:3968
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DWuAftv5Uzpz.bat" "43⤵PID:1332
-
C:\Windows\system32\chcp.comchcp 6500144⤵PID:5104
-
C:\Windows\system32\PING.EXEping -n 10 localhost44⤵PID:1060
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2432 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f45⤵PID:3640
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mm6WKDeVe8B0.bat" "45⤵PID:1316
-
C:\Windows\system32\chcp.comchcp 6500146⤵PID:2176
-
C:\Windows\system32\PING.EXEping -n 10 localhost46⤵
- Runs ping.exe
PID:2716 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"46⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1136 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f47⤵
- Creates scheduled task(s)
PID:1296 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMtuBst5W6c3.bat" "47⤵PID:3920
-
C:\Windows\system32\chcp.comchcp 6500148⤵PID:1556
-
C:\Windows\system32\PING.EXEping -n 10 localhost48⤵
- Runs ping.exe
PID:2540 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"48⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4832 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f49⤵
- Creates scheduled task(s)
PID:3424 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7A1K1hdqGyGp.bat" "49⤵PID:1560
-
C:\Windows\system32\chcp.comchcp 6500150⤵PID:4740
-
C:\Windows\system32\PING.EXEping -n 10 localhost50⤵PID:2560
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"50⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:184 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f51⤵
- Creates scheduled task(s)
PID:1380 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lLOFUBMk98a9.bat" "51⤵PID:820
-
C:\Windows\system32\chcp.comchcp 6500152⤵PID:4768
-
C:\Windows\system32\PING.EXEping -n 10 localhost52⤵PID:3684
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1004 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f53⤵
- Creates scheduled task(s)
PID:4612 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8B0qgsTUxtpH.bat" "53⤵PID:4960
-
C:\Windows\system32\chcp.comchcp 6500154⤵PID:4580
-
C:\Windows\system32\PING.EXEping -n 10 localhost54⤵
- Runs ping.exe
PID:2664 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4236 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f55⤵
- Creates scheduled task(s)
PID:4732 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RMOodd1YfXWi.bat" "55⤵PID:4216
-
C:\Windows\system32\chcp.comchcp 6500156⤵PID:3100
-
C:\Windows\system32\PING.EXEping -n 10 localhost56⤵
- Runs ping.exe
PID:1904 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"56⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3504 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f57⤵
- Creates scheduled task(s)
PID:1704 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5tRAchK8SaCp.bat" "57⤵PID:684
-
C:\Windows\system32\chcp.comchcp 6500158⤵PID:868
-
C:\Windows\system32\PING.EXEping -n 10 localhost58⤵PID:984
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"58⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4908 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f59⤵
- Creates scheduled task(s)
PID:1928 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\olY9Ujm3csOb.bat" "59⤵PID:592
-
C:\Windows\system32\chcp.comchcp 6500160⤵PID:3980
-
C:\Windows\system32\PING.EXEping -n 10 localhost60⤵
- Runs ping.exe
PID:1244 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"60⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1160 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f61⤵PID:3912
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iI7og5cXeZq6.bat" "61⤵PID:780
-
C:\Windows\system32\chcp.comchcp 6500162⤵PID:2160
-
C:\Windows\system32\PING.EXEping -n 10 localhost62⤵
- Runs ping.exe
PID:820 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1144 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f63⤵
- Creates scheduled task(s)
PID:5112 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pGr6yMO1HJM2.bat" "63⤵PID:3040
-
C:\Windows\system32\chcp.comchcp 6500164⤵PID:4888
-
C:\Windows\system32\PING.EXEping -n 10 localhost64⤵
- Runs ping.exe
PID:4560 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4508 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f65⤵PID:5036
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0st1bD2pP7c.bat" "65⤵PID:4312
-
C:\Windows\system32\chcp.comchcp 6500166⤵PID:3280
-
C:\Windows\system32\PING.EXEping -n 10 localhost66⤵
- Runs ping.exe
PID:3864 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"66⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2648 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f67⤵
- Creates scheduled task(s)
PID:4264 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkpWj0B5E6eI.bat" "67⤵PID:1904
-
C:\Windows\system32\chcp.comchcp 6500168⤵PID:3308
-
C:\Windows\system32\PING.EXEping -n 10 localhost68⤵
- Runs ping.exe
PID:2960 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"68⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1704 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f69⤵
- Creates scheduled task(s)
PID:3664 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I7HCL1ZVUrLG.bat" "69⤵PID:648
-
C:\Windows\system32\chcp.comchcp 6500170⤵PID:4916
-
C:\Windows\system32\PING.EXEping -n 10 localhost70⤵
- Runs ping.exe
PID:984 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"70⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1320 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f71⤵
- Creates scheduled task(s)
PID:3992 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RO0zp9BPxF5N.bat" "71⤵PID:4184
-
C:\Windows\system32\chcp.comchcp 6500172⤵PID:1612
-
C:\Windows\system32\PING.EXEping -n 10 localhost72⤵
- Runs ping.exe
PID:2232 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"72⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1096 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f73⤵
- Creates scheduled task(s)
PID:1380 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tPogVe1y9gvb.bat" "73⤵PID:5032
-
C:\Windows\system32\chcp.comchcp 6500174⤵PID:4016
-
C:\Windows\system32\PING.EXEping -n 10 localhost74⤵
- Runs ping.exe
PID:1156 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"74⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3668 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f75⤵
- Creates scheduled task(s)
PID:2428 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v09FuOrDQnhD.bat" "75⤵PID:4424
-
C:\Windows\system32\chcp.comchcp 6500176⤵PID:4852
-
C:\Windows\system32\PING.EXEping -n 10 localhost76⤵
- Runs ping.exe
PID:3040 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"76⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2812 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f77⤵PID:2396
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QNyimXX3UWes.bat" "77⤵PID:4528
-
C:\Windows\system32\chcp.comchcp 6500178⤵PID:5076
-
C:\Windows\system32\PING.EXEping -n 10 localhost78⤵PID:4420
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"78⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1820 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f79⤵PID:764
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYjC2kZAkC1l.bat" "79⤵PID:1584
-
C:\Windows\system32\chcp.comchcp 6500180⤵PID:4116
-
C:\Windows\system32\PING.EXEping -n 10 localhost80⤵
- Runs ping.exe
PID:560 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"80⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1296 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f81⤵
- Creates scheduled task(s)
PID:1904 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAjcSsSOmWP3.bat" "81⤵PID:1540
-
C:\Windows\system32\chcp.comchcp 6500182⤵PID:224
-
C:\Windows\system32\PING.EXEping -n 10 localhost82⤵
- Runs ping.exe
PID:5108 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"82⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1808 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f83⤵PID:1456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bab0m7lPA4tA.bat" "83⤵PID:4056
-
C:\Windows\system32\chcp.comchcp 6500184⤵PID:1612
-
C:\Windows\system32\PING.EXEping -n 10 localhost84⤵
- Runs ping.exe
PID:1560 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"84⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5008 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f85⤵
- Creates scheduled task(s)
PID:3900 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eTeub1VQ80xO.bat" "85⤵PID:1092
-
C:\Windows\system32\chcp.comchcp 6500186⤵PID:1360
-
C:\Windows\system32\PING.EXEping -n 10 localhost86⤵
- Runs ping.exe
PID:4768 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"86⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3216 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f87⤵PID:688
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5rJif0f7NLm1.bat" "87⤵PID:4484
-
C:\Windows\system32\chcp.comchcp 6500188⤵PID:4764
-
C:\Windows\system32\PING.EXEping -n 10 localhost88⤵
- Runs ping.exe
PID:3744 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"88⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4424 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f89⤵PID:2844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xv3ro4xbvGnA.bat" "89⤵PID:3824
-
C:\Windows\system32\chcp.comchcp 6500190⤵PID:1940
-
C:\Windows\system32\PING.EXEping -n 10 localhost90⤵
- Runs ping.exe
PID:4420 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"90⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3688 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f91⤵
- Creates scheduled task(s)
PID:4536 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zYRNXskmIS2t.bat" "91⤵PID:3636
-
C:\Windows\system32\chcp.comchcp 6500192⤵PID:1356
-
C:\Windows\system32\PING.EXEping -n 10 localhost92⤵
- Runs ping.exe
PID:3940 -
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 92, PID 5100]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 93, PID 2480]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 93, PID 1948]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I14KuIZVORfg.bat" "
C:\Windows\system32\chcp.com  [depth 94, PID 3016]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 94, PID 984]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 94, PID 1332]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 95, PID 3020]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 95, PID 2264]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XMpDxhVHTM4U.bat" "
C:\Windows\system32\chcp.com  [depth 96, PID 1368]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 96, PID 2196]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 96, PID 4056]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 97, PID 2696]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 97, PID 1360]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZpqJ77GVHRje.bat" "
C:\Windows\system32\chcp.com  [depth 98, PID 684]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 98, PID 1556]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 98, PID 3056]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 99, PID 1212]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 99, PID 3312]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEpeDo5jWINd.bat" "
C:\Windows\system32\chcp.com  [depth 100, PID 1744]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 100, PID 368]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 100, PID 4904]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 101, PID 4764]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe  [depth 101, PID 4376]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XpF8aknJbNP2.bat" "
C:\Windows\system32\chcp.com  [depth 102, PID 5036]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 102, PID 4788]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 102, PID 4024]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 103, PID 3512]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe  [depth 103, PID 4312]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZykcNsaEEdZ1.bat" "
C:\Windows\system32\chcp.com  [depth 104, PID 2904]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 104, PID 4428]
    cmdline: ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 104, PID 3940]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 105, PID 2716]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 105, PID 224]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQSWa3Q8Gs8k.bat" "
C:\Windows\system32\chcp.com  [depth 106, PID 4080]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 106, PID 5032]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 106, PID 2960]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 107, PID 2356]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 107, PID 1176]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bm8dmFdkYzd0.bat" "
C:\Windows\system32\chcp.com  [depth 108, PID 1368]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 108, PID 1280]
    cmdline: ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 108, PID 1784]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 109, PID 4540]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 109, PID 2352]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clR837vKcOeg.bat" "
C:\Windows\system32\chcp.com  [depth 110, PID 4292]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 110, PID 3912]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 110, PID 2620]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 111, PID 2024]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 111, PID 820]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M7QSLyqjcEXx.bat" "
C:\Windows\system32\chcp.com  [depth 112, PID 4592]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 112, PID 4136]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 112, PID 1156]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 113, PID 1244]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe  [depth 113, PID 4580]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwNmjQX7Dymm.bat" "
C:\Windows\system32\chcp.com  [depth 114, PID 4392]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 114, PID 2504]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 114, PID 2532]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 115, PID 2632]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 115, PID 4176]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwiCGjLp25UL.bat" "
C:\Windows\system32\chcp.com  [depth 116, PID 3512]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 116, PID 4528]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 116, PID 644]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 117, PID 4552]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe  [depth 117, PID 440]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tjqdt954OVRk.bat" "
C:\Windows\system32\chcp.com  [depth 118, PID 4588]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 118, PID 1912]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 118, PID 2148]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 119, PID 3664]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 119, PID 1560]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oq9GOOc3RbMc.bat" "
C:\Windows\system32\chcp.com  [depth 120, PID 2312]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 120, PID 3416]
    cmdline: ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 120, PID 1520]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 121, PID 2696]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 121, PID 2132]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i03aZjOCgreT.bat" "
C:\Windows\system32\chcp.com  [depth 122, PID 516]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 122, PID 3572]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 122, PID 4608]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 123, PID 1556]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 123, PID 3928]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skp9jQd46cO0.bat" "
C:\Windows\system32\chcp.com  [depth 124, PID 4340]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 124, PID 2204]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 124, PID 3252]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 125, PID 1276]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 125, PID 428]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5QuUrATNmB05.bat" "
C:\Windows\system32\chcp.com  [depth 126, PID 4884]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 126, PID 3744]
    cmdline: ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 126, PID 4412]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 127, PID 1480]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 127, PID 3996]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5FF6icaE2oMN.bat" "
C:\Windows\system32\chcp.com  [depth 128, PID 1568]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 128, PID 4176]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 128, PID 2664]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
C:\Windows\SYSTEM32\schtasks.exe  [depth 129, PID 4468]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 129, PID 4636]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hv8L6amCyDFq.bat" "
C:\Windows\system32\chcp.com  [depth 130, PID 3924]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 130, PID 2920]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 130, PID 4868]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 131, PID 2184]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 131, PID 1048]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wY9pDXyfPtU9.bat" "
C:\Windows\system32\chcp.com  [depth 132, PID 3980]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 132, PID 692]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 132, PID 2372]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 133, PID 2336]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 133, PID 4124]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIoQo40EpJsb.bat" "
C:\Windows\system32\chcp.com  [depth 134, PID 5108]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 134, PID 2352]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 134, PID 2132]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 135, PID 3320]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 135, PID 2640]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZoPgdkKjbTG8.bat" "
C:\Windows\system32\chcp.com  [depth 136, PID 3132]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 136, PID 3964]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 136, PID 3772]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 137, PID 3840]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 137, PID 4624]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F7iYci7WmYxg.bat" "
C:\Windows\system32\chcp.com  [depth 138, PID 2704]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 138, PID 428]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 138, PID 5084]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 139, PID 1436]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 139, PID 1584]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M463dp4q1sui.bat" "
C:\Windows\system32\chcp.com  [depth 140, PID 4216]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 140, PID 5068]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 140, PID 5076]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 141, PID 3996]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 141, PID 4804]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RDKg3mBqPxb7.bat" "
C:\Windows\system32\chcp.com  [depth 142, PID 2020]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 142, PID 1060]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 142, PID 4364]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 143, PID 3016]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 143, PID 2140]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EntoGr2DrIFo.bat" "
C:\Windows\system32\chcp.com  [depth 144, PID 4092]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 144, PID 1788]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 144, PID 4572]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 145, PID 824]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 145, PID 900]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQQkp28js9Me.bat" "
C:\Windows\system32\chcp.com  [depth 146, PID 5108]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 146, PID 4616]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 146, PID 984]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe  [depth 147, PID 3576]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 147, PID 4292]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WjzkgoSc7SKI.bat" "
C:\Windows\system32\chcp.com  [depth 148, PID 2204]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 148, PID 3928]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 148, PID 2176]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 149, PID 688]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 149, PID 1276]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PhJ6dTky4nDf.bat" "
C:\Windows\system32\chcp.com  [depth 150, PID 1888]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 150, PID 4204]
    cmdline: ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 150, PID 1312]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 151, PID 3152]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 151, PID 888]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XzuIaMqbEnNv.bat" "
C:\Windows\system32\chcp.com  [depth 152, PID 976]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 152, PID 3444]
    cmdline: ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 152, PID 1876]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe  [depth 153, PID 4492]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 153, PID 4520]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TVHlfDKSIJNd.bat" "
C:\Windows\system32\chcp.com  [depth 154, PID 2856]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 154, PID 4924]
    cmdline: ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 154, PID 3924]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 155, PID 1968]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 155, PID 932]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ANhQVpmccVhs.bat" "
C:\Windows\system32\chcp.com  [depth 156, PID 3972]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 156, PID 3980]
    cmdline: ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 156, PID 4644]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 157, PID 3036]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 157, PID 1048]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUV2NAnyHDyF.bat" "
C:\Windows\system32\chcp.com  [depth 158, PID 3100]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 158, PID 2008]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 158, PID 3992]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 159, PID 5064]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe  [depth 159, PID 1304]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fgsRoHwkxFRy.bat" "
C:\Windows\system32\chcp.com  [depth 160, PID 780]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 160, PID 404]
    cmdline: ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 160, PID 2368]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 161, PID 3952]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 161, PID 2752]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l8JYJ3LW7GsA.bat" "
C:\Windows\system32\chcp.com  [depth 162, PID 2096]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 162, PID 3544]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 162, PID 4392]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Checks computer location settings
C:\Windows\SYSTEM32\schtasks.exe  [depth 163, PID 808]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe  [depth 163, PID 2880]
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HUgfSbEEDR8O.bat" "
C:\Windows\system32\chcp.com  [depth 164, PID 5056]
    cmdline: chcp 65001
C:\Windows\system32\PING.EXE  [depth 164, PID 3976]
    cmdline: ping -n 10 localhost
    - Runs ping.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  [depth 164, PID 3864]
    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe  [depth 165, PID 2480]
    cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
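The chain above is one unit repeated dozens of times: each Client.exe re-registers the "Quasar Client Startup" task (ONLOGON trigger, /rl HIGHEST, action in AppData\Roaming\SubDir), drops a .bat into Temp that sets the code page, sleeps with ping -n 10 localhost, and launches Client.exe again one level deeper. The following is an added example, not code from the report or from Quasar: it parses process-tree lines in the fused form this page was extracted in (image path, command line, tree depth and PID run together) and applies two detection rules of its own. The sample lines are copied from the iteration at the top of this section; the depth-splitting heuristic and the rule criteria are the example's assumptions, not the sandbox's signatures.

```python
"""Parse report-style process-tree lines and flag the Quasar logon task and restart loop.
Added example, not code from the report or from Quasar; the depth-splitting heuristic and
the two rules are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ARROW = "⤵"  # in the fused lines this separates "<cmdline><depth>" from "PID:<pid>"

# Constructed sample: one loop iteration, copied from the report above in its fused form
SAMPLE = r'''
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"88⤵PID:4424 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f89⤵PID:2844
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xv3ro4xbvGnA.bat" "89⤵PID:3824
C:\Windows\system32\chcp.comchcp 6500190⤵PID:1940
C:\Windows\system32\PING.EXEping -n 10 localhost90⤵PID:4420
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"90⤵PID:3688
'''

# image path up to the first ".exe"/".com", then the command line with the depth glued on, then the PID
LINE_RE = re.compile(r"^(?P<image>.+?\.(?:exe|com))(?P<rest>.*?)" + ARROW + r"PID:(?P<pid>\d+)\s*-?\s*$", re.I)


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def split_depth(rest: str, prev_depth: Optional[int]):
    """'chcp 65001' at depth 90 arrives as 'chcp 6500190'. Take the longest all-digit suffix
    that is a legal depth (1..prev_depth+1): a node sits at most one level below its predecessor."""
    m = re.search(r"\d+$", rest)
    if not m:
        raise ValueError(f"no depth at end of {rest!r}")
    digits, best = m.group(), 0
    for n in range(1, len(digits) + 1):
        d = int(digits[-n:])
        if d >= 1 and (prev_depth is None or d <= prev_depth + 1):
            best = n
    if best == 0:
        raise ValueError(f"no legal depth at end of {rest!r}")
    return rest[:-best].strip(), int(digits[-best:])


def parse_tree(text: str) -> List[Proc]:
    """Parse the lines and link parents to children through the depth column."""
    procs, stack, prev = [], [], None
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        cmdline, depth = split_depth(m["rest"], prev)
        p = Proc(m["image"], cmdline, depth, int(m["pid"]))
        while stack and stack[-1].depth >= depth:  # pop until the nearest shallower node
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
        prev = depth
    return procs


def rule_logon_task(p: Proc) -> Optional[str]:
    """schtasks /create with an ONLOGON trigger, highest run level and an action under AppData\\Roaming."""
    c = p.cmdline.lower()
    if not (p.image.lower().endswith("schtasks.exe") and "/create" in c):
        return None
    tr = re.search(r'/tr\s+"([^"]+)"', p.cmdline)
    if tr and "/sc onlogon" in c and "/rl highest" in c and "\\appdata\\roaming\\" in tr.group(1).lower():
        return f"pid {p.pid}: logon task with highest run level launching {tr.group(1)}"
    return None


def rule_restart_loop(p: Proc) -> Optional[str]:
    """cmd.exe /c <Temp .bat> whose children sleep with ping and relaunch the image of cmd's own parent."""
    if p.parent is None or not p.image.lower().endswith("cmd.exe"):
        return None
    bat = re.search(r'[^"\s]+\\temp\\[^"]+\.bat', p.cmdline, re.I)
    if not bat:
        return None
    ping = next((k for k in p.children if k.image.lower().endswith("ping.exe") and "localhost" in k.cmdline.lower()), None)
    relaunch = next((k for k in p.children if k.image.lower() == p.parent.image.lower()), None)
    if not (ping and relaunch):
        return None
    n = re.search(r"-n\s+(\d+)", ping.cmdline)
    delay = int(n.group(1)) - 1 if n else 0  # ping pauses about one second between echoes
    return f"pid {p.pid}: {bat.group()} sleeps ~{delay}s then relaunches {relaunch.image} as pid {relaunch.pid}"


def analyse(text: str):
    """Return (processes, findings) for a block of fused tree lines."""
    procs = parse_tree(text)
    findings = [hit for p in procs for rule in (rule_logon_task, rule_restart_loop) if (hit := rule(p))]
    return procs, findings
```

Run over the six sample lines, analyse() yields one finding for the schtasks call (PID 2844) and one for the cmd.exe/.bat wrapper (PID 3824); on the full tree the second rule fires once per iteration, which is the signal that distinguishes this restart loop from a single dropper-plus-task pattern. The depth heuristic is needed only because the extraction fused the numbers; a clean export of the tree would carry the depth in its own column.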
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 1, PID 2768]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 4052]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffca7b346f8,0x7ffca7b34708,0x7ffca7b34718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 2444]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2016 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 4308]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 2272]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 3508]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 4128]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 4032]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 544]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [depth 2, PID 4172]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [depth 2, PID 644]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 2516]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 2728]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 3432]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 556]
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,12632512858528116455,16563448713251792529,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3088 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe  [depth 1, PID 4764]
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe  [depth 1, PID 888]
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
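To check a live host for the task this chain keeps re-creating, inspect the task definition rather than the process tree: schtasks stores each task as an XML file under C:\Windows\System32\Tasks, and the ONLOGON trigger, /rl HIGHEST and /tr path from the command line above land in that file as a LogonTrigger element, a RunLevel of HighestAvailable and an Exec/Command. The example below is added here and is not part of the report or of Quasar. Both task documents in it are constructed: one matches the schtasks command line shown in the tree, the other is a hypothetical vendor updater used as a benign contrast; the list of user-writable directories is the example's own assumption.

```python
"""Hunt scheduled-task XML files for the persistence seen in this report: a logon trigger,
RunLevel HighestAvailable and an action that lives in a user-writable directory.
Added example, not part of the report; both task documents below are constructed."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Tuple

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task XML of the shape schtasks writes for
#   /create /tn "Quasar Client Startup" /sc ONLOGON /tr "...\SubDir\Client.exe" /rl HIGHEST
QUASAR_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign counterpart (hypothetical vendor updater): logon trigger too, but least
# privilege and an action under Program Files
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\ExampleVendor\\Updater.exe</Command></Exec></Actions>
</Task>"""

# Directories an unprivileged user can write to; this list is the example's assumption
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def assess_task(xml_data) -> Dict[str, object]:
    """Pull the trigger, run level and Exec commands out of one task document (str or bytes)."""
    root = ET.fromstring(xml_data)
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    user_paths = [c for c in commands if USER_WRITABLE.search(c)]
    return {
        "logon_trigger": logon,
        "highest": run_level == "HighestAvailable",
        "commands": commands,
        "suspicious": logon and run_level == "HighestAvailable" and bool(user_paths),
    }


def scan_tasks_dir(tasks_dir: str = r"C:\Windows\System32\Tasks") -> List[Tuple[str, List[str]]]:
    """Walk the on-disk task store (the files are UTF-16 XML; ElementTree reads them as bytes)
    and return (path, commands) for every task that matches the pattern."""
    hits = []
    for f in Path(tasks_dir).rglob("*"):
        if not f.is_file():
            continue
        try:
            result = assess_task(f.read_bytes())
        except ET.ParseError:
            continue  # folders of the store also hold non-XML entries
        if result["suspicious"]:
            hits.append((str(f), result["commands"]))
    return hits
```

assess_task() flags the constructed Quasar task and clears the updater even though both fire at logon: the combination of highest run level and an action under a user-writable path is what makes the first one worth a look. scan_tasks_dir() needs to run elevated to read the whole store; the task name itself ("Quasar Client Startup") is deliberately not part of the rule, since the name is trivially changed in the builder.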
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 8f0271a63446aef01cf2bfc7b7c7976b
  SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
- Filesize: 152B
  MD5: 9f44d6f922f830d04d7463189045a5a3
  SHA1: 2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c
  SHA256: 0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a
  SHA512: 7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d
- Filesize: 6KB
  MD5: da4245f7fe40fcf4174594b7b621081c
  SHA1: 6ccb7328e41d1cc0304d0af720279ce72792e2eb
  SHA256: 8dfb3c7bfec73dccdac6b10a8ac27a4a59f8b277c8d039a71ea9a98aed423452
  SHA512: aabd711cb862dce56ebdf52b9ac355268880c99b9721bf7f05b50f8a897e6b89a4e937095fdfc0120a918110b8af790e87bc7bf203ffcf4059684b3ffbfa7428
- Filesize: 6KB
  MD5: d60765acccd0683bde8a764bd7f97056
  SHA1: 4869b9225bc5f2f6e2c29afd34b52807bbebd0f2
  SHA256: 2c275ad49d43ee28a414783f9612eea7a1e73277fed766ddaa335595cf188aad
  SHA512: f0ebd2757bf6b4a8c5ce47ce4a6d02ef4f46db70bf9a268373730a1b50e9594da07dc47cbce8341c01c0af8b32bfca4cc297cc155fff8667f2f77e97a9c7039b
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: bab6fc1286a7c5812701138ef0d2ba1c
  SHA1: 174165e63da3a8799f32d5c30f8fea6bf9d46fd6
  SHA256: 3c85db7c72cbb6f82bda50961c918e8205a67a63e28e61cf240f8fe2b9d37d74
  SHA512: e0e01bcd7b9fc883b5a514d39fad9a7ceca8169652a459feba237ff6eef17116b53227e02014bb0f938c31227cb328ab49336463b055c101541049a5babdbb6b
- Filesize: 207B
  MD5: f60fb8aa3acbc361721bc3a91387e2f6
  SHA1: 4715abc222def7779b28cee44d1f9c2a29f8604f
  SHA256: 2e2ab93c371e39b2ac23f2bf932f1857cb92a9b88ca2df0f972280585c2cd174
  SHA512: 9c4e9537ccba4f66b0d72de7d8142b1e45809e48b3e1bd0da30d7e44dd5c1e9c5dcf22e9a11416f9be66373f99cf285a8e801b5cd89ece3f0fdf8dd159fe9589
- Filesize: 207B
  MD5: ece69f4ee6053482f020b4af355faf0a
  SHA1: 63ddb9ba47820b62022fd0c3461f61e09143cdbc
  SHA256: 18ddd9c3ded914b817dc1382bc11edcf26edc6a51c2770a8b8b5368a84f61163
  SHA512: 3a8aa7affeba047d42cb2791cd9e305b4b4993466c6315b8432c6047e5d131fff95ce5bad6e3987d1c8553a5bd0f52ec97f687ce1a606ccd4508f1d52f46f89b
- Filesize: 207B
  MD5: 0e3a2dbb5b51301b32e076883e4a4c4a
  SHA1: 53bf254e366cb2417b0d4cee216a4b0e895871bb
  SHA256: a389848dabec268340237d5637d09a937d8a4b766fa3c64fa926a3d7ce8ac3e7
  SHA512: 3bb421a51f5f77d03437d633dd64be6953420a21e95e17fd8c0a676636553a07d487465170a0b21e2bc49cd514028cc8fe647c5a51e1095a601cca4ddb4e02f8
- Filesize: 207B
  MD5: b900ec11aa6c091d0fd2a26c8fbe3fe6
  SHA1: c3183d0ecf2508c215c9f12ac6e2eccafbcec6e9
  SHA256: 95f2bbde928020dc8427d1e189e1c0a375ced77be71604f500e9d955fb13b3d6
  SHA512: 9accf60dd21f903478a115dca0ef1475fac2f81f95c12288bd1327b44f4a6051dcfa9bcfb057febceefb74c951f322be072308eb2dfd2c0408cf826c63ae3130
- Filesize: 207B
  MD5: b5d0f6f68124c386a51e082bddb91a8d
  SHA1: d1ef12d6267347ef1c8279b137ac4a460570f3b6
  SHA256: 9033a398ba91f65b4177cc2f768ccca123c889d9edfe050f1bdf46c0da77d7f2
  SHA512: a19f2ae879d514aa439254e2878087a93471ecbe53ee0abe1f82b4759f32d3eec33f646f4f161b7270de4a04fa5866abc2f25b8e8a95e8cf906a55619af4add7
-
Filesize
207B
MD545a40cce41054509d0bea51e18f92a89
SHA12a29cbdf41ea5a6ccf03dd2fb7dbf08a6925d22f
SHA2562c420911ff2c7078a41edbfcd5a6173a7edc08177ad1b1ee4ddfc7a873a21645
SHA5127577ce854a3c7ec5a6d2dcd1cfd30e831ce2398e2d692c362b1249d13984329ca349989bf9748525f631a3308ac893ff19a50c3ccdc24a32cb1f48c6a68b78df
-
Filesize
207B
MD50b316a400c9f586fcf1230ba8cdd237f
SHA107901c29d1db63d94dd17762af121a8acb2799a4
SHA256c60c876a20c8704638ca7c20053639e85e82364e37de4c02cca3a5b021b65af4
SHA5127ef46d4ab4c6b0281c21e878e91eb5d8b65cbcbc9e95cc2e94c940b71d5badef105bdc0331e901c112a7d9aabe9eaaaa6bd1525a13a3c3a20c32ef14d6e8c489
-
Filesize
207B
MD56f7f71d890d973504f2453b7383138d1
SHA1768710629cfe2fed8f70b98d764f678e8dd77f79
SHA2567bfae1e0835a8239663d455dc719699d15df60c48e2c0cdb76a49f4de3d5fff0
SHA512424cb54426b9b25158a500f2c6284c765797562713ae070ded1e99335938c67ec7b3d58d312dfc581f31dab8784771b48739a6364ea392a6c80516ae7dae0624
-
Filesize
207B
MD52fd1388e81e3360ce12d8f73c1636053
SHA16a7fd04f461f246f67bfeda4fec218164c33a5eb
SHA25673af8e03ea69957a648dfe07a55a175cf69e7ccbb97385afdb297bb826e8e750
SHA5129bf6735561a24307b6a1ea55d6c1bd7e8ca1b0f209cf959724ad8af68bee77ec8b75b59c39d249b7ee044c40e40efa46963e319d5f90f9ed7c6d07370f2b8d54
-
Filesize
207B
MD50457a6da93962887b616580d47166610
SHA112f2deb4f436182f23001c62e62ef10b211d6b82
SHA2562871ee8727fe13a202a6cb1058f9ca2e6ab9e28831ffbe427bb8cfa90ad79821
SHA512f8c7de61029081db0554b0d8a2048ba296346622a052d31e1b9ad987bf1aefb472a85b1e67db0f8cce3f6eb8deca78f94ee51b57e4422ae3168d570d5429af95
-
Filesize
207B
MD59a79ac709ee8be4120acbd1132de7747
SHA17d231bbdc8a57c502894fba945f25e095cadf329
SHA256ccc573a17056e5dbb9e5e540278e5018e4916af800997068f533401c47d6a04f
SHA512720219e5c17f26040aaa706a583509d26b4d44fd1c9beb771412697158579f8bb95016859249163ff4be402c135663c60405251e42aa6a5d72c3ffd1ffa6466b
-
Filesize
207B
MD5cba6a3df136ac0003662b41bbcfaa4e6
SHA1f1f213da155b935eb3e95a3be006e75e71a239b8
SHA25687488609713f13554515e81968f04c699806374aa801f22b60583fc550f7a030
SHA512f17f3a44057bce3b6f7ea86769743a4f68ccb8f0be2ee91bdaa359e88d051e1e3e0360eee6c8d9ed15b58ccfb03a05a8a6aea12344c6ef59bd972131090fc2f6
-
Filesize
207B
MD5c64985d97b1a413facfb0bcff09efafb
SHA16d47bb4cd94861981f215d6eaa1fbf126fd8d7b8
SHA25608455e8c3408b3a0fba59ce3a838a94bb002287b1f25f9a607f2737af3351fd3
SHA5120cc166ce12d9c5dfcda28c2dd43606c957cfed6b10d6c67acaf2277bc91ab5ddf8c5d444ec169c5b1849ce435ca1783d29b3fb4ebdd774d2fd5966245b98a8f4
-
Filesize
207B
MD5f519d5e7b72c060881bb6d982e5c887d
SHA1ced5b2ecbf5cfed762dad6527a2a258b862d9473
SHA256962f01cdcd765403a58d3b7124f6f9661159c9516ec20e5fe6e48bd75d5c2ce0
SHA51218185cb9fa26fb8e9a80e8f9c413289c95af7dbc2a86cf11bd35b4852ade818e1d49a7c40e9d4f888548faf268e93a4e421c9edd11c6a0eaf46ca04769c1ec1b
-
Filesize
207B
MD559495af5167be7f3ca879bdc16435f9e
SHA19fc649adea41479cf8fb79eb9a02700c3c78b2cf
SHA256bb2586e37f570436cfe58b9cab6546dd917773f093163468b01d4b2d26c182cd
SHA512a7325569c72bb6a719977104717a3b1839cdccdcd406ab7da31b709b77f99f41bcd0a81bb5092dc6a542ffa7d0f1e7b5ed9919b06025d43e8f316b5e65684da6
-
Filesize
207B
MD5cd6a471ae118a6d71a9e267ebe7b4229
SHA1876a6052477c55835846f298759476b0af1b9a5a
SHA256d3119f86f966ea7b51a1c65f7609ecd87683ffb5d48a0a8e658c1fca4bf30512
SHA51288fd0e54d53167be306e398a6540c410704466df32ca89bc15c9ed97d07b1b3ee3a763320af11691f6b665a8b48212e1e73461ae8469e23559ca9150b04e975d
-
Filesize
207B
MD5f4ea1290751a425611d87aeed032e5a8
SHA1b5568d079a9975f23ce956ac8c0eebd49c66e550
SHA256c7ecaa6abbbd96211c1bdfb43ed0cfe0912b09460364971c7c017cfcddc74aae
SHA5120a71ff113649bf81d363c4b037d2b18831dc4006ffeb6c2e24eb5c7596557de7e560f4d5698b2d35bb5b52220a5139f87911ee8eb1fca3855949708b9fe42301
-
Filesize
207B
MD5e105ede55c85e1ed0c4574ed24a6d7d2
SHA168447d14cdac9a06f682233db2950affc7928b74
SHA256fa8c6f932288de5b86492b7d0759df46c5dd60c60b32637872ef26f03d2a3447
SHA512b98ea748749d228179c80654e7efed7f4a2f10f6f99c097731763cf3304e7533088796b93a76b7c399cf27114177599a46819733a5195c8f0cbf577f8c281a98
-
Filesize
207B
MD58077dd8dbd1de92092dcf80db1ac2202
SHA13a9f446da752e87943b8b5907c6e1a8effd09c4d
SHA25615e05315426b256e19f47bf0decb5e2ffaebda4179f4f7cd128a704fb9ee16da
SHA5126693e5dbc8d127eede662e6c782c9b49e71316a3308333d0e755716a4da9e5c4314938bccf8e1cf067ad0e0f4c45bcafd8b6031d4538c12b7a7c6f6c9b3910ff
-
Filesize
207B
MD5c6ddc7b0459441f73bbf998f4c17f5c3
SHA1ea2dacafc5c525557cf3ad11d543fa4738fb0612
SHA2568fa39f796e274b8c3510fb09da81958d6a62dced1abc7d830563993f139a136b
SHA5122bc38447f9490afd0b6c7475b61df49b03ce17a73b1b13739b0d75c77b644def243314bbfa54349566becdc49ae0795d4504d26ba8fe8e402230390da866f465
-
Filesize
207B
MD56e7e21357cc8e2b37e617e388cd18d92
SHA108b20ec3b3e0055a91d9c999dc95bee9de434fec
SHA2568b08e8b57b37292068bbfe113147c9b5140b103ff10d2cf7fceadac083cdbf08
SHA5124b889283bbb8b1eb2388c8dc3e8bce61657afccbfcc10152149afca00f2cb573e8f207aa908708a404226b52fb8541561f830082073472cf3685325299d727c0
-
Filesize
207B
MD5a5e33d082b5abf3243140fee5ba0a47f
SHA1f38ff43e9fc937293354ca7a808e87eb5ca12fc4
SHA256099f3647a09b0e347a13b7adaa54307edbb8059cf33065b77a989b34b29bba0b
SHA51285d038b2391f47f86c8eb2287c954e1a247273172849d4948e8afcb5736b999143dd41177d63e79375859c13c10a51eacf4d6a87c2e1e58f7d9efc18642f93d2
-
Filesize
207B
MD5787306fe27433c5a58972f80c6f76c54
SHA138dbbf37f209bca5ee28d973103dd2f473a21fa3
SHA25657e6fa034773cb7aa8b569bfc836fd2421eb2c639643435ff0fabf7676604888
SHA512d9119493888233c389e2ec0defad026bd5d1e46e2cb4550ee855188c3150e918dc092fea05d7b1b6e1c32af2ece4368772ddac6aaaddeac9ba19f0e6f41d2f73
-
Filesize
207B
MD53df685822f8f35e7e423b5827e488efa
SHA1822a4bb85cefb1ed28c9a1f60c2d21a768847afb
SHA2564173290e8931f141c415510b3a343520c5d6e3a3e6321fc131729017925f55ba
SHA51226820db0c589ed4c150bd1d1d38f3b7e2b57f2db7914c458f5ba41d1621505cfafa29aae8968afca9b532676ccb571f25de1466e83861f8cb495cbfdc6fedca9
-
Filesize
207B
MD5f7cf48224d70b5fc460406696603a03f
SHA1d162ac2915b2a02a4fe65beaa5df3142a1a71f85
SHA256b786dfee132033ae380c0eb015475cb1a1aef5efa93c55020302c1a948d835b6
SHA512aa0679d2e16e962ca6ee9ea0ba0cc0700e2e63cb68553f95eb7cec9639f74031d70f47ce0cca67e1f82b7d197985f8f106ef8b0d53a5ef50cf71aadcdc8858bc
-
Filesize
3.1MB
MD543d43e073f37fcbce4db2a8efea58450
SHA124014a045dfda1401b81e63435fdf46963967fd4
SHA256e4c6e99ac6e6ddb98b3f0fea20d97c067b593ffdce6d2909ff693d03868e605b
SHA5129c8ca9dee9c24431ea98ce9743cf826b5ba844c339b0cc94ef4261af68f2bf89b7251e1884011e8ff58be5afbebe98b699a243d1cacf83272018baac439ca9bf
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
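The dropped-file list above is the part of a sandbox report a responder actually reuses, and the raw export of such lists fuses each hash label with its digest (`MD58f0271...`), splits an occasional label from its value, and can include a record whose digests are simply those of an empty file. The Python below is an added example and is not part of the sandbox report, the sandbox's tooling, or Quasar itself. It parses the flattened form into one record per dropped file, rejects digests of the wrong length so a mis-joined line never becomes an indicator, flags records whose digests are the digests of zero-length input (computed with `hashlib` rather than hard-coded), and compares digest sets the way an IOC match should be done: on the algorithms both sides report, with SHA-256 required, so an MD5-only agreement is never treated as identity. The embedded listing is constructed from three of the entries above; `Artifact`, `parse_listing`, `same_content`, `hash_bytes` and `hash_file` are names chosen for this example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the report's "Downloads" list in the flattened form it
# is exported in: a bare "-" opens a record, "Filesize" is followed by its value
# on the next line, and each hash label is fused with its hex digest. The last
# record has "MD5" and its digest on separate lines, as on the page.
SAMPLE_LISTING = """\
-
Filesize
2KB
MD58f0271a63446aef01cf2bfc7b7c7976b
SHA1b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA51278a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
Filesize
3.1MB
MD543d43e073f37fcbce4db2a8efea58450
SHA124014a045dfda1401b81e63435fdf46963967fd4
SHA256e4c6e99ac6e6ddb98b3f0fea20d97c067b593ffdce6d2909ff693d03868e605b
SHA5129c8ca9dee9c24431ea98ce9743cf826b5ba844c339b0cc94ef4261af68f2bf89b7251e1884011e8ff58be5afbebe98b699a243d1cacf83272018baac439ca9bf
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

# Expected hex-digest length per algorithm; a wrong length means a truncated or
# mis-joined line and must not be turned into an indicator.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest labels first so "SHA512..." is never read as "SHA1" + "512...".
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]*)$")
# Digests of zero-length input, computed rather than copied from anywhere.
EMPTY_DIGESTS = {a: getattr(hashlib, a)(b"").hexdigest() for a in HEX_LEN}


@dataclass
class Artifact:
    filesize: Optional[str] = None          # e.g. "207B"; None when not reported
    hashes: Dict[str, str] = field(default_factory=dict)   # algo -> lowercase hex


def parse_listing(text: str) -> List[Artifact]:
    """Split the flattened list into one Artifact per dropped file."""
    lines = [ln.strip() for ln in text.splitlines()]
    records: List[Artifact] = []
    cur: Optional[Artifact] = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "-":                      # record separator
            if cur is not None and cur.hashes:
                records.append(cur)
            cur = Artifact()
        elif line == "Filesize" and cur is not None:
            i += 1                           # value is on the following line
            cur.filesize = lines[i]
        elif cur is not None:
            m = LABEL_RE.match(line)
            if m:
                algo, digest = m.group(1).lower(), m.group(2)
                if not digest:               # label alone: digest on next line
                    i += 1
                    digest = lines[i]
                if len(digest) != HEX_LEN[algo]:
                    raise ValueError(f"{algo} digest has {len(digest)} hex chars")
                cur.hashes[algo] = digest.lower()
        i += 1
    if cur is not None and cur.hashes:
        records.append(cur)
    return records


def is_empty_file(art: Artifact) -> bool:
    """True when every listed digest is the digest of zero-length input."""
    return bool(art.hashes) and all(
        art.hashes[a] == EMPTY_DIGESTS[a] for a in art.hashes)


def same_content(a: Dict[str, str], b: Dict[str, str]) -> bool:
    """Compare digest sets on the algorithms they share; SHA-256 must be among
    them so an MD5-only agreement is never accepted as identity."""
    shared = set(a) & set(b)
    if "sha256" not in shared:
        return False
    return all(a[x].lower() == b[x].lower() for x in shared)


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {a: getattr(hashlib, a)(data).hexdigest() for a in HEX_LEN}


def hash_file(path: str) -> Dict[str, str]:
    """Stream a file through all four algorithms with a single read per chunk."""
    hs = {a: getattr(hashlib, a)() for a in HEX_LEN}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


if __name__ == "__main__":
    for art in parse_listing(SAMPLE_LISTING):
        tag = "EMPTY (not an indicator)" if is_empty_file(art) else "ok"
        print(art.filesize, art.hashes["sha256"], tag)
```

To check a suspect file against the list, hash it with `hash_file` and pass the result to `same_content` against each parsed record; the SHA-256 requirement is deliberate, since MD5 and SHA-1 collisions are cheap enough that a match on those alone says nothing about identity.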