quasar | 7939dbc108594835d67accfc36a503b7c1c60d8fd3b0726775d3889ba8cd733f

Analysis

max time kernel
269s
max time network
270s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07-11-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mielda loco 12.7z
Size

922KB
MD5

441486cf8038d2f86fe265e7375390fe
SHA1

a94f83e1bc67bae7ad4088f2e35c80d956715220
SHA256

7939dbc108594835d67accfc36a503b7c1c60d8fd3b0726775d3889ba8cd733f
SHA512

7265b4f98af0a105b4cb5dc1e39f45e6e568f799898f037763dfdb72ff6851a6f66a5fd2f44e19298d9a0bdbf1b7d0938a5b86f187be87cad3d3be2a4bc1d957
SSDEEP

24576:6pdSFVQHYTE3oImE/b5Ug6Te7brnky1ffi:sGVQHYA3wgyg6o3kSfq

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

Cristopher11sa-62565.portmap.host:62565

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045055-2.dat	family_quasar
behavioral1/memory/2888-5-0x0000000000860000-0x0000000000B84000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 26 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 30 IoCs

pid	Process
2888	mielda loco 12.exe
3080	Client.exe
1720	Client.exe
2032	Client.exe
1824	Client.exe
4304	mielda loco 12.exe
1900	Client.exe
2228	mielda loco 12.exe
4988	Client.exe
2588	Client.exe
4708	Client.exe
3532	Client.exe
2640	Client.exe
1984	Client.exe
4660	Client.exe
3724	Client.exe
3624	Client.exe
1672	Client.exe
3772	Client.exe
2472	Client.exe
1540	Client.exe
1060	Client.exe
5092	Client.exe
3168	Client.exe
3344	Client.exe
3996	Client.exe
4248	Client.exe
2380	Client.exe
220	Client.exe
5084	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 26 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4732	PING.EXE
324	PING.EXE
4912	PING.EXE
2484	PING.EXE
4824	PING.EXE
4968	PING.EXE
2560	PING.EXE
1484	PING.EXE
2028	PING.EXE
4492	PING.EXE
2020	PING.EXE
1728	PING.EXE
4264	PING.EXE
828	PING.EXE
3960	PING.EXE
3764	PING.EXE
3748	PING.EXE
3248	PING.EXE
2860	PING.EXE
4260	PING.EXE
1776	PING.EXE
1980	PING.EXE
4776	PING.EXE
1868	PING.EXE
4428	PING.EXE
4428	PING.EXE

Runs ping.exe 1 TTPs 26 IoCs

Remote System Discovery

T1018

pid	Process
324	PING.EXE
828	PING.EXE
2484	PING.EXE
3960	PING.EXE
4264	PING.EXE
4968	PING.EXE
1484	PING.EXE
4732	PING.EXE
4428	PING.EXE
1868	PING.EXE
3748	PING.EXE
2028	PING.EXE
4492	PING.EXE
4776	PING.EXE
4260	PING.EXE
1776	PING.EXE
2560	PING.EXE
4824	PING.EXE
1728	PING.EXE
2860	PING.EXE
4428	PING.EXE
3764	PING.EXE
3248	PING.EXE
1980	PING.EXE
4912	PING.EXE
2020	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 28 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4224	schtasks.exe
5100	schtasks.exe
3980	schtasks.exe
2184	schtasks.exe
3564	schtasks.exe
1044	schtasks.exe
1836	schtasks.exe
4608	schtasks.exe
1628	schtasks.exe
1740	schtasks.exe
1140	schtasks.exe
688	schtasks.exe
1556	schtasks.exe
324	schtasks.exe
1932	schtasks.exe
1348	schtasks.exe
5084	schtasks.exe
3788	schtasks.exe
2432	schtasks.exe
1792	schtasks.exe
3244	schtasks.exe
2576	schtasks.exe
4732	schtasks.exe
644	schtasks.exe
4452	schtasks.exe
860	schtasks.exe
2576	schtasks.exe
2448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2228	mielda loco 12.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1928	7zFM.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeRestorePrivilege	1928	7zFM.exe
Token: 35	1928	7zFM.exe
Token: SeSecurityPrivilege	1928	7zFM.exe
Token: SeDebugPrivilege	2888	mielda loco 12.exe
Token: SeDebugPrivilege	3080	Client.exe
Token: SeDebugPrivilege	1720	Client.exe
Token: SeDebugPrivilege	2032	Client.exe
Token: SeDebugPrivilege	1824	Client.exe
Token: SeDebugPrivilege	4304	mielda loco 12.exe
Token: SeDebugPrivilege	1900	Client.exe
Token: SeDebugPrivilege	2228	mielda loco 12.exe
Token: SeDebugPrivilege	4988	Client.exe
Token: SeDebugPrivilege	2588	Client.exe
Token: SeDebugPrivilege	4708	Client.exe
Token: SeDebugPrivilege	3532	Client.exe
Token: SeDebugPrivilege	2640	Client.exe
Token: SeDebugPrivilege	1984	Client.exe
Token: SeDebugPrivilege	4660	Client.exe
Token: SeDebugPrivilege	3724	Client.exe
Token: SeDebugPrivilege	3624	Client.exe
Token: SeDebugPrivilege	1672	Client.exe
Token: SeDebugPrivilege	3772	Client.exe
Token: SeDebugPrivilege	2472	Client.exe
Token: SeDebugPrivilege	1540	Client.exe
Token: SeDebugPrivilege	1060	Client.exe
Token: SeDebugPrivilege	5092	Client.exe
Token: SeDebugPrivilege	3168	Client.exe
Token: SeDebugPrivilege	3344	Client.exe
Token: SeDebugPrivilege	3996	Client.exe
Token: SeDebugPrivilege	4248	Client.exe
Token: SeDebugPrivilege	2380	Client.exe
Token: SeDebugPrivilege	220	Client.exe
Token: SeDebugPrivilege	5084	Client.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1928	7zFM.exe
1928	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1672	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 324	2888	mielda loco 12.exe	93
PID 2888 wrote to memory of 324	2888	mielda loco 12.exe	93
PID 2888 wrote to memory of 3080	2888	mielda loco 12.exe	95
PID 2888 wrote to memory of 3080	2888	mielda loco 12.exe	95
PID 3080 wrote to memory of 1140	3080	Client.exe	96
PID 3080 wrote to memory of 1140	3080	Client.exe	96
PID 3080 wrote to memory of 1884	3080	Client.exe	98
PID 3080 wrote to memory of 1884	3080	Client.exe	98
PID 1884 wrote to memory of 1804	1884	cmd.exe	100
PID 1884 wrote to memory of 1804	1884	cmd.exe	100
PID 1884 wrote to memory of 4968	1884	cmd.exe	101
PID 1884 wrote to memory of 4968	1884	cmd.exe	101
PID 1884 wrote to memory of 1720	1884	cmd.exe	102
PID 1884 wrote to memory of 1720	1884	cmd.exe	102
PID 1720 wrote to memory of 1348	1720	Client.exe	103
PID 1720 wrote to memory of 1348	1720	Client.exe	103
PID 1720 wrote to memory of 3060	1720	Client.exe	105
PID 1720 wrote to memory of 3060	1720	Client.exe	105
PID 3060 wrote to memory of 1604	3060	cmd.exe	107
PID 3060 wrote to memory of 1604	3060	cmd.exe	107
PID 3060 wrote to memory of 4260	3060	cmd.exe	108
PID 3060 wrote to memory of 4260	3060	cmd.exe	108
PID 3060 wrote to memory of 2032	3060	cmd.exe	110
PID 3060 wrote to memory of 2032	3060	cmd.exe	110
PID 2032 wrote to memory of 4732	2032	Client.exe	111
PID 2032 wrote to memory of 4732	2032	Client.exe	111
PID 2032 wrote to memory of 1304	2032	Client.exe	113
PID 2032 wrote to memory of 1304	2032	Client.exe	113
PID 1304 wrote to memory of 2180	1304	cmd.exe	115
PID 1304 wrote to memory of 2180	1304	cmd.exe	115
PID 1304 wrote to memory of 1776	1304	cmd.exe	116
PID 1304 wrote to memory of 1776	1304	cmd.exe	116
PID 1304 wrote to memory of 1824	1304	cmd.exe	117
PID 1304 wrote to memory of 1824	1304	cmd.exe	117
PID 1824 wrote to memory of 3564	1824	Client.exe	118
PID 1824 wrote to memory of 3564	1824	Client.exe	118
PID 1824 wrote to memory of 3596	1824	Client.exe	120
PID 1824 wrote to memory of 3596	1824	Client.exe	120
PID 3596 wrote to memory of 4688	3596	cmd.exe	122
PID 3596 wrote to memory of 4688	3596	cmd.exe	122
PID 3596 wrote to memory of 2560	3596	cmd.exe	123
PID 3596 wrote to memory of 2560	3596	cmd.exe	123
PID 4304 wrote to memory of 5100	4304	mielda loco 12.exe	125
PID 4304 wrote to memory of 5100	4304	mielda loco 12.exe	125
PID 4304 wrote to memory of 1900	4304	mielda loco 12.exe	127
PID 4304 wrote to memory of 1900	4304	mielda loco 12.exe	127
PID 1900 wrote to memory of 1932	1900	Client.exe	128
PID 1900 wrote to memory of 1932	1900	Client.exe	128
PID 1900 wrote to memory of 3948	1900	Client.exe	131
PID 1900 wrote to memory of 3948	1900	Client.exe	131
PID 3948 wrote to memory of 3888	3948	cmd.exe	133
PID 3948 wrote to memory of 3888	3948	cmd.exe	133
PID 3948 wrote to memory of 1868	3948	cmd.exe	134
PID 3948 wrote to memory of 1868	3948	cmd.exe	134
PID 3596 wrote to memory of 4988	3596	cmd.exe	135
PID 3596 wrote to memory of 4988	3596	cmd.exe	135
PID 3948 wrote to memory of 2588	3948	cmd.exe	136
PID 3948 wrote to memory of 2588	3948	cmd.exe	136
PID 2588 wrote to memory of 644	2588	Client.exe	137
PID 2588 wrote to memory of 644	2588	Client.exe	137
PID 2588 wrote to memory of 4840	2588	Client.exe	139
PID 2588 wrote to memory of 4840	2588	Client.exe	139
PID 4840 wrote to memory of 2972	4840	cmd.exe	141
PID 4840 wrote to memory of 2972	4840	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\mielda loco 12.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1928

C:\Users\Admin\Desktop\mielda loco 12.exe
"C:\Users\Admin\Desktop\mielda loco 12.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:324
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Kl4lrhJ9MNq.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1804
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4968
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1348
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgvfQm2dovaP.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1604
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4260
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0fUxBiROOYEe.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2180
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1776
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQXGeNqPEC7F.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988

C:\Users\Admin\Desktop\mielda loco 12.exe
"C:\Users\Admin\Desktop\mielda loco 12.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5100
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NjwU2Zndin48.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3888
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1868
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TrHIAX1F3yTH.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4840
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2972
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1484
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2drRfrMgpJls.bat" "
        7⤵
        
        PID:3060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xalf48pGko4L.bat" "
        9⤵
        
        PID:1304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fqKuTCBh8JZl.bat" "
        11⤵
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:324
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X7acD4N1cNUz.bat" "
        13⤵
        
        PID:4252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Qi1YqKd5KVpA.bat" "
        15⤵
        
        PID:3028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:828
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kLeHgn19ifHG.bat" "
        17⤵
        
        PID:1572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:520
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8XcwDSMOu4IP.bat" "
        19⤵
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4824
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8ssEWvaunBa7.bat" "
        21⤵
        
        PID:1136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUqIj0VONBpe.bat" "
        23⤵
        
        PID:4248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3748
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A35WKwTM9yvL.bat" "
        25⤵
        
        PID:4820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAZTile6f4LO.bat" "
        27⤵
        
        PID:4628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cwJoU1b8OLbG.bat" "
        29⤵
        
        PID:1624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3960
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pT2bxRHrH1B3.bat" "
        31⤵
        
        PID:4708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4264
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dxLmVq5SNx6M.bat" "
        33⤵
        
        PID:2760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3764
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3344
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROefF2sIwwBd.bat" "
        35⤵
        
        PID:4452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqEtgbnalNcm.bat" "
        37⤵
        
        PID:5008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:4900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4492
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\whu1iGKxuJLs.bat" "
        39⤵
        
        PID:984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:1632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ahdB50znTG83.bat" "
        41⤵
        
        PID:4636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:2124
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4776
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5Jh6IHbpvdeJ.bat" "
        43⤵
        
        PID:4664
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:2168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3248
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MSnASxyhYF7O.bat" "
        45⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:4456
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2860

C:\Users\Admin\Desktop\mielda loco 12.exe
"C:\Users\Admin\Desktop\mielda loco 12.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mielda loco 12.exe.log

Filesize
1KB

MD5
b08c36ce99a5ed11891ef6fc6d8647e9

SHA1
db95af417857221948eb1882e60f98ab2914bf1d

SHA256
cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

SHA512
07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fUxBiROOYEe.bat

Filesize
207B

MD5
f49bebdaa21f3878b33b457af5421a6e

SHA1
8614d564493ec1a790a33aefac2f94508e24fdc4

SHA256
9a469bfe64e32b981a5545fb70dd664f152befe3df1efa5fdaf576126847ffb4

SHA512
f5190bd9144767acc24035f093e531aa67ec4dd388f624aa6db0a6940e6e20df036d8b40c29421acda751fed0e64ee7f187a6b12d8d9cf071e4b6d9501bbb180

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Kl4lrhJ9MNq.bat

Filesize
207B

MD5
b0956c92225a52d91eec790d79f727b7

SHA1
a65adb2a1e7c5de771aa3fd44c3d716bf7277131

SHA256
438f9bb952bc4c5ec1cd272e9961bf79cdd363ca6707f03df6addcab0adcc362

SHA512
99300606715ea68ad0c692db724f7c74d71de2efc33d1060bdff463db32d4515836452a5cbec1d3adab772cff4b014355bedcda5b38a9998759b39721ad74943

Download Submit
C:\Users\Admin\AppData\Local\Temp\2drRfrMgpJls.bat

Filesize
207B

MD5
b8060ada4f89e2782c7f6e05276fd7d4

SHA1
06af02c877fc0c239ffe9ba14b337f8431b482a7

SHA256
b999553e7530cd077b1893c644bb87dc848a11849ca629483adcf3b36ddcaf45

SHA512
0b73aff0f6b48183899c4069ef977b148b7655269ace7ea2d78719f22bcaf500edd5a4ef6029113634799631bd3c88e1426c7575b159e66e6445808ffad5ae98

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Jh6IHbpvdeJ.bat

Filesize
207B

MD5
e1633624c1773a0cab614a7b44366c38

SHA1
6bfdba2b4dbde332bccf3f8e40fcbb4bc67f0fed

SHA256
9090adac92eb1e6707a51a71afbdab9d4531b95c4af07478530fcffd91a3b321

SHA512
9018d11fc2aed819a1f3815289d087d5cf0f0f0d3050096ca5a0e0e800c88219a7ce145b4e0efd473bec7599855ad2ea195397567ce2de854f524ef74469177a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8XcwDSMOu4IP.bat

Filesize
207B

MD5
5abf0ce4582506fb126159c911a8591c

SHA1
6a298cc04254ba1bfa5af49b64817aa8769df6d0

SHA256
a57b73d65b5651cbb31afaed4f1a21a31797a33d68943dec25811d8de006c7a4

SHA512
c1fcf4d47024706e832673ff0efbff12cbcf4895c0956852ea7669a93d3cfa74e6e5b98c0c033b84752d0149b5cfd062e5c942ab6e1901267776c69232ddf73d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ssEWvaunBa7.bat

Filesize
207B

MD5
9a5c9747234230277d06285fbe4bcfd0

SHA1
e71c33ea81426f0ef4555d3dbcf1d16a5e82feb5

SHA256
75d34e0be1dfb5e3728203cc81e7033d6ab50b6aab170c6aa55f6c2e39a6d783

SHA512
7a56d1efe180dc0164420eaeb71224626b55a13c2dfbd88074b4cb9160bd59c3d7fa33970f56792fa92cc9a74f9161a0b482e5acc7a2bfa37bf9058ac18d0cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A35WKwTM9yvL.bat

Filesize
207B

MD5
c6849c7f4fd433678999a0c3b4a25e93

SHA1
bd491256aa32a1ecf4411a9491e1c7d697302103

SHA256
750112cd8b74f6a5d5cbb5b98ffbfe5dd6a075a41b0a8cf7f30d61e51ce1af09

SHA512
d51d11e307baff856dd46ca8539368ad2b07fa4f033bd556fe5fdde00ae8f8038d5a5662ca2a34629caa584f9d724bc4d22041f0fa9a950affb3b2dffe77962a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSnASxyhYF7O.bat

Filesize
207B

MD5
8eee77dcd01a2eb0d530ea80b8709488

SHA1
eff0e06fe8a09ae6a926d2a1be3df880c3c0653f

SHA256
85f90d6bfd64d0f202e77c5fdd6980527d28c1dfcfc38972c05b2b24f38188b6

SHA512
f42c61c31b32dd7520c8c6a964b1b894d01d5c3d8b616d3b4059cc3424a0cec0f251a1bce340dd762f218c7452024efda00e36ad5f3920d141522d90aa852589

Download Submit
C:\Users\Admin\AppData\Local\Temp\NUqIj0VONBpe.bat

Filesize
207B

MD5
73dff22684e220453e2d63fd404a3fe4

SHA1
ff14d4b6ff4ddfd6e8409764fafc9035a7384961

SHA256
237c408697d2664ca931064a980f01ecfd71d630038d040ee14ac6d2b324d18c

SHA512
a78ab87448ff5985979969d4672b9fd8cdccff01e97e7512fd0d2ef6d0a479c230687f760182ec956489de850e9e28ad474b9a879d43dff2a5092031301ccdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\NjwU2Zndin48.bat

Filesize
207B

MD5
06cc67cd33a47075860c1ae45c52f60f

SHA1
c3e448523e6f8d7cb4d0cee78e4608b64da5a00f

SHA256
fe9100046b669035f98fc687b79ac619d9726ea2bbf000a2821216dd241a6d7e

SHA512
a91690447a074ecce2380dbdfcfc690ef32880e008fb92113cf7be4fc78ffeaa8c5d976de129c78db10cbff36a9c90d1f67165f5cf2462fb9cad7129fad09499

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qi1YqKd5KVpA.bat

Filesize
207B

MD5
3e42ee52cb7c52c7f5e31738ef2344e2

SHA1
7eedb36becd0ac194312821cb3628e411f3584e9

SHA256
f203ab03d03768d5bf0c97ee579504a8e8a8c1cfc2bfadcbd3132524ba07b9f1

SHA512
cf3ec402c4479394a687832e0844d3799fef35255b5d730a3dadfe6b2dccb018a9e38c6b4b6b32b2f6e58cf35699e24b5e161619169b012073d2ca85646320e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ROefF2sIwwBd.bat

Filesize
207B

MD5
292b0c3dcb37581a6af4136752a9ed79

SHA1
bb54b6d5b3f8de8f794d587522db145a410f40e9

SHA256
59c20a02ee0cee32060e81f55b1572afbe2ff125347901830629531856cc560c

SHA512
99e44b3ef31908378e7a97a6cd6f4aef7af3db517c9df78b0755f5f790e44a236e5f4f3bb424ee5c205b8efaa7be47d8ac3ef511076c0247a17a443017bf7458

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrHIAX1F3yTH.bat

Filesize
207B

MD5
2a4540a29e00ca9d200b5b90cce25b28

SHA1
edb84a0072eb72893ba2378be71203ccea589004

SHA256
64ba1ae5d8cecedec18b44150bf4ac608347d80360095ccc60a60bdda6ae2294

SHA512
5372b2b5570d2f23a06a9b18e56a442b39b1ce5a8956a0c2f14e2b2dd87e855b0f5eb0d29ed6e55b330b6e381873262ea5e75c771963980fb0ed6d0d0d14aa48

Download Submit
C:\Users\Admin\AppData\Local\Temp\WgvfQm2dovaP.bat

Filesize
207B

MD5
4811a8d4952bef6915d94229260bc885

SHA1
0063fb58fd8f5a895bf488e0566c435966ba0d18

SHA256
9978473394a5001940af06e4f179c66cf8b7a6a6184a7b01d3dd65bb779f7d1a

SHA512
ae8e50ab3a7d8a5bed5397b797aeb24002b087421c7d0551e77ab1d1b89c36f8d184d450a768dd536500098559aec42184babacbf26a6e66903fba9625f38d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\X7acD4N1cNUz.bat

Filesize
207B

MD5
4760924968b377affe7d0b518cf32a69

SHA1
9361fd148b314e9eab3927f6a04e81c7c54a315a

SHA256
909d9fec2a83e5bde2054e95aa33f84e46a5aba8e9d3db1980cee7020e6b9f99

SHA512
dc407ceb0979b70942147c27518f24ad7b027b2a5504e9857ec0bd4924a3cda2aa2c4085c596520a1db64a06c04ae5ede419601f9a2fb3e1757fb8376cdccc1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xalf48pGko4L.bat

Filesize
207B

MD5
afc3e2bdd0ea598a770c57c690cba528

SHA1
5814d353d83bc89903f4018c6e3b3947644e3840

SHA256
91d2ee955b7e86ca2a2c85df71614c338e50180a4842afe1751b685c3ca206aa

SHA512
146e1ce826b3ed7de47ad6cba941f0cae62188d9a270a174f62614e324a1bfe1b12831637aad35a5b0dae06bf056f88a57a11d032dd37752570b4b5fadd01817

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAZTile6f4LO.bat

Filesize
207B

MD5
ce10bf5da0b609e5da4d4e270a1e1dea

SHA1
e6c42b2b112798dc944f662d97f4cbc1749ea0c6

SHA256
24946eb880aac0d3a92656c6bdae486d4d807c5758242b0c869ad7482f262358

SHA512
befdefdbdb45e282aba797d4d46749acbec8d92cb520e1e12b710ae6e343b97bc91de238545422fca22a4c8f07efdb02ea6eef0cf48d8777ecff7ed15eda886c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aQXGeNqPEC7F.bat

Filesize
207B

MD5
6a32db9c6d38b987c0845b08ff80c70a

SHA1
37efaa3b83830761b1317633138a4f75ec8b4f44

SHA256
ffe5af05b145bdac023ede09d8b3fcc0de328b7295a5b7608e992b839545c8e0

SHA512
4d917d8c8fa2085d547c4fd74770a20a4f726371452c60a5c1fbe865ef1e3c30ecbed227ea345303024b282121ef6f17a5af8908518dedb920cb9d9e9f81de7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahdB50znTG83.bat

Filesize
207B

MD5
df3f166609f99232f18653499b19de3a

SHA1
e9558f045bfb6d29249506c2b48caab481b4e173

SHA256
4b2868d4279eec7504a04fed2bb6ef9d8c9645bb5d39870ab3398b30e9f411fe

SHA512
451492efc701f38e2cf047c3e7bf672d0d90b50806b4b6040032ae1c29b4b46abefe9c88cd5884bd6ad7ecaf167b822cfa446a85a8b12c6de50d02f278712c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwJoU1b8OLbG.bat

Filesize
207B

MD5
92457100f89fdf85a2b5ee8ba2cf670c

SHA1
05b9341d709d378c2aec8c09bb5f28d39823f0de

SHA256
39bf02c3744b4c38d7d718cd4799e40a71de7b3768608f4ffde450da36f386e6

SHA512
3b0debe42f7a7f705d43344ae8aa769aa869a121d21fd38c0030124ea370eeb60aa6d3d305448b5f657c30615a0367ed569e172a759e01ff18b128c5cb76bdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxLmVq5SNx6M.bat

Filesize
207B

MD5
98089c4848fe181ece7202628da6f9ee

SHA1
1bf67a627aefdf359960bd1991fc033f765dbdac

SHA256
5a6f748906f600de2c63ed9eb75cf2c08e04c9c74d09c5bb69287e8cfcc50f8b

SHA512
de351b3a572b0bd6ac5ab66914d3b1de6060f47b2b45e01f66f73d84cf9730a682c564d2a9731954f93a05a3baab6e812a4bf69891723fc2247f6700c6b70941

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqKuTCBh8JZl.bat

Filesize
207B

MD5
32f294ecfadd78710679aa9d399241dc

SHA1
8ae5770d96066031286dbcff9eeb640a5116eb38

SHA256
d0581447ac9735438802fa1fd4a7f19f3394ee01a0f6373348aa747762a6320c

SHA512
c3e78fe0196e8739c0ff1bebeb9911cfd496e4209b64e4cef04a79a5a4f31f9a7eac233f611845b6965b247eb0500e1985ee566aed8b7d880799ac41b670e862

Download Submit
C:\Users\Admin\AppData\Local\Temp\kLeHgn19ifHG.bat

Filesize
207B

MD5
6f8f46f73d479181a56c623cbb31921b

SHA1
4c797eb37e831ad38abfd9b4eb13fb486fe5171d

SHA256
2900d31e918b1e014b5358abef49b7e0e5a8fde5c5987c48e0af095b4f80ad41

SHA512
8d8390b2c0e2f217978bfc64b9d23610b845de10d1d729711aeaec8c83b0c413cd1833079862c4748e19c636e2abea79d8018c9fa02f86256501ea3620e8f269

Download Submit
C:\Users\Admin\AppData\Local\Temp\pT2bxRHrH1B3.bat

Filesize
207B

MD5
852e319356e466a522f0891e802b734e

SHA1
e74a62f1cc9a27e0c6352e05e36bbf21cc9dc9bd

SHA256
fc757fabd58645daa4b8e804f078c0e40728de9178d0459b6fb01559c222e0d1

SHA512
cc7ecdc44cd9313b128bc1535efbfa94dc8f1a64943198ddf71828a831a104a386bd70be2b6039f87863651ec84b154a0ffcb808defa16d1367dab3243721182

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqEtgbnalNcm.bat

Filesize
207B

MD5
75b355d0fe496d2a0ec15c398da5b4e5

SHA1
7a8de1567dbaa4f7c7d987d0b81f555e2c44df3b

SHA256
0b236dbf00db9f1371d119618ca264696e354ce45af7eb110fa0435fb8941fdc

SHA512
617062bd00a881860a5e0bedd6e0363128049fe4f10bd17bff30918884e50322618b287a6027ac0edc3c2984f13077389e0b1b96628b412dffa00e469891156d

Download Submit
C:\Users\Admin\AppData\Local\Temp\whu1iGKxuJLs.bat

Filesize
207B

MD5
18984e9ea5d3c317e704bfca377bacb1

SHA1
3493d9f5b29ad4efc92884192a54ef3ba6ea69e7

SHA256
6f0c992b5c5972ef4e249b122d4a14a7c5c9fc894c854152d367bc09d236c585

SHA512
3e4bedfb50c331255323a537f9a49eada1d9dae9f751530afe3e62e6254eb5e4882c67a293266ccc854cb9efc9e0ffec5cf1adb883c9f8301b2990ea445a9a16

Download Submit
C:\Users\Admin\Desktop\mielda loco 12.exe

Filesize
3.1MB

MD5
4ae7ab9b981922837aae1c86c7f726a3

SHA1
1783e0788fb2a103d71bc9a05ae2fb85c0d70ee9

SHA256
b1b8ad9032b829e2ac3956ce8f302745802cd2d5ae686c700796e2f2ee81b0f7

SHA512
79c4bf39ae1761414b5f37186c2483a4b8755168824d6e783ea9cab26e7c0118f391b6417c622b65ea3ac3924ae745a6abe4838ca1d87671898ad90ae9a18e58

Download Submit
memory/2888-9-0x00007FF98F7A0000-0x00007FF990262000-memory.dmp

Filesize
10.8MB

Download
memory/2888-5-0x0000000000860000-0x0000000000B84000-memory.dmp

Filesize
3.1MB

Download
memory/2888-6-0x00007FF98F7A0000-0x00007FF990262000-memory.dmp

Filesize
10.8MB

Download
memory/2888-4-0x00007FF98F7A3000-0x00007FF98F7A5000-memory.dmp

Filesize
8KB

Download
memory/3080-10-0x000000001B490000-0x000000001B4E0000-memory.dmp

Filesize
320KB

Download
memory/3080-11-0x000000001C5C0000-0x000000001C672000-memory.dmp

Filesize
712KB

Download