quasar | d398dbc7050f5f465a6c25d09df0aefd90a877c9b235318a1829c9ce5139c034

Analysis

max time kernel
1047s
max time network
444s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11/11/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

el nuevo buildeamos iejg.exe
Size

3.1MB
MD5

b6968e0331d2b8da011ef8fec9ea377f
SHA1

3219222763a3ef6f2c07a047c00ba9e4eb01c533
SHA256

d398dbc7050f5f465a6c25d09df0aefd90a877c9b235318a1829c9ce5139c034
SHA512

8df4f22da3a9950341df9c37661130f59a7d757b88066e8129bec09ef678bba22efd74ec2309eaeddf96008c80b838f32afc00b80f47ac932f441635ac78f828
SSDEEP

49152:7v+lL26AaNeWgPhlmVqvMQ7XSKSScpEIoGdF0THHB72eh2NT:7vuL26AaNeWgPhlmVqkQ7XSKSScpl1

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

https://a007-190-104-116-8.ngrok-free.app:4782

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3976-1-0x0000000000040000-0x0000000000364000-memory.dmp	family_quasar
behavioral1/files/0x002800000004504e-3.dat	family_quasar

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 64 IoCs

pid	Process
2588	Client.exe
1612	Client.exe
2364	Client.exe
4260	Client.exe
4524	Client.exe
3876	Client.exe
3780	Client.exe
4296	Client.exe
3168	Client.exe
1396	Client.exe
3208	Client.exe
4760	Client.exe
3904	Client.exe
4644	Client.exe
2224	Client.exe
3588	Client.exe
1592	Client.exe
1584	Client.exe
776	Client.exe
3796	Client.exe
3836	Client.exe
2684	Client.exe
3056	Client.exe
4256	Client.exe
5096	Client.exe
3244	Client.exe
216	Client.exe
4216	Client.exe
4372	Client.exe
4808	Client.exe
3424	Client.exe
2168	Client.exe
3284	Client.exe
4908	Client.exe
2940	Client.exe
960	Client.exe
388	Client.exe
1432	Client.exe
2388	Client.exe
5092	Client.exe
2468	Client.exe
3364	Client.exe
1760	Client.exe
4040	Client.exe
3728	Client.exe
1716	Client.exe
1960	Client.exe
1916	Client.exe
2756	Client.exe
3088	Client.exe
4480	Client.exe
1160	Client.exe
1604	Client.exe
5096	Client.exe
476	Client.exe
3688	Client.exe
3124	Client.exe
2820	Client.exe
3044	Client.exe
1888	Client.exe
1264	Client.exe
2808	Client.exe
2804	Client.exe
2140	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2220	PING.EXE
716	PING.EXE
4520	PING.EXE
3056	PING.EXE
4600	PING.EXE
4516	PING.EXE
4420	PING.EXE
2140	PING.EXE
4784	PING.EXE
4104	PING.EXE
5020	PING.EXE
1656	PING.EXE
4612	PING.EXE
1672	PING.EXE
4736	PING.EXE
4684	PING.EXE
2072	PING.EXE
4396	PING.EXE
4760	PING.EXE
4384	PING.EXE
2756	PING.EXE
3372	PING.EXE
4428	PING.EXE
1704	PING.EXE
3784	PING.EXE
3572	PING.EXE
1676	PING.EXE
2808	PING.EXE
2148	PING.EXE
4180	PING.EXE
632	PING.EXE
1820	PING.EXE
3124	PING.EXE
3512	PING.EXE
1156	PING.EXE
408	PING.EXE
2244	PING.EXE
4764	PING.EXE
2540	PING.EXE
1076	PING.EXE
2456	PING.EXE
2204	PING.EXE
4276	PING.EXE
4836	PING.EXE
4480	PING.EXE
5104	PING.EXE
4648	PING.EXE
5040	PING.EXE
1076	PING.EXE
556	PING.EXE
1232	PING.EXE
2140	PING.EXE
2808	PING.EXE
672	PING.EXE
1588	PING.EXE
4276	PING.EXE
3796	PING.EXE
3820	PING.EXE
4720	PING.EXE
1128	PING.EXE
1648	PING.EXE
2940	PING.EXE
1452	PING.EXE
4756	PING.EXE

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
1888	PING.EXE
3784	PING.EXE
4612	PING.EXE
3680	PING.EXE
3808	PING.EXE
4916	PING.EXE
4276	PING.EXE
3124	PING.EXE
2028	PING.EXE
4264	PING.EXE
1676	PING.EXE
5104	PING.EXE
4816	PING.EXE
1076	PING.EXE
4764	PING.EXE
1128	PING.EXE
4248	PING.EXE
4104	PING.EXE
3572	PING.EXE
2220	PING.EXE
1232	PING.EXE
2140	PING.EXE
956	PING.EXE
2140	PING.EXE
4384	PING.EXE
632	PING.EXE
1452	PING.EXE
4428	PING.EXE
4600	PING.EXE
4396	PING.EXE
4964	PING.EXE
1676	PING.EXE
2532	PING.EXE
1204	PING.EXE
2072	PING.EXE
5020	PING.EXE
4276	PING.EXE
1076	PING.EXE
3648	PING.EXE
4524	PING.EXE
2572	PING.EXE
3272	PING.EXE
3192	PING.EXE
556	PING.EXE
2940	PING.EXE
1992	PING.EXE
4704	PING.EXE
1092	PING.EXE
2668	PING.EXE
3512	PING.EXE
1156	PING.EXE
2756	PING.EXE
4420	PING.EXE
4384	PING.EXE
3372	PING.EXE
64	PING.EXE
2808	PING.EXE
3680	PING.EXE
4760	PING.EXE
4120	PING.EXE
2476	PING.EXE
4516	PING.EXE
4520	PING.EXE
4684	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4496	schtasks.exe
1580	schtasks.exe
4752	schtasks.exe
1108	schtasks.exe
912	schtasks.exe
4232	schtasks.exe
4592	schtasks.exe
2472	schtasks.exe
3672	schtasks.exe
1792	schtasks.exe
4496	schtasks.exe
4092	schtasks.exe
1532	schtasks.exe
2068	schtasks.exe
1148	schtasks.exe
4836	schtasks.exe
3372	schtasks.exe
4948	schtasks.exe
1096	schtasks.exe
1656	schtasks.exe
2932	schtasks.exe
396	schtasks.exe
1672	schtasks.exe
4464	schtasks.exe
2784	schtasks.exe
3660	schtasks.exe
2204	schtasks.exe
552	schtasks.exe
4936	schtasks.exe
2948	schtasks.exe
1824	schtasks.exe
3336	schtasks.exe
4832	schtasks.exe
4684	schtasks.exe
1760	schtasks.exe
5084	schtasks.exe
3572	schtasks.exe
760	schtasks.exe
4496	schtasks.exe
2576	schtasks.exe
2212	schtasks.exe
3512	schtasks.exe
1160	schtasks.exe
2936	schtasks.exe
2996	schtasks.exe
4964	schtasks.exe
1996	schtasks.exe
1400	schtasks.exe
4624	schtasks.exe
2524	schtasks.exe
4520	schtasks.exe
4476	schtasks.exe
3192	schtasks.exe
4480	schtasks.exe
2560	schtasks.exe
228	schtasks.exe
1608	schtasks.exe
4176	schtasks.exe
2936	schtasks.exe
3676	schtasks.exe
3184	schtasks.exe
1452	schtasks.exe
4776	schtasks.exe
4180	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	el nuevo buildeamos iejg.exe
Token: SeDebugPrivilege	2588	Client.exe
Token: SeDebugPrivilege	1612	Client.exe
Token: SeDebugPrivilege	2364	Client.exe
Token: SeDebugPrivilege	4260	Client.exe
Token: SeDebugPrivilege	4524	Client.exe
Token: SeDebugPrivilege	3876	Client.exe
Token: SeDebugPrivilege	3780	Client.exe
Token: SeDebugPrivilege	4296	Client.exe
Token: SeDebugPrivilege	3168	Client.exe
Token: SeDebugPrivilege	1396	Client.exe
Token: SeDebugPrivilege	3208	Client.exe
Token: SeDebugPrivilege	4760	Client.exe
Token: SeDebugPrivilege	3904	Client.exe
Token: SeDebugPrivilege	4644	Client.exe
Token: SeDebugPrivilege	2224	Client.exe
Token: SeDebugPrivilege	3588	Client.exe
Token: SeDebugPrivilege	1592	Client.exe
Token: SeDebugPrivilege	1584	Client.exe
Token: SeDebugPrivilege	776	Client.exe
Token: SeDebugPrivilege	3796	Client.exe
Token: SeDebugPrivilege	3836	Client.exe
Token: SeDebugPrivilege	2684	Client.exe
Token: SeDebugPrivilege	3056	Client.exe
Token: SeDebugPrivilege	4256	Client.exe
Token: SeDebugPrivilege	5096	Client.exe
Token: SeDebugPrivilege	3244	Client.exe
Token: SeDebugPrivilege	216	Client.exe
Token: SeDebugPrivilege	4216	Client.exe
Token: SeDebugPrivilege	4372	Client.exe
Token: SeDebugPrivilege	4808	Client.exe
Token: SeDebugPrivilege	3424	Client.exe
Token: SeDebugPrivilege	2168	Client.exe
Token: SeDebugPrivilege	3284	Client.exe
Token: SeDebugPrivilege	4908	Client.exe
Token: SeDebugPrivilege	2940	Client.exe
Token: SeDebugPrivilege	960	Client.exe
Token: SeDebugPrivilege	388	Client.exe
Token: SeDebugPrivilege	1432	Client.exe
Token: SeDebugPrivilege	2388	Client.exe
Token: SeDebugPrivilege	5092	Client.exe
Token: SeDebugPrivilege	2468	Client.exe
Token: SeDebugPrivilege	3364	Client.exe
Token: SeDebugPrivilege	1760	Client.exe
Token: SeDebugPrivilege	4040	Client.exe
Token: SeDebugPrivilege	3728	Client.exe
Token: SeDebugPrivilege	1716	Client.exe
Token: SeDebugPrivilege	1960	Client.exe
Token: SeDebugPrivilege	1916	Client.exe
Token: SeDebugPrivilege	2756	Client.exe
Token: SeDebugPrivilege	3088	Client.exe
Token: SeDebugPrivilege	4480	Client.exe
Token: SeDebugPrivilege	1160	Client.exe
Token: SeDebugPrivilege	1604	Client.exe
Token: SeDebugPrivilege	5096	Client.exe
Token: SeDebugPrivilege	476	Client.exe
Token: SeDebugPrivilege	3688	Client.exe
Token: SeDebugPrivilege	3124	Client.exe
Token: SeDebugPrivilege	2820	Client.exe
Token: SeDebugPrivilege	3044	Client.exe
Token: SeDebugPrivilege	1888	Client.exe
Token: SeDebugPrivilege	1264	Client.exe
Token: SeDebugPrivilege	2808	Client.exe
Token: SeDebugPrivilege	2804	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 3336	3976	el nuevo buildeamos iejg.exe	83
PID 3976 wrote to memory of 3336	3976	el nuevo buildeamos iejg.exe	83
PID 3976 wrote to memory of 2588	3976	el nuevo buildeamos iejg.exe	85
PID 3976 wrote to memory of 2588	3976	el nuevo buildeamos iejg.exe	85
PID 2588 wrote to memory of 3192	2588	Client.exe	86
PID 2588 wrote to memory of 3192	2588	Client.exe	86
PID 2588 wrote to memory of 420	2588	Client.exe	90
PID 2588 wrote to memory of 420	2588	Client.exe	90
PID 420 wrote to memory of 3560	420	cmd.exe	92
PID 420 wrote to memory of 3560	420	cmd.exe	92
PID 420 wrote to memory of 2140	420	cmd.exe	93
PID 420 wrote to memory of 2140	420	cmd.exe	93
PID 420 wrote to memory of 1612	420	cmd.exe	99
PID 420 wrote to memory of 1612	420	cmd.exe	99
PID 1612 wrote to memory of 2068	1612	Client.exe	100
PID 1612 wrote to memory of 2068	1612	Client.exe	100
PID 1612 wrote to memory of 1044	1612	Client.exe	102
PID 1612 wrote to memory of 1044	1612	Client.exe	102
PID 1044 wrote to memory of 2820	1044	cmd.exe	104
PID 1044 wrote to memory of 2820	1044	cmd.exe	104
PID 1044 wrote to memory of 1924	1044	cmd.exe	105
PID 1044 wrote to memory of 1924	1044	cmd.exe	105
PID 1044 wrote to memory of 2364	1044	cmd.exe	106
PID 1044 wrote to memory of 2364	1044	cmd.exe	106
PID 2364 wrote to memory of 912	2364	Client.exe	107
PID 2364 wrote to memory of 912	2364	Client.exe	107
PID 2364 wrote to memory of 1888	2364	Client.exe	109
PID 2364 wrote to memory of 1888	2364	Client.exe	109
PID 1888 wrote to memory of 1036	1888	cmd.exe	111
PID 1888 wrote to memory of 1036	1888	cmd.exe	111
PID 1888 wrote to memory of 3124	1888	cmd.exe	112
PID 1888 wrote to memory of 3124	1888	cmd.exe	112
PID 1888 wrote to memory of 4260	1888	cmd.exe	114
PID 1888 wrote to memory of 4260	1888	cmd.exe	114
PID 4260 wrote to memory of 1672	4260	Client.exe	115
PID 4260 wrote to memory of 1672	4260	Client.exe	115
PID 4260 wrote to memory of 3516	4260	Client.exe	117
PID 4260 wrote to memory of 3516	4260	Client.exe	117
PID 3516 wrote to memory of 4780	3516	cmd.exe	119
PID 3516 wrote to memory of 4780	3516	cmd.exe	119
PID 3516 wrote to memory of 2380	3516	cmd.exe	120
PID 3516 wrote to memory of 2380	3516	cmd.exe	120
PID 3516 wrote to memory of 4524	3516	cmd.exe	121
PID 3516 wrote to memory of 4524	3516	cmd.exe	121
PID 4524 wrote to memory of 4832	4524	Client.exe	122
PID 4524 wrote to memory of 4832	4524	Client.exe	122
PID 4524 wrote to memory of 5056	4524	Client.exe	124
PID 4524 wrote to memory of 5056	4524	Client.exe	124
PID 5056 wrote to memory of 1920	5056	cmd.exe	126
PID 5056 wrote to memory of 1920	5056	cmd.exe	126
PID 5056 wrote to memory of 3192	5056	cmd.exe	127
PID 5056 wrote to memory of 3192	5056	cmd.exe	127
PID 5056 wrote to memory of 3876	5056	cmd.exe	128
PID 5056 wrote to memory of 3876	5056	cmd.exe	128
PID 3876 wrote to memory of 4232	3876	Client.exe	129
PID 3876 wrote to memory of 4232	3876	Client.exe	129
PID 3876 wrote to memory of 840	3876	Client.exe	131
PID 3876 wrote to memory of 840	3876	Client.exe	131
PID 840 wrote to memory of 908	840	cmd.exe	133
PID 840 wrote to memory of 908	840	cmd.exe	133
PID 840 wrote to memory of 4396	840	cmd.exe	134
PID 840 wrote to memory of 4396	840	cmd.exe	134
PID 840 wrote to memory of 3780	840	cmd.exe	135
PID 840 wrote to memory of 3780	840	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\el nuevo buildeamos iejg.exe
"C:\Users\Admin\AppData\Local\Temp\el nuevo buildeamos iejg.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3336
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fRZO0AHUPYQX.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:420
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3560
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2140
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sUAEuHJzUgNc.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1044
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2820
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        
        PID:1924
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8pDcCjr3fq9k.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3124
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cbMHz8EhbqoC.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4eo9iSClXyHc.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:3192
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NioSaWfEEpMj.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4396
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d4kpnvx0gPAF.bat" "
        15⤵
        
        PID:4264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        
        PID:2812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C36g3uJGpw6g.bat" "
        17⤵
        
        PID:2852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vHO6l9ab41YE.bat" "
        19⤵
        
        PID:1576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4380
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        Runs ping.exe
        
        PID:1888
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dytPftNmU71t.bat" "
        21⤵
        
        PID:4464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rx8mLwkYbwyj.bat" "
        23⤵
        
        PID:3728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        Runs ping.exe
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gHxV2fxTNGc7.bat" "
        25⤵
        
        PID:3672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:672
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r7am4aURip9U.bat" "
        27⤵
        
        PID:1728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3512
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zo0f5aMDqa5V.bat" "
        29⤵
        
        PID:4120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1588
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        
        PID:2312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i3H9Bf79DZ1r.bat" "
        31⤵
        
        PID:3944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        Runs ping.exe
        
        PID:4248
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TRBYJdkpkwRM.bat" "
        33⤵
        
        PID:4728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        35⤵
        
        PID:3284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ceZb75aXP1d.bat" "
        35⤵
        
        PID:4956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4276
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoghuEmwL5Px.bat" "
        37⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:4924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4784
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        39⤵
        
        PID:660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d9RRY8d4pR0T.bat" "
        39⤵
        
        PID:4080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4760
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZzWHKjV7RQjd.bat" "
        41⤵
        
        PID:4836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:4408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4104
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        43⤵
        
        PID:2068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMpiPsWYhekv.bat" "
        43⤵
        
        PID:668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:1988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        45⤵
        
        PID:2204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VbbJmF9Rojaw.bat" "
        45⤵
        
        PID:832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        Runs ping.exe
        
        PID:4120
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkjukXDjikh1.bat" "
        47⤵
        
        PID:2808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:2080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5020
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WXFLkwkISKOs.bat" "
        49⤵
        
        PID:1676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:2004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        51⤵
        
        PID:4736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jo8EHAeTK8aR.bat" "
        51⤵
        
        PID:1028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:4908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3784
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        53⤵
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WHNbiTTA5rPW.bat" "
        53⤵
        
        PID:3976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        Runs ping.exe
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A9iJ1Kyzws9q.bat" "
        55⤵
        
        PID:3796
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:1716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        Runs ping.exe
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        57⤵
        
        PID:4036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QdnRn0dcqaO1.bat" "
        57⤵
        
        PID:3608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:1844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        59⤵
        
        PID:1432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q4bx4p6Q7pMC.bat" "
        59⤵
        
        PID:4936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4384
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yD2HsAz18PsJ.bat" "
        61⤵
        
        PID:3088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:2172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4612
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xadzCVbnjaeq.bat" "
        63⤵
        
        PID:4064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:1104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        Runs ping.exe
        
        PID:3648
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8JQfR6IkE9ta.bat" "
        65⤵
        
        PID:3588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:2004
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4516
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        66⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0tvrovUsAMZL.bat" "
        67⤵
        
        PID:3228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        68⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        69⤵
        
        PID:956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKs4bPatv1Kc.bat" "
        69⤵
        
        PID:4208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:1232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        70⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        71⤵
        
        PID:1148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOA0yL3iBcqs.bat" "
        71⤵
        
        PID:2244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        Runs ping.exe
        
        PID:3680
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        72⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        73⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OwTSBCmjX6D4.bat" "
        73⤵
        
        PID:2476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:3788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        74⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        75⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lsJHhTes6yrx.bat" "
        75⤵
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:2540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        Runs ping.exe
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        76⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        77⤵
        
        PID:4608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wB5o2B0G191H.bat" "
        77⤵
        
        PID:716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:3100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        78⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        79⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H1IS1yR3WGef.bat" "
        79⤵
        
        PID:4692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:2360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        80⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        81⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgqrRsqgwhN9.bat" "
        81⤵
        
        PID:2132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:3372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        82⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        83⤵
        
        PID:2352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\alpTFf8XTTye.bat" "
        83⤵
        
        PID:1160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:4932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        Runs ping.exe
        
        PID:4916
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        84⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        85⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fyla0Nq8Av5r.bat" "
        85⤵
        
        PID:3568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        86⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        87⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lL76mjaVFxaI.bat" "
        87⤵
        
        PID:5096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:4768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4276
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        88⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        89⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\za7IhWeQdIwi.bat" "
        89⤵
        
        PID:4360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:4060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        Runs ping.exe
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        90⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        91⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEkNVEDHMWIS.bat" "
        91⤵
        
        PID:3120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:4092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2244
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        92⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        93⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ctv1HX4qnZxs.bat" "
        93⤵
        
        PID:3676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4836
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        94⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        95⤵
        
        PID:1852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZXsibrmgDatT.bat" "
        95⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:3808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        Runs ping.exe
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        96⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        97⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXgj6XUab3MF.bat" "
        97⤵
        
        PID:4936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:1404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:716
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        98⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        99⤵
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ViHPQxJbsU8q.bat" "
        99⤵
        
        PID:2536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:5064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        Runs ping.exe
        
        PID:5104
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        100⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        101⤵
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bp9av9LlkFl6.bat" "
        101⤵
        
        PID:4904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:1264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4520
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        102⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        103⤵
        
        PID:4296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A5nv0W0WornN.bat" "
        103⤵
        
        PID:1108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:2780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2808
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        104⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        105⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9XRzpvplDl3c.bat" "
        105⤵
        
        PID:908
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:4728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        Runs ping.exe
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        106⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        107⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z7Zwf9MM8oLI.bat" "
        107⤵
        
        PID:1532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:3400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:556
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        108⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        109⤵
        
        PID:5100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h0j38WxEK0Vy.bat" "
        109⤵
        
        PID:4824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:2216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        110⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:476
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        111⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMj0CZ5dlOIW.bat" "
        111⤵
        
        PID:4724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:4008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        112⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4180
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        112⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        113⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKlRSd1EiGJ1.bat" "
        113⤵
        
        PID:3704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:4488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        114⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:632
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        114⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        115⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wVKiM7ElYSyk.bat" "
        115⤵
        
        PID:1960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:2072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        116⤵
        Runs ping.exe
        
        PID:2668
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        116⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        117⤵
        
        PID:2596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xb6jBRYUTiGg.bat" "
        117⤵
        
        PID:1144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        118⤵
        Runs ping.exe
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        118⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        119⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuitaR6ilweI.bat" "
        119⤵
        
        PID:4160
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:2368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        120⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        120⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        121⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFqFSAUb8atK.bat" "
        121⤵
        
        PID:1000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:3356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        122⤵
        Runs ping.exe
        
        PID:2028
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        122⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        123⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGove1N7eoxt.bat" "
        123⤵
        
        PID:4212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:2984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        124⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4480
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        124⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        125⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FHqU7Cr7SXF6.bat" "
        125⤵
        
        PID:1400
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:2832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        126⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        126⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        127⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LfHsTL0wIG5e.bat" "
        127⤵
        
        PID:1760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:2088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        128⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        128⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        129⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y7iySfMfJJxg.bat" "
        129⤵
        
        PID:4832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:1800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        130⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        130⤵
        Checks computer location settings
        
        PID:5096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        131⤵
        
        PID:4312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOqsL5Ir8QcM.bat" "
        131⤵
        
        PID:672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        132⤵
        
        PID:2332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        132⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        132⤵
        Checks computer location settings
        
        PID:4000
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        133⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4zNd1WRehKfz.bat" "
        133⤵
        
        PID:960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        134⤵
        
        PID:2680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        134⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3796
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        134⤵
        Checks computer location settings
        
        PID:1912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        135⤵
        
        PID:4488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L5u4jPEgzQ48.bat" "
        135⤵
        
        PID:1236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        136⤵
        
        PID:2968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        136⤵
        Runs ping.exe
        
        PID:4816
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        136⤵
        Checks computer location settings
        
        PID:4112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        137⤵
        
        PID:4464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dgm1ynn1pn26.bat" "
        137⤵
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        138⤵
        
        PID:4812
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        138⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4420
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        138⤵
        
        PID:4760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        139⤵
        
        PID:892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TrO3N00Sinc5.bat" "
        139⤵
        
        PID:1080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        140⤵
        
        PID:5000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        140⤵
        Runs ping.exe
        
        PID:4384
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        140⤵
        
        PID:2684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        141⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tg5VM4B9vrcU.bat" "
        141⤵
        
        PID:472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        142⤵
        
        PID:3008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        142⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        142⤵
        Checks computer location settings
        
        PID:448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        143⤵
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fh7vt81cvK4e.bat" "
        143⤵
        
        PID:1140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        144⤵
        
        PID:5116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        144⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        144⤵
        Checks computer location settings
        
        PID:2748
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        145⤵
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CH16mPuyO2Zl.bat" "
        145⤵
        
        PID:2132
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        146⤵
        
        PID:572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        146⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        146⤵
        Checks computer location settings
        
        PID:5056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        147⤵
        
        PID:232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4TLyUnYuXv4h.bat" "
        147⤵
        
        PID:3712
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        148⤵
        
        PID:3864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        148⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        148⤵
        Checks computer location settings
        
        PID:4776
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        149⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HzrXXeHTuM95.bat" "
        149⤵
        
        PID:3764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        150⤵
        
        PID:3824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        150⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        150⤵
        Checks computer location settings
        
        PID:1124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        151⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vc7DBbOLMdrr.bat" "
        151⤵
        
        PID:3204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        152⤵
        
        PID:4968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        152⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        152⤵
        Checks computer location settings
        
        PID:3784
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        153⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cvFIUCQP7ORp.bat" "
        153⤵
        
        PID:2052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        154⤵
        
        PID:4740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        154⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        154⤵
        
        PID:4080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        155⤵
        
        PID:408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\K9h4hzrm2ZHq.bat" "
        155⤵
        
        PID:348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        156⤵
        
        PID:4920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        156⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        156⤵
        Checks computer location settings
        
        PID:3652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        157⤵
        
        PID:1652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5uEcLI3Y27YM.bat" "
        157⤵
        
        PID:3964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        158⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        158⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        158⤵
        Checks computer location settings
        
        PID:3288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        159⤵
        
        PID:3436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m11mR6Q1KKtQ.bat" "
        159⤵
        
        PID:1404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        160⤵
        
        PID:3928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        160⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4684
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        160⤵
        
        PID:1224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        161⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeZCAFEA3JCC.bat" "
        161⤵
        
        PID:1092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        162⤵
        
        PID:1952
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        162⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        162⤵
        Checks computer location settings
        
        PID:2224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        163⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TxIasEeo8aB4.bat" "
        163⤵
        
        PID:2456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        164⤵
        
        PID:4284
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        164⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        164⤵
        
        PID:4504
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        165⤵
        
        PID:1280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8OXpAQR3xkFx.bat" "
        165⤵
        
        PID:5020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        166⤵
        
        PID:2352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        166⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1704
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        166⤵
        
        PID:4932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        167⤵
        
        PID:3184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UvIYdlT4LkXu.bat" "
        167⤵
        
        PID:2808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        168⤵
        
        PID:1640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        168⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3820
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        168⤵
        
        PID:3756
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        169⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3lWJh5q9k6Ek.bat" "
        169⤵
        
        PID:3936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        170⤵
        
        PID:4588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        170⤵
        Runs ping.exe
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        170⤵
        Checks computer location settings
        
        PID:1552
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        171⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kimXwsP1aSVQ.bat" "
        171⤵
        
        PID:4500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        172⤵
        
        PID:2464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        172⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        172⤵
        Checks computer location settings
        
        PID:4708
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        173⤵
        
        PID:4968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fh9x0nyIdbY9.bat" "
        173⤵
        
        PID:2228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        174⤵
        
        PID:4044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        174⤵
        Runs ping.exe
        
        PID:4704
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        174⤵
        
        PID:228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        175⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cmmf8Fkgx2UA.bat" "
        175⤵
        
        PID:4840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        176⤵
        
        PID:4400
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        176⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        176⤵
        Checks computer location settings
        
        PID:912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        177⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FHPDaEMrPe6Q.bat" "
        177⤵
        
        PID:4656
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        178⤵
        
        PID:1216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        178⤵
        Runs ping.exe
        
        PID:4264
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        178⤵
        Checks computer location settings
        
        PID:4852
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        179⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkeYBymRBSu8.bat" "
        179⤵
        
        PID:4700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        180⤵
        
        PID:2596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        180⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        180⤵
        
        PID:2868
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        181⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n3Elb3LmNfMz.bat" "
        181⤵
        
        PID:1848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        182⤵
        
        PID:4324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        182⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4764
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        182⤵
        Checks computer location settings
        
        PID:5060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        183⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5BXqtIEo5sDC.bat" "
        183⤵
        
        PID:2468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        184⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        184⤵
        Runs ping.exe
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        184⤵
        
        PID:2524
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        185⤵
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eiSFgqruKS9e.bat" "
        185⤵
        
        PID:2224
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        186⤵
        
        PID:4612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        186⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        186⤵
        Checks computer location settings
        
        PID:3372
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        187⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WM5ZXB2eb4XH.bat" "
        187⤵
        
        PID:3384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        188⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        188⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        188⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        189⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baUFIpUFCgyb.bat" "
        189⤵
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        190⤵
        
        PID:4728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        190⤵
        Runs ping.exe
        
        PID:64
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        190⤵
        Checks computer location settings
        
        PID:3284
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        191⤵
        
        PID:3712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\erw7c52CaKB9.bat" "
        191⤵
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        192⤵
        
        PID:3564
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        192⤵
        Runs ping.exe
        
        PID:956
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        192⤵
        Checks computer location settings
        
        PID:2932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        193⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PbOxsOhrhcnL.bat" "
        193⤵
        
        PID:2432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        194⤵
        
        PID:552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        194⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1672
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        194⤵
        
        PID:4312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        195⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a1QXj3uOWYKw.bat" "
        195⤵
        
        PID:4044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        196⤵
        
        PID:4232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        196⤵
        Runs ping.exe
        
        PID:3680
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        196⤵
        Checks computer location settings
        
        PID:2332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        197⤵
        
        PID:4008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fl3ZEO9TVCEy.bat" "
        197⤵
        
        PID:4180
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        198⤵
        
        PID:2136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        198⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4600
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        198⤵
        
        PID:1908
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        199⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ssxj2A3kKPpG.bat" "
        199⤵
        
        PID:4200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        200⤵
        
        PID:3604
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        200⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        200⤵
        
        PID:2668
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        201⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GIJgVxRJBVlx.bat" "
        201⤵
        
        PID:4604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        202⤵
        
        PID:4260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        202⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4648
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        202⤵
        
        PID:3100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        203⤵
        
        PID:1328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkQWcOm6uXct.bat" "
        203⤵
        
        PID:3772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        204⤵
        
        PID:4764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        204⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        204⤵
        
        PID:1708
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        205⤵
        
        PID:1224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSukNsbqR81D.bat" "
        205⤵
        
        PID:1676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        206⤵
        
        PID:4620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        206⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        206⤵
        
        PID:3356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        207⤵
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUC1UUWGjzV9.bat" "
        207⤵
        
        PID:4148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        208⤵
        
        PID:4428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        208⤵
        Runs ping.exe
        
        PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tvrovUsAMZL.bat

Filesize
207B

MD5
c4648bc512076a12897fb1a5688ccbff

SHA1
4d94d8ea926bd15912bb7518dcb1dc78280105e4

SHA256
c43f97c5b08b2667daebc0aaa26d0f3896ebba600983adeb9ee78bfbcbc4dd75

SHA512
7f8ebe5cb56d7fb1304b8ad22c42f309698a94995282d07b3c0df06a501d30c064593506d9b48ff6f4761d1bbffde276130307954306496871ea3950160dadf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3lWJh5q9k6Ek.bat

Filesize
207B

MD5
36fbfe3acd08c3011c328c9e2af03fb6

SHA1
ed253a42c041544c6151b68ab274a747b9cd10b2

SHA256
1172410efc1486f359e18710d3fc268f3def17b6be0eb82fff41f242ef116b9a

SHA512
027a89a99fe1dac1f2da4fa445aaeeefa39dd5ad3c569599fc049594137efde35b378bf0a68003c6aeec633d186759e256c71a2047742e10e18996379eb9aa82

Download Submit
C:\Users\Admin\AppData\Local\Temp\4TLyUnYuXv4h.bat

Filesize
207B

MD5
fe342a3f9a531067a70ec3fc2e997bd4

SHA1
7f4dda28c3f58cafe1452fbd0c7dc99fcc23d20f

SHA256
917104b66f9b895800a2f122b5fdc47ffacc46d5e5b5fcc217970501508e93fd

SHA512
54dfb37d80496b225d193db2ccc4d6422246566a44363b2a0601352e0b1fcfd8678cf4372fdc2c22415f91979947409511900ddf9eb647111e1aaad2ba35c04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4eo9iSClXyHc.bat

Filesize
207B

MD5
1a6de6172d524aadf71b633fdcb54da6

SHA1
8f64d67ea3304529fda5cfd83a46d01520fab70a

SHA256
646d310a6c6c7de973d8eb08c99c5ea8faa02274d6fe33ad9dc0d1cf04626528

SHA512
8fbd0b34b0fc8a9e124300a3199c2b0c1b35176723b7e0901f2e02740db270661f302d6eec310119eac9f98dd2c11723da227f8bf0d719a868c406f7f03e6864

Download Submit
C:\Users\Admin\AppData\Local\Temp\4zNd1WRehKfz.bat

Filesize
207B

MD5
91a59ab7ad3164bd31a13ceb8419ee33

SHA1
8ae74001485ae7d1ad243bb7d047178a722ed8d4

SHA256
2384e154419298395398da647b944e61ab2f6452b91184787375a349504c06b1

SHA512
caa0868c1c564e0197746b3309f21cda72336a9e73db035dd21b631f653733afd38d09372fabdcd40d9a5b21518bb245245161b75b507e0c4d5cfe99d5fc6bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5BXqtIEo5sDC.bat

Filesize
207B

MD5
401db890fde6b6627995b92b0fea32e0

SHA1
68e063df103439aeabf98e851d005d373319fe40

SHA256
5676976a55d0ac2bd7d2f9241f27b23115651e2325573471bebb6b8dd010ce39

SHA512
345a472b08c64eca5c5838c1e7b630b3d39d778204f84c061ce60e321792de495d1b2f85ae9dafc684d950105a28e0e7cfc96e9a56d409b803c00c52bf7ca978

Download Submit
C:\Users\Admin\AppData\Local\Temp\5uEcLI3Y27YM.bat

Filesize
207B

MD5
daa6849f6c4a3a47ac54d958760e6b41

SHA1
5fb8c5b1256fed37ce23f280d7d4df41891ffb46

SHA256
f11ecad798c13ec8690069dc45862aa64bd98a7ee87c65c7a0baae9c9aca9679

SHA512
7a9053e6ed3172131f29bb7d01d37b6f7119adb581eac75fc71e38c747a26776d2e262478975f4a9165a68aa6aaaf6bcef25b660fa60610e11f9943c071fbf8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ceZb75aXP1d.bat

Filesize
207B

MD5
a348b8fdefb3ca26829ed30f414525fa

SHA1
f7ed461e91079dc5f91ff57cab3910f1fa2117e5

SHA256
6ad9ec2475a33ea4a02f2ccbd95f8a8bfcb214efed1f1c72a8e99bea26a34bee

SHA512
f26948b4b4296d88a1a6a0ebc9c8a68bb91f369e54878912e42b4191ca9dbccefa1fb2bd64aa31be7c7f1573904d4131f7753a42f7cf164f3e0bea10d9a02777

Download Submit
C:\Users\Admin\AppData\Local\Temp\8JQfR6IkE9ta.bat

Filesize
207B

MD5
551d2263111eacffee0f0ea92180ea5a

SHA1
b7bda11459fcd421ce4cd5d54d046e4e8ace7ec3

SHA256
c8516a562cf93718d916bea3d0e52f3437e61cf3483495054dba6ca975152165

SHA512
54846ac9195f19979b22551bf2d1477adc907be850642f67f5c098728ea0e16ff9934bf61c438e603f833e423509e698f1947eb36086004cfb2dc8159fe358bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8OXpAQR3xkFx.bat

Filesize
207B

MD5
a422cd3e3fda7c2263924b76a7fa81ae

SHA1
502aee8ed3adfd8a58ab3aea6079dcdd42b15b68

SHA256
584627171166db9b640f323f23de5e106c8bc2ece420f858e518b6f948d98cd5

SHA512
a76f3599074804551da871cd40bbdfb62e804d9ba652ec158b496dda2a0ab3d09a62da04351d656c1bfc82adaf7b9181965311bd57f9e9610089dbe23c10e09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pDcCjr3fq9k.bat

Filesize
207B

MD5
4fe29bd9cd39652f7f43fe6855ebfcb3

SHA1
434a6e28994fbab22c51545b9cb4349bab0a9657

SHA256
a48f37e7860de8db26c5c2e9edca59a237ddf7a5ae46bea042d1c742a40cf4b9

SHA512
18b74243cc4ae35e93a753f8f197022d7ac628dfaef2dfef623d900af331b820f7909b10afa4ec9975185026e2fd0ff1ccaab4271faa206bc2420a8fc7036106

Download Submit
C:\Users\Admin\AppData\Local\Temp\9XRzpvplDl3c.bat

Filesize
207B

MD5
bb5899a5fc3c25f7f9ce8db8bcaad592

SHA1
1a32da5b4456f8e69511e510ca558707f038e510

SHA256
8bc151f5f30d3e6b8b87b6a3f12b4d0c7854204d84301c953da06be0d700376f

SHA512
317a28df8a6e15700bcf59f7432a092c4c0c5847ef4d4f628a1ea4c5c68b7b0089e3b68e9ab21a39ddce26838be3d025979aff92a18668c31eaa79f5e036d640

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5nv0W0WornN.bat

Filesize
207B

MD5
59f8d404e15899dae3aff9b2f72848b2

SHA1
9ffe0524295f15c5091a9de82223cee40845a551

SHA256
3106c1c401222b42c35abc69f198b80039e2e97c8a9423dbcb75b22c2f5afce1

SHA512
0cd45d3026cb4ca9b07063ba0fe899065f10a7f1e3d8befc00ac7a37eec928018464448f6b4196ca91215076d123f0940909e520f0a1175fedf3bd9c86f13465

Download Submit
C:\Users\Admin\AppData\Local\Temp\A9iJ1Kyzws9q.bat

Filesize
207B

MD5
a5df8918ec827896b828e9979224e82f

SHA1
b9734f20cc954fc2ce8e7b389b13ba53c0fbd347

SHA256
381b67d535213aab5666d844eee2e6e77ff99a3cbfb5afd2e198ef39aee6e3f7

SHA512
1f31cf5cbe6b82d1b65a4fd10edd106e59956edff4e02154bfd2029215721c97044af00140edfd3505db2ba3910ae9073f84cc811498c7142b4dd88984834b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AFqFSAUb8atK.bat

Filesize
207B

MD5
a95aa08abd608cdd6b2f2a4860d03413

SHA1
a8b6a04479eba4178ff65988eaabdd0579d0289c

SHA256
9b166d9744aad92ce70ae7ba704252688e636ba51bab9eeb824edf92170210e3

SHA512
c2c712f00a3678dfd9ce461726f639006e3130c89c36b2778a6c7fc3765f6617d1b992a93913462b29f4db758bd3ee11a6ed1f80494e7130369e50e8f7b8b7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bp9av9LlkFl6.bat

Filesize
207B

MD5
f5c5e4d5aea206cfda2ac7e232fed621

SHA1
f0d08429f97bede617c98c18a44a88cb0cb9e5fd

SHA256
08a06d779ec2b4de27bb21688e5b28df249da092997928447f08a21b487a838b

SHA512
0a90af89122d5750c895486ce92fbc0038d3af45920e0d4666d6219f232cc2adbe65861127e5724370982e4baae6953ac2d17cf395b60fe7105600693733c95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C36g3uJGpw6g.bat

Filesize
207B

MD5
64c3f575a548cd9899e716686d6fe005

SHA1
74845e96e006c627964fb83026848ed541c8ec22

SHA256
ba2722621222dce689eb69b3ab752fc4032e4c295b3e7df28c59feb6cef3c558

SHA512
4ee14a5f4404da79e39765865149ad7450bbd0433f70bd27c751b6a5d859444040b3e5d5f1a2b8c87ccdeb38b00408462c6d9e9ce4ac64a0fecab6d0786a99c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CH16mPuyO2Zl.bat

Filesize
207B

MD5
49d8b53f4ddc4be90bd3ab244d447623

SHA1
6a33926663772986e5bd71a730bb9bcd37cdb5ad

SHA256
4e5bbbcc248f4706ec163342f825d5f40f6da83a41a882dbe11b35b6f4c5c86a

SHA512
f1d8d6db1784be39712027deb587ef4eea52614ef3e76fbb832c1c17c4b5d53f66694bd706e1d37b7115aa054baa8289ae77002148c404238b65e77a7e2f969b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cmmf8Fkgx2UA.bat

Filesize
207B

MD5
02b7ea6da2be1bd73c6a8a5d9a86fb8d

SHA1
e93eb07815b9aa328e1645fd1884b8f5c37f8c5b

SHA256
d7abe6e5d076ce0dd6759f89aaae33ef5d29d2eb0dd02d04fe79f64844ded45b

SHA512
c2c814812f531a9c6fa93ffc987fa99dbcfc93367467677107d9a4954345a75430fcb119f8f15e8927eb46145527a8ad90d85c4f5a4a5e28a1322575aeeb9be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dgm1ynn1pn26.bat

Filesize
207B

MD5
ae1f40274f32e04b55afb6d988d6b7e8

SHA1
a7aab19a0f28517427f9e4e4df4cac183ea72698

SHA256
85ab4c5975ef9b6a504c7026b3419f698a9ac415de43930482347fd04fc7629f

SHA512
3fa691841d98446e3a4105919ad0446581ecf234b9d615ffe34e639b1bad3ee2e533681d70b30fa0ef853ed7bf1b1aeac1fe15e9f1a974bd1faf8125c5ea2e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DgqrRsqgwhN9.bat

Filesize
207B

MD5
417b01fbd337c91d8c7c11bf1070ba01

SHA1
75e6b0e33e50f45399016bed6bea9e8e88b81c6c

SHA256
fd4eaaa191a7cf34943ec69f066b140f222f952c0d10ed07c91254d555c2b11f

SHA512
c546a8b5399d2ea9497dacd7c4d1af8b021c354f3081150432ec39091ab0fb8fca29b728f3aacbbf4ce62eb36d9695bad2799d6f01ee4b082025bc26aa1f8cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXgj6XUab3MF.bat

Filesize
207B

MD5
2f5377abdd2b2aaeaea5a2dcbba55f1b

SHA1
da805ce19465144131388be8af1f8ddb38a70a04

SHA256
d95cb04231a1e68d36274c6f5084527bbe9e7cdaeaebb7d4bfc2def469287a93

SHA512
d5e1b427dba45d9dfd5eb140d519e2177b91ede14c81bee5a6a58f682911cdb4d44e3726314048d3f2610caa30611760087c4829ea986d8bce84b5405cd67b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHPDaEMrPe6Q.bat

Filesize
207B

MD5
025eb86e9a6502bf7511fc01424938c4

SHA1
777347e5fca77bfdaac7b14006e335db9d88ec75

SHA256
2502e597ef5d63b7f4bf57ef46e301e120a1c867a009645d3c896b690755313a

SHA512
351978e672b314e311c36a6e5d4227d33f1140108d362ef72ad6be4a1e26f50e4519ef0837658655426abff74115ac3664078a5c494d5628ac7d30ffd13dfcf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FHqU7Cr7SXF6.bat

Filesize
207B

MD5
365ac74a551732efcbc5ef0b53c1091e

SHA1
d59a65f2b6d97f398fabdebfb6f92345e1e85090

SHA256
529179208be7b328ae36d49dc962c0731699e2ee1ff18004590680e64e53fb7f

SHA512
b89dc93cae0bc1a74e1a92defaff21f600e431efc5a211af473d2a0ba2479e4124bd23580ac6daeee72633d602b461453784a91007c36b7e90e465b47b2f648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fh7vt81cvK4e.bat

Filesize
207B

MD5
a29c7ac267591f6eb28091e8d090fc69

SHA1
d75cc309ba163e92789054ebc242b3dd06cdcfa2

SHA256
65ddee01c80a4915fef211e40de05864f1f2cf245f549304fa6233efef624eb0

SHA512
bb94dc793112154b0315e7b884fa5557ebe3ba23549685291b1e9da6ddc3a18fa5bb375df2749a91d9e52060ed47a2fdb7a2ffbc0a9b5fdc466b7e19014ba2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fh9x0nyIdbY9.bat

Filesize
207B

MD5
19d30d894dc7daf6ffd042c31c12855c

SHA1
8627e63a75853a2ba7b9e30ea02808a6043e832c

SHA256
120184c3ee74001ab694c319613dfc2e90e587b39252fb1306c90167c9d4a229

SHA512
0f9898159056b6bdedb42530e266feef340c400846abadb61fbd2faf70a2dc2926170ed49bb65b9d3cb61d280b9cc751b3ce6af7822d97c01d3a91c598c436ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fl3ZEO9TVCEy.bat

Filesize
207B

MD5
b25404b0f94a7de59c3e0d4da35c8cf6

SHA1
faae6a19dd8439c52d8aca919e7c832abd394396

SHA256
bea5c9dec49766876acfc0aa9ad6dba52d595f48dc0f53d1006eeeab941aa479

SHA512
1bec18c690dae579ba5fdf1ef799d2b0c97528339b0235e974cb1627bfc472b403457d4399333d3623f22ae0f82c6b58b7ddcb8901f4f3fda36b4a93ecc089da

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIJgVxRJBVlx.bat

Filesize
207B

MD5
23aeb304b63f417d4d1e5b3cbdd3d2ca

SHA1
dda9695e11592d45a9c60d4547c576a6d867fe0a

SHA256
3522490ae9426e1df2528e8a5014953f5575d617eed400dc09ad37fa8af6ca4f

SHA512
bfd6771bd5fe2778cbf399c356f39755e39341033309f816a9355c1fba3e491b5c8f585fb1e2023d523d361d4c83c10472b6c07fc3a7fb306b88e6fcded687a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\H1IS1yR3WGef.bat

Filesize
207B

MD5
3227dc84902d5aa7b8d64e8df6202839

SHA1
e05a28279e6c1c3dbb013e8b49c7bde1aa19ed86

SHA256
c1ed6c68b4677ce064892a15e84dccf3dddfd4c993c5e96118d370e7ad3b5e70

SHA512
f8bbb1ffcd1d7a8fe2275554665f1a506d19e7104bf107ac222bf3dbe13ef25f7d45e443ba0fd72ed486dde63d7fc8cf5d7587eb2fad4d3357968a50cf0bc4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HzrXXeHTuM95.bat

Filesize
207B

MD5
83e700f6c67b3864364af180c4544572

SHA1
ffcb799518a98f91f4f3b7865d413d3a45868304

SHA256
b117e354a9bf3b9b0509b66667e4648a6916d558d49e019d3f7db9de2dc9993e

SHA512
7fd2cc17fa5a3c86398fc5a6df5680f24a3c82c1923cc26b36cd0682b2721999b310cdd3092ced2a23035a8e949a7081be6174ab28110dffff9a24ac79379726

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUC1UUWGjzV9.bat

Filesize
207B

MD5
0250551a555f9081935db0769eb0911d

SHA1
1ac7b12fff5869f40b2a2a450079b4eb3980e500

SHA256
183e1950b6cce2dea919970c9b69a62e3223db3fecc192ed874c7883be5cd295

SHA512
879521977ffc32604a7772ece9f19283d371bb012ebf9307fd115840432672d46ab2e7f107a433957d13d41f2d62b831db19fa82bf557cf9881c41fef38d3890

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jo8EHAeTK8aR.bat

Filesize
207B

MD5
4fffa37f55fad6a00496fe90ec6e9abc

SHA1
68b0c761354fe6502f458997a006dd90e4b49f1b

SHA256
7d1686fc1be1391469c1ca33f2b12ab0c81bbc578b720e208f77f3296a4250f7

SHA512
d5e18bcf288c5a398b8d4e7ef74515d7a1272358cbaa2b241812444a8369fc355d6e989dc9dffb8fc5a6daa6143f175568fcc287dbe3a0b121bf3975a15ad7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\K9h4hzrm2ZHq.bat

Filesize
207B

MD5
2a0d9c6b21965d6b6310563bacbcdbd6

SHA1
ec333856dd344e9d7fc3974afb5edc1dbb847f51

SHA256
591fd98c3551399ba9dcf38118467e19c076d553a908c9604e9d16e6aa352cd0

SHA512
242560a0a751e249af2d3a8a54ddab5d56240ddf5452d86d5a7cfdd465b969b88f9b4dd01c9caa1ed837319faaff23dbcd2c24bcb661f18657f9675e55b585dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\L5u4jPEgzQ48.bat

Filesize
207B

MD5
3532144c809c6f01e5485c5b335b3a3f

SHA1
ff2b2573a0aaca4a32047fac2b98c9c689d65ca4

SHA256
bdbebc78284215411868cd82506ee54f5cf465ac9b7e8f88fe2a3c7c6c910a5d

SHA512
022ac2d812d3c3f786292fce1cc8b9f2de95618cf7c47a77a00257299ca2e6157754ed73bbc40b686544bc27186182a66ea9edd933ba4872b747939ef2810a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\LfHsTL0wIG5e.bat

Filesize
207B

MD5
d9456fbb2a1771690c45f433c9109a6a

SHA1
4daa69b9d60969c28275d531d0e8f2269ce279a4

SHA256
fccbce441e07d8dbb4d675a33415d704bcd81bdf21a0f019bfa90e817133993d

SHA512
c2fb545a8e8031fe85cfc369a49fbb3e03f3b91de219d4a58bfaf0ca497d44739ea77146285560ec192c2c3ddc31b80ade2ba0caf8a7735cee4413fe0ebdba3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NioSaWfEEpMj.bat

Filesize
207B

MD5
7904f508af5703e80f1b3dfee941d44c

SHA1
be6352f8aebfd9c908055f67ae87861334a4b360

SHA256
92e7f73beb35081d55fafd1db2327c353a45cf95572523a7a86c7d162302e6e3

SHA512
59b25f779e096847b4e8dc01c15b71b49056d2b0d4d2cac1ca2c1ebed3ba9beac77f5096669110fae4efe077f451915cdc72fbfb70587d27e6ef681361ae0de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OwTSBCmjX6D4.bat

Filesize
207B

MD5
0ceaa8f29ec48c8342fbfec7de828318

SHA1
f820121ccac4545a5e9b968324e2b1265bfbfb0a

SHA256
1f298772846c09ea0b087dcecbfb5f803c58f4e45bc4bb7ccfd2ddcf7b321577

SHA512
f9fa79db24f437fb22469cf1ff9b64ccb9044f3b382d223c8e71d2cc725f5818a3a0394b61cfb8142480ebc482c295c8003a6c27d622b70c2fe724145c492c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\PbOxsOhrhcnL.bat

Filesize
207B

MD5
0181a0b495d6f7940760753665e76309

SHA1
affda841904f5ae300a64e59e5056dd5d95aeca2

SHA256
61138a88e2128c055eac31dd5a2cf2774ffb33170dd61aa44cea43c6c31abba2

SHA512
9b09f804d1a7f11d53cd8b8419358778cf26bc70a569faea24f02a48c0c5dae9fac10b6fc2c308aa09a504cd0f606bcdf1f42c7bbbb0b81dd0c6298f649260f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q4bx4p6Q7pMC.bat

Filesize
207B

MD5
e2c1230fb403e496a14d403e8462f08a

SHA1
9f88ef8e51b68cf54c2666d7b21ada994d391e11

SHA256
389b6ed4c01db6614dd8f9f9cf8a46766e9d894fde736f13dc4f1dfc32cec019

SHA512
c50de395332917c37deb13cea52b8bee1d65d08ba26174df2c0db7eb63ab01b44d59e65ec881d728a6318bd9c77ea6d8e77018a30042523222a138e76a2155b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QdnRn0dcqaO1.bat

Filesize
207B

MD5
321ae3724ba1bf67694f1fa19d5846f0

SHA1
4dc71e33ee8bfdb96e15a6359f405be47cf0b152

SHA256
587ee086149516fa4754a397d8eb6ef4ffdb7390b37d33807ce88061b074151f

SHA512
03063c57be8d8bfafb609f2a06f600a1037f79d3d91a514638b7afe9b7e4bd04b2be229df140a0d56c48cecefe64f4c90c5992becdadf816c6ac2ad3bc5b0473

Download Submit
C:\Users\Admin\AppData\Local\Temp\QeZCAFEA3JCC.bat

Filesize
207B

MD5
37cf935e22e6d8eeb100ed25f530d1ab

SHA1
41ebac596ab337a3858d2e395105a59227ad689f

SHA256
55bb29695e6d156d88291fd967070afd362c0ab6ebd4d16af92b8d7950be00d2

SHA512
3191770e337d2212ede110b5619fcd4ccb19612a4ee6be557fc797db464bcc8434bfa1acfdd93c9593493a23226f2aee7eedccdcb158dda7bd7bfd2086e4ed2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuitaR6ilweI.bat

Filesize
207B

MD5
638c583d3ecf14e5a7f72fedbeba3aca

SHA1
aed1df0691c7171a87a3760df21c38a6033b1e0c

SHA256
7acd500f1201ef700bc9bd1a2532ae9f095b2b87da5519eb385f1c04fe9a5c81

SHA512
1c435cb208c526f71080e4842674d54a3cb1a4f79a8c5a105760822af7558e09bb2319206bb4d26fd6fc641b343ff33a7ca77e56909610a4572a5ade39731243

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkjukXDjikh1.bat

Filesize
207B

MD5
aa97cc651d3435303690805226497ecd

SHA1
1d6f464640e352a5213cdf1d7e3ec2f9ee31610a

SHA256
7142f6ec719baf94d1c3abf4f907afb8a8efa4914be683819289f4baa07bd376

SHA512
b5f9f0fbbf01ca61b893cf3612ddb3656bba9dbf9c45d306926c71b933b5871755187a89d2fd93a76e69ae5e309ba133c0b51075131acab5d7ecba8e81767767

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ssxj2A3kKPpG.bat

Filesize
207B

MD5
0603e6d97760a956145f9732b9ccf06f

SHA1
6e86dc9ec22533b2d2b7057484d2da58c0d04d17

SHA256
0bd63c59173780dcb8d17fbc64dcbae905c7a7099f9955f4a95d075fca962be6

SHA512
0fc545b72039c39dffe944eaf756b741e1e4c66ea92c444baee91ba0309d891257bc5de3ff95c4f2be26d1b86ace6d94233ded5d563778996b184b1388083bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TRBYJdkpkwRM.bat

Filesize
207B

MD5
8dfb7fe21d84f3a58985afa4a45fc1ea

SHA1
fd333c6e3fd62226950e80123e1555b9e45e8700

SHA256
b084918543b5978c54369fae2ed69436d5a2bd0450ef6e3538d1d484a55ee40c

SHA512
59ec099cf0029e9f79b2568fec173458733e7211eb6de28a119b89c6bb75a65e8b8445e925fa4ff94935c3cf694619f0bd928b922c482451abeb7509709801d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TSukNsbqR81D.bat

Filesize
207B

MD5
f9889d9e5dafbb04d8eed3ca63aa4fcb

SHA1
f4c3245093058613f5aa7b54ff26a937d7d85720

SHA256
b207c9c4e6487652459da9ad12eac33005f5902e489ebe4bf9ad8b0a6c30208e

SHA512
e078092293d0f0238076f491028c66b8c374ff31105fad8ceb9b26a101a255315da88509d58a7fa1a6196b5456b50d91192eccea9b3ab4f041438b72ed973937

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tg5VM4B9vrcU.bat

Filesize
207B

MD5
f0bae6156a5bc9a451ce1f215df17cc6

SHA1
7aaf267764c95ba8dfea4e1b35794a8721432622

SHA256
a51e0f15600cf252d09aacf3485552b3c61ee1efe9e58c723449cc4f74e22c2f

SHA512
af824507c8532c48d95c1febb494605f5792729bf563588a39fa10b519565c83893536029b30a1afcdaf8d5f4d10494bb4caf96b523160525a79d8a5292980d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrO3N00Sinc5.bat

Filesize
207B

MD5
bd4085c3d01fee0643288c85ff40f0a8

SHA1
26d3fbd89b416fa21a8ce166b275e2ce915849b6

SHA256
889e52699d552bab77bf3d03edbf5f352dff341223ea147e1e8f9dce0af2e82f

SHA512
65b35574851cfe4e81b39f42a3353d9f053dd025c85b05c9506faed84e918baa14f35e5dc01b82a305bfb5b510eceb2140f3fc6007caf0c4d1c4d309498ffe2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TxIasEeo8aB4.bat

Filesize
207B

MD5
02ec822fb468afa21f0adbe235140505

SHA1
5da41cde375d6c2bb265a53770e9836bdca052fc

SHA256
b1666915ef67c7932c2458f074c88738d07e0e3748d9de8fd0efd0ce50695c5b

SHA512
661d7bc7a2da9dd1e615ff54500f4839119d3e1c5809c477c4e716e6da39eeb60cd461c6fab4b8ce653796ffea3b38f74543160d3d6111d686d199c24238a56c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UvIYdlT4LkXu.bat

Filesize
207B

MD5
6f64790ed12a6a4cd80e7cf6b3c2586c

SHA1
37a857b00caf355f1e5079f31a1f5add012cb16f

SHA256
0838fc0cd9e418c65b2bc9a927e7f5fa9115abb3732fae36f79b0e7dcd37e163

SHA512
34f2c4a9b2ed4fb569b9ba97abbebabc200b054cf5afbc95ac2c62f5dc87dfbd668ca33bc4c6d018b066bd392ee320216a9f2bf0006224165ed3a38594575615

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbbJmF9Rojaw.bat

Filesize
207B

MD5
156e816735316370a6b0460cc6799e1d

SHA1
4a98e739218df6f861072d9e747b50968190f1ad

SHA256
0f13e52729996c93b9d9a7149884c30f79b2903f2aeaa0c33d9a78b97bba6853

SHA512
1dde9a0bc099287e261d3ed26c86a2c0c1ec4c41cb78b3d22e871561a698c1cb7f4aecbf26a53e219a50dba35e828e7ea9537ae816b2f929a857c47d9cfa41b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ViHPQxJbsU8q.bat

Filesize
207B

MD5
63e687433522757e4c95c0600b6e1b7c

SHA1
7b0e31f8bc7e1c5b80aabc8a77d97b3ddc08bbc8

SHA256
f72904d247c83bc7b42ae6dc1df831d0f41b4b53ff4eb648bb8296d985dbf0e8

SHA512
0b6ab88c1477d3ccaea4eb476032512a8526ffec89a9699685b5e8d6c61c56264a96632284340a6e4a6d26803ec9566fca77157a4d96daad8dd1fc425e5965d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEkNVEDHMWIS.bat

Filesize
207B

MD5
32a5aa3d8fa9106bda7ac0a6682d18d9

SHA1
06c14e144e4dbed1287b9468fa5bd0f583cc6b9e

SHA256
4889acce0df853f9416d20f44307f28500cd6f900f574f0303cb45cc8739fc27

SHA512
5da3bf1fdba2728972b9bd343295a68b0928c66a5ab3d2d13df4b73bb8e62207970340d64cb847151f1b0fa87147a3c5daa1842ef9915a559bd1a994dc42926e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WHNbiTTA5rPW.bat

Filesize
207B

MD5
59cd07398f9933af85073215c7da4e8e

SHA1
34f0549671c3278af268f8dd1ad9b885648fb551

SHA256
3b79f8903a7a9b0c21444fee7217009316bc9be3510fa5469a0b151fc49154be

SHA512
53c8d419acd85cf88f0d21b493afc864d1fa0639f762f1d0378280e6a20019e5626819862c6aa84c5f68aa97f3a5335f78575c0a0c253fd4867035321d9cd3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\WM5ZXB2eb4XH.bat

Filesize
207B

MD5
ceee5b8e5985b8baba98f3d09f4861d4

SHA1
8b9b17a444f43224fc5e0c1b591f162c8eb004b9

SHA256
bf8b1eb4dae3bea7170b38a1840f24874fa5b1265a96b6a30b1606e10d768dcb

SHA512
7750cf69f973174e9d0f4fd9cb68d835bf79c680cb6e835b6f37ab862c6aabd98d4877d8425ea1c2ce42058a24c972c324b305e5341feaa54a89cd6045e321cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXFLkwkISKOs.bat

Filesize
207B

MD5
b10b7d133fb339fcbc508ae4ba906ef6

SHA1
56e06b8395eb2c8d349b3e842b7ad8901e53d008

SHA256
635f887ebf2cfecfdd396a345df0121831f8b87415f60213a66d194863a4e2a0

SHA512
e60d86b274f3c9b21127b584b61cd0ae916efd4992219079e10aaef3e0fe65d514fe605ef9e91f467d0effab73ea1353346e539b727a7aa0cb339d46fbe71f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xb6jBRYUTiGg.bat

Filesize
207B

MD5
b1d17566bf86fa17bf895abc3d4b8025

SHA1
b636c78dd30bf240b10fb220c06a16faaa4174da

SHA256
458e63ff1e604f71985db48319ce7c949ab2af2b95deed53625d3ec0233dc5df

SHA512
802ffac636402b831d434c334b09d701c4fc7496664b71a5daeb0a4897c243f3157f9bff9d8d9feda462c8e85793be07cfe8dac0844170db9dcc52dd3900bc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkQWcOm6uXct.bat

Filesize
207B

MD5
e9338cb5e2a9232d79f7910fb2a1564f

SHA1
c499879baa53f778dea7a6247e0dae33ad319c0f

SHA256
e82d3e051cb649a7e69e463f1a226aab538f78b25ca6826a7d4a9d22d64c1825

SHA512
ce5de185bb4012c965d3dd6ed0973b68503fc366f853097dc625362cdabd48fb8c8c043f27021bd4556490e740c6d65ef7ea83e4e0e811090cfb5bb46e14a329

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7Zwf9MM8oLI.bat

Filesize
207B

MD5
2fc8b7c66a8f641602c5250fabad2053

SHA1
f03f2478e5ed342ea3a05192b79165a0124cfecf

SHA256
5b536d69f0c7e1f58eb5e4f2a3882c9b0f3bf167b1149201d6f82398e44555c8

SHA512
fab65712d9ad5657f812d45d162292969b6bcc47e6adc3d345369d5a5bdd0a2c1b688737a627bbddce64f45cf95049228dd718b0429bbe84dcc274cc9fa978f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZXsibrmgDatT.bat

Filesize
207B

MD5
bb6c72ff2d9433684a3429e72b2c5163

SHA1
6e30661e152d0494e241f9da460e99839ba77c74

SHA256
a2898c2b40ffe69aa6b70f6e26f3bd3cacf34110850aa049dd4e8bf502fec836

SHA512
029490120c7bd12e16064d196052578da1394846eb6d626f5c037ebc91d6e342587bc1efe91c31b48aa1605ddba12ba37761f5f6c9bdd8f16a91ac1ea53ea3a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZzWHKjV7RQjd.bat

Filesize
207B

MD5
d9983c3aecf95e128e4a0b25dfc00313

SHA1
42794a1824b6c283d44bab331ad647dc644250a5

SHA256
fdc9d98bf21da7f94309feb46083e2cf0de211669b562a38ab0f331f16cf2aa7

SHA512
b1dad5399ec655dee1cb5f7298a8db6f22d7d7e8433554dc8ce7e7029ca2120d8519b6f73221d61f9634c8d46874df5a8aa0dcef5d22a62033bfcf5c5ac914ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1QXj3uOWYKw.bat

Filesize
207B

MD5
f2aa1340e7e45e57d4121b7ac2188d04

SHA1
f094d5916df557c2bb4b5766503f92b8d10fe1f7

SHA256
898c5f11609e5df7b910c2c7f51097cbb063ab772a5aa8bf9b512d7fb9e43b68

SHA512
4d25aeae7d21b16bcd7f1faa5789e8f151f11eda5f9a44afbb2e081d94f612408d672f10abc32d1f8240a7d1f9c0c6725679b853190d7289b46701bdbc27d0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMj0CZ5dlOIW.bat

Filesize
207B

MD5
9d2c907a2a086f7d02faeba2fccf3358

SHA1
ff96985f29b70f1d1f68be17494ac2e0c2b73846

SHA256
46ce2932d835acce2fd4d5405d9e8c6d13b0b7bfbd78bb8bc036df25e2071140

SHA512
64644cbd02b1b28f2217ca3cf74eb2bb3ad3c7c8af96d8ab293725fc483ae1ed64a495ad562567f125ab5529b6f0b7aeb60d8faa86869f27ef9a605a49c2af58

Download Submit
C:\Users\Admin\AppData\Local\Temp\alpTFf8XTTye.bat

Filesize
207B

MD5
a554876916de041cfd8a7808c5966644

SHA1
e274c2c3c3522577b180d4887e55dcdeb7edc32f

SHA256
98588f2dfa7706d524085f7675713bfa6130e40448beda7eb96b40481b0a205d

SHA512
e3f388e2f6a9b7d4b1158476597a00e6b9a1b92529121e7da58c840251c839a364c3a593557e6fdc2950ea289e57a2ad67bdd73037368df9804b7bf1a87f7d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGove1N7eoxt.bat

Filesize
207B

MD5
38dc04a99f474bf504abc1fdb245f0a3

SHA1
f5e5ce8d05249b6a698e17f5dcaa6f8ce531de26

SHA256
2d1d16f461174a16b30788e61a147edd98ab2add6459679372797cb28a551e5a

SHA512
2d0cbced36b3c00261cd23c6ced207de94189b7f88afe74d661d0e507a0a2e5d2017e245416af4e5d9c2bf51f12a24a9646adc137f5ac31ebe1440e0d4bc2abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\baUFIpUFCgyb.bat

Filesize
207B

MD5
8923412ff6ba5a34841d6480f340794d

SHA1
4fee3fc680f64f2427338f3ab0b30ca725a2edea

SHA256
8dad0a3d7531ed6aa414e33d62535f39c79996fa788097b0c7f69e82fcbd3baf

SHA512
259bb66378844edcf9efad38bbc9f268ec72dd0f44ae854f6b5e56825e761864251b1b78956e5322cedb25539fae5d1b36664dec6b5639f3c21f0ffc71d35387

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbMHz8EhbqoC.bat

Filesize
207B

MD5
138de31489d22442d793f703916f67c9

SHA1
861a090a949876a258779398ccaeaf7535691285

SHA256
4cac422b647c55aa9d1d698340015b540b01a0ab7f0dfeb860956dd3178aa6a2

SHA512
e1c1191aaa1a3c4cf7d12febe310723ff882baf234a22a4eb100e0134ac20be3ba7a63db63c019499db95293c1cff6dba55726280c1af2b96e685daee2be9a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctv1HX4qnZxs.bat

Filesize
207B

MD5
fdad5f82fc99a39cd8d8e480d88bb49e

SHA1
c1134068332ee93c925040f65af5fa21713a1863

SHA256
3ad228552328e264df037c0694b225fc37089fb9a667992bc64873c9dfbe38b8

SHA512
a65b97bd65f62003a5c5e9d4c0e9704113f14d7cadd3331987cefe11d9e13112e41565caf495b75468c95f5feddb9451ab866b2560897104e6cab3418dcdc187

Download Submit
C:\Users\Admin\AppData\Local\Temp\cvFIUCQP7ORp.bat

Filesize
207B

MD5
926c1d11460a3414d4fb2d662610f115

SHA1
e02f8729ab59a1455fd675b4a718968be5e01f6e

SHA256
7b7b08525a3fa00f060912501511866558d7e19811fdb7f529001d2cf727c353

SHA512
9b28398f60a752d007b5738cf58ea37b29aeb9f289ec0e03e4099f9749e326970d76b0740f70f3aca0f55e0d3a2c078def138c39dd3de279e192cce18cee1f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4kpnvx0gPAF.bat

Filesize
207B

MD5
917031d280c3055d4e3658f5989dea80

SHA1
58c5365e07c84533780307c0807df063763bb5fb

SHA256
4dfcb36841f4a4c459ee45c7f1a82e0850d13faeb4fda2f00f648faad0d8eaa6

SHA512
34e28c828b6e90bc59634dd7b22ca13aa05f66567b35815b9f9ac598f9b55f08ce2cb24f4ee7995f1ea57e4643e5e855e91e045dbb177394c157836aecf6f4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9RRY8d4pR0T.bat

Filesize
207B

MD5
bb46604fdb1d933e3d6cebcb3cdcd991

SHA1
16d466f7c05a6714a7cc472c789f641bbffdb7a9

SHA256
0c95ae54b31670bdf90d2eac2ec8190a1a2b6bfa20f57a6580510b3844c0cda1

SHA512
98add6c7476154381fffa4ff14fcd4e8f79568c6d599c600535546620c52391e1aec7f37a0bc07c86de3b09d47b329d1fc6c68b474438d84373ea5fbec6512c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dytPftNmU71t.bat

Filesize
207B

MD5
b375340f73946335288af03378c6852d

SHA1
fa3c10b02fc2a95a85d5f676c8dab2cfe3667b95

SHA256
6f68b62ab53dcf707988604510c41b2d8b81e777a1f1043f5ac082eecb058897

SHA512
b0d164cb015cbf5766b92e9b284a6d566825b77b83eb4375c0f5ea875bff7a3932e264b46f07e201bcc79c76561cefdd56b78e665b218486d9436572cb930116

Download Submit
C:\Users\Admin\AppData\Local\Temp\eiSFgqruKS9e.bat

Filesize
207B

MD5
3be3a40998ea449628b9dc69a26b63a6

SHA1
07ff37ee0cb6dc95a057fd436581478960fa0948

SHA256
e3a77f08c6b6c20a209b949b16b3364187c7f2cf0295dea4cfbb2c73591cef7f

SHA512
a5e31ffad6c0e9c0eefdb8446acd6a21a6ee1434756ebd5b4135b33ad14861bec55ba33c022b509931ed00319501042349e7ed36b3043a44a04929841949eeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\erw7c52CaKB9.bat

Filesize
207B

MD5
5ffa2748afd4d8fe297a862b1d983bce

SHA1
b27cbda47d8200776969b1419073b8dff92e9e25

SHA256
900604875e4166d3e89a25c134024cf17d2eca6247c9ca052d0b52722d1f852c

SHA512
a37ee68b5e7682628f798b3a2ed324130526a23ce502594543b09aa2ae2e1a82692c33387a80175e101cd19131d23cb02ccfdaac65636bdc2507d07fa6fc41dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fOqsL5Ir8QcM.bat

Filesize
207B

MD5
e20c5fb75411ba711557da3e8461fd92

SHA1
47f2ff2f0cc39edd48ded031a8e392a3bbe3e983

SHA256
3757340e73572f6416955f62a918b90d6a2950e0aa1a3cefcbcf5ae45328c99c

SHA512
44132ff83ebd2b2849816d1c459a7c0be97fe919d13c19e6bfb18e1c5202988d20e90e47795361a1939e5ac42716891ee8e5389fc3801c5b407fd531868750db

Download Submit
C:\Users\Admin\AppData\Local\Temp\fRZO0AHUPYQX.bat

Filesize
207B

MD5
5b5b89ab3b637d9060ab420eb4bd1bb3

SHA1
1c131afcb6ea87dc4812e10fb31f09cc05bf4d70

SHA256
dec18af7028980d22c490151fee579ddccfe3211ab69fd073ff9f558e5e6c228

SHA512
0dc9c936b4c7c01428572d627d5882dcf2e45c0579e0fcf77e939dd4c561bbd5dc128aa6aa5109a4fff284c3cc5dbf65216b12f0c2a78af20935a9b8696d8c8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fyla0Nq8Av5r.bat

Filesize
207B

MD5
3a727153fd8f4d0be3e5bd3c0047aef0

SHA1
e51d35677b78c5a2086cc0154e69a31b7338516c

SHA256
7298ef7e1a40804f2d117b5700a40786719d69d52d737fdc5dd78aee3d3dbc3a

SHA512
64551324a00da99e917961704e6093ebd33a843fea8703f86eac51c566e4835d43e8bd8adaa0ebf854a2586f26512895e0efacc9b1f2b1f0501ee7b264622fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gHxV2fxTNGc7.bat

Filesize
207B

MD5
21ec711d7041036eff5a711e36f9184b

SHA1
09b00fb3dfd33df7b53ef6c5ab7ee57f86b3f780

SHA256
8e64002db5ad11d3d41063fc3121838ede16ed1f0ca727146885519ceecc221f

SHA512
0d2b7c87b87066b4e080da3f05b96e811909f43cea29f65fd05b6cc5c68c01378c79d9940c5f268dba368c25ce7aaf9070e7ec0dcfe6f2103622d41aad2daf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\h0j38WxEK0Vy.bat

Filesize
207B

MD5
b0b39877354fcf463a2ab47b545efba5

SHA1
bfe02a58d9c3491fbc9c8a3d4a18b015751d7c02

SHA256
1366d85109c4f79d3a89192bd1b6e0be089b48dd0f6b8cb363cda6b183f9ba4d

SHA512
ef418899bbbaa9ece26ab2df6cd3905cfefdf3e119ea5aaa6b4a6d28577c35bc5c88d27ec35c5432822acf561da9362f199c1013aa6dac009c913abd514a4c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\hKlRSd1EiGJ1.bat

Filesize
207B

MD5
f485d56764a765225ba09c4f47ea5c50

SHA1
b172e07a6cdb7eccd3413d5c94e4d4c2662ff206

SHA256
e357e6036f15c41d10ab75d4cc728e1a5066ef4068e427d4b34be46f4bf2bb8c

SHA512
ed45da56db2f2c57dafe80eb5c87b77b0c8ecd4081fcbe9c940147cb472655f1f70570461a5a5b640fa631ae57ab65fd1a70650c9e0e9546a212c0ed46402ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\i3H9Bf79DZ1r.bat

Filesize
207B

MD5
b3784aa98504b7a3a33f605aa411b9f6

SHA1
5ff19c20f7c13cd8ffb072967246c4872a8f31bc

SHA256
256776c4af38e31cb4e151e1e4ee2b0e9065e250c84726b3bf9fbf064bfb233a

SHA512
ade13ad732957846554bfb5048fde12c9f5cdc46beb48c3c379b7b19b453021c0bafa8c49012208b34ec4779ad6c1f72b6eb9d1956927f091d657e06b6bdad1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOA0yL3iBcqs.bat

Filesize
207B

MD5
df3a0a89c9bbad24ff453f72dd955807

SHA1
1d07f416bae862f11c187cd3a40125a8c3f90d3d

SHA256
b1a969b07980d404e9d06973904e593451379eab5c0cef995e88dfb00efa89c0

SHA512
4d8bc51078566ccaf56b2537afa139b41388ca45d02d7288d5dd9ed7fc52dd20f42f912e9364487fb8ab53dd504aa258e8c4cb0388d95419903e9c3de34e8e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kimXwsP1aSVQ.bat

Filesize
207B

MD5
babde13593354feee1c4e98968362372

SHA1
ea4eea487b90a1f256f3bedc35644d26e91329bf

SHA256
cd23d53828beeb5c18719d9cf5e106bb8499b6d87c1b080955329b7234fa915d

SHA512
25003dab6c4da3f96927c94f574c9a0fd8580e0adc0300136f995b874fb0c584bd7a1477e715fce62ddf82f8d860a13f5e13de97e900223a4124f76945563fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\lL76mjaVFxaI.bat

Filesize
207B

MD5
10de96c911456e340f21c535ec944a4b

SHA1
39b1f0ae2e2af773515a0af9da3fc14e2bc336cc

SHA256
009b9d6fde1fe79bb5a595857e97481e0b726489b7008bed1e91572eb2c8db72

SHA512
887ed6f70ab52fd8cf59e00b53d6db54fbe821e5345b9fab11d6d79cbe78b2909edbc3891f29908a959a175b8cde57e5a43221cf41f3c4cd47e0885851590f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\lsJHhTes6yrx.bat

Filesize
207B

MD5
9cf8b2d0f47d65f809475931139d54cc

SHA1
436da5fc69dd9909eb3dd8980bb96c6f57fb8aaa

SHA256
b575f32d5ef73fdde4e418fd7744a635020d9434b73d8f683ab7e1f551c9a7d3

SHA512
154b56f2359f1764f6065437be72a0b6be7f355ef2dfd5d18618738e6f27199c09cc88d554281a717d1451905a1b51260576f1ff64460f22f9507e4ac1bb5451

Download Submit
C:\Users\Admin\AppData\Local\Temp\m11mR6Q1KKtQ.bat

Filesize
207B

MD5
e6dcc908576716af3a388b6da65e5c3b

SHA1
99c28ad7b4d63e4f5e7a49bb7f4bad654033f994

SHA256
c242fbf2fd98a105452b21e23a9bc0e79c91c9be63b7df029acac23a96f42c69

SHA512
a65abfed480757d007f795268c881285af6df6acf6bee61256ecc5a5b2c86fe1e624a7f6c1f7df36bba41a1b24cedcc2cd66f89d76f118a7d2231f7be93b0e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3Elb3LmNfMz.bat

Filesize
207B

MD5
8be25fe7b055bd7e1b660a417ecd79bb

SHA1
d22e79d0c2517c5556b9a791bdb911d51a13deb9

SHA256
6dd181049abef7996a17cec3abf849124e9b3f4a2d881a2686803ac4e5496bf1

SHA512
3691c68306c3dd45925e4e7a18f880a1344e59758e229ef8cbd6040255faade32ebdaf9209713ca091b0741cc99edbb9190c50092785ea19d947f402691c9f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7am4aURip9U.bat

Filesize
207B

MD5
3d4bc8f66bc794d4571de7a00fd9beed

SHA1
92262625513e7ce2f8fc2b04ba96f1c9230c69fe

SHA256
030c7cb25a68ed8fdb548988ffe857ae05a75f544226cd58bbfec3750b972451

SHA512
8376c53688d1304ac1fa815671f72aaec6100687b43052bc482bd2dd785df9dc7fcb60e33f7df682af5fe2ec0655b7c24a25f86d658b8d69a9220facfdf38e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\rx8mLwkYbwyj.bat

Filesize
207B

MD5
be8029126ff00087cdb6c412d9b75740

SHA1
7d1fa5e74ae5b93a66d658e4ff9dcb637b9e358e

SHA256
02ee60b66dea46f3e6e250183227b98c7259f3fe0e5c783fe02bf3b7557a3de0

SHA512
6cd2381a4f296f5aaf65dee78b6d863b73487fd0974e0ab64a7b966a9839ed3a97d49a5e0bb63e7f50caaa17751ad3aa52b1eb6864823874386a7e35e2919065

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUAEuHJzUgNc.bat

Filesize
207B

MD5
7193cbfcfd42899bfbdded9c5bf99c1e

SHA1
8574f46f6022f66b3c329414ae7ccdcaaad2fa91

SHA256
6cea6e9a3634f072cceae8ebc69cb052511f8004143288585e4614158397e86e

SHA512
87ee4e43ef49c3de4dda8545b529754edf358ef4b958231fb69dc67fd20fe934bcd87f312072296c513bd3fbb369548d3415c572d5f98c599f9e12d5079e98f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMpiPsWYhekv.bat

Filesize
207B

MD5
88c81594d7d0fa43a50ef1aaf265befc

SHA1
d742eb903d6f836dcbff652ae5dc9249b8bd40eb

SHA256
c0344a241d721f226299905517e84e1c3d40055a7bf101e2b7942ff8b16ad1a6

SHA512
01c8c735a0505198e81e8de18ab435c507fbe207b9bd962b059912b4ccc72d6f25c07ef3d65b39d58f9feede2c3e20d60f35de2f68103e77425fcfa81d9ff74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vHO6l9ab41YE.bat

Filesize
207B

MD5
65981b5a2cfa9ed78ff16111b6c212d7

SHA1
f0d076bbfdd170da5542c41492a470d60e87fe2b

SHA256
a9e5fe1d3a00468efcad1734857a20eab41bf4035e76fd4cec5a892ef898bd64

SHA512
d0318c04ffa0364a6679b488d5725a5559e63b9a8ac3650ac8c49e2a577e6d97d07f8ade04e86c7abeaa91c8e4f9d36953d87b66b474d309bd5ff0ad2535acb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vc7DBbOLMdrr.bat

Filesize
207B

MD5
f55a16500fb78e57b62057785a878204

SHA1
56c000bd7a9edda47bb0b0ee866bc564d1e815c3

SHA256
7537ea0181df3790d1d1a1f53bdfbfae1040f12b1a58ed0e5416b49370afc495

SHA512
7e4ecb8ac7bba1a09342115d2551942257bdc0ec6d5e6c53754cdf606fa1564db3206a51e25b62129b005509238ed0c5b6edc2087af677cd755e048434bd666b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wB5o2B0G191H.bat

Filesize
207B

MD5
e3608bad0320604d728adeaae1ddcbbd

SHA1
16a1309cb9c372bd1fc1fd0af75f5d1bee1eed30

SHA256
817b700402220f358eaa8286bd7b2e0047ba6b7567cd6aa56f96937d6e76a074

SHA512
c315726f69e1fbe493b6f3f2d462b657596c4e8e738972a989ecf35769959eef60a496a00357c061026bd9cf07892063f9441070d16686315c92436a91258602

Download Submit
C:\Users\Admin\AppData\Local\Temp\wVKiM7ElYSyk.bat

Filesize
207B

MD5
b064aede657980d8dd90aace067d4074

SHA1
f446da66e1eed2034abd9275caecdc8c7b3511e9

SHA256
7c5441504563e6fcdbfe423f9ed7de9f0f544c7dccb893ecddc79d132feb919f

SHA512
1cdee36ca9486a4906699e656c7f0cd507df1ea10db25fc068a2683212bd085fa2ac970de6c463b1c3bf75d0a21a866c0c4580959860e43aba5b7c19366e748f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xKs4bPatv1Kc.bat

Filesize
207B

MD5
9f54d2f01ce7fb4b95d16fd0d55e69e9

SHA1
5b3376fced16abff9109bdcc6ab02dfbd0620851

SHA256
508851a33e15bf40029c11c24207875c29f4c6e79b890bdb8c2857813c4dd45d

SHA512
094ae4484af851f6d1893791bf18e121e1cf280d7fb60b62e0e0c756383423b9be8889a9b74c5c99e6f696021fc5e8be439fd7e91f2d3c3dc88127823b46285b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xadzCVbnjaeq.bat

Filesize
207B

MD5
7441e846cbb44a03e7380a954000efa0

SHA1
d7eac9b47dbbd9345abe28d747c4e5a47a58c142

SHA256
1606d136fce80392cc71602396ee496b6e9e31bbf22b91d03123769519c3d316

SHA512
2a80a74cdf0c79089713c0b2d9ecd8b523db09e972e33d2cc23e96f8165a7864271925d81f4d4c700da7e5d961438f2da966e6f19b5f10290af24f25b26b1aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\y7iySfMfJJxg.bat

Filesize
207B

MD5
f6d477b2c65cd966b2d0a9145d8cfde0

SHA1
1eece56f0defb15c71b7f45443cbfa564135308a

SHA256
3270e5b8b68b930884f8480edb2b5ca27568a9b8fd474f747c8fe02f11e44ee2

SHA512
31c68137e98affef2ca05efefa451a157f2730c7bc209df8638f7ee898f827b0de3986d493832ade4cc8c4e5f3399232c8a43deff67169a7b3194961229ec50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yD2HsAz18PsJ.bat

Filesize
207B

MD5
8431cbec80a17b0efdf7062aac99b26b

SHA1
22cdc5c28de70c2d62c38a3559a497c502957e58

SHA256
1be32154a5c90553ea3c0fbeee38dfd244721f0cb9bdb97cee35b28e5dd684a6

SHA512
af39234487f5bbdbe5a23641e337c72be82246ff2ef73f71542ae4e3602a4c5d4b667802e403ab315a04260529147735e0e2f114633e0ee530eb2eba4f79fb3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\za7IhWeQdIwi.bat

Filesize
207B

MD5
5a57d4ea2cbd6269da458b817ce33e3b

SHA1
05810046f710943f1060c468099cd69d86ae6542

SHA256
b58d01af59328e17eedadbd795aa26e39ee000e149f12af3beb2d5b06cae4ec7

SHA512
7fbf93481313120a4d9b6e68282553e89ad569424a0cf2a28e494483affa996ba7d7b7b610cdd6c5492314c642b571dce08fe5cec3191361f0da7a8b549cf130

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkeYBymRBSu8.bat

Filesize
207B

MD5
f29931db4143031fcf7e330b36afad6b

SHA1
1c52d01c2d0449e5ddb5600135bcb4f55c93cba8

SHA256
28286614b210631615850353e19b7a2689d5f169a323b7089da8061aedb04165

SHA512
61658ae9e83c0bf82c23bc90c4a6fa7af60ba875883543771668af679d262052055be6948cdc3ec13c0308ad20bc76ab1ad347c3d2ca11c2a8e6fc6490df2f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\zo0f5aMDqa5V.bat

Filesize
207B

MD5
4293cca9293e4b3f825cc97c4d2dba5b

SHA1
92575fad37a1e538e9cff7c3ec02efd32c36e4a7

SHA256
6e8b1706b0b9a627169023e0430406cf44ccc515156cfc4f20497cc8a816db82

SHA512
3f2f78a7b94e62914f2d42b12fd9f0048cea6ac5efdfbc5cea40705e344bca1aec1026771e49e6e842e6d0230abac2a79c034b45b3b4a50acba0a44d3d7bf0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zoghuEmwL5Px.bat

Filesize
207B

MD5
1b9650ac4e38542ea9affae19757bc89

SHA1
d06e21041b27aff0eaa25d1122e7b0a58b4055a1

SHA256
c3d1d3ea0dc73206b486d1dd684541254daacc44c725e5b751383a40e783cf28

SHA512
89256b06dddcf99463c45711434f5cb71f006e37cc49e93a25f504850d7716de443d2c498b3c0d5d1c5928074a0bb01316bbb35e1362cb65b2d1f96da4c54374

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
b6968e0331d2b8da011ef8fec9ea377f

SHA1
3219222763a3ef6f2c07a047c00ba9e4eb01c533

SHA256
d398dbc7050f5f465a6c25d09df0aefd90a877c9b235318a1829c9ce5139c034

SHA512
8df4f22da3a9950341df9c37661130f59a7d757b88066e8129bec09ef678bba22efd74ec2309eaeddf96008c80b838f32afc00b80f47ac932f441635ac78f828

Download Submit
memory/2588-8-0x000000001B8A0000-0x000000001B8F0000-memory.dmp

Filesize
320KB

Download
memory/2588-9-0x000000001CDD0000-0x000000001CE82000-memory.dmp

Filesize
712KB

Download
memory/2588-7-0x00007FFD52E30000-0x00007FFD538F2000-memory.dmp

Filesize
10.8MB

Download
memory/2588-5-0x00007FFD52E30000-0x00007FFD538F2000-memory.dmp

Filesize
10.8MB

Download
memory/2588-17-0x00007FFD52E30000-0x00007FFD538F2000-memory.dmp

Filesize
10.8MB

Download
memory/3976-0-0x00007FFD52E33000-0x00007FFD52E35000-memory.dmp

Filesize
8KB

Download
memory/3976-6-0x00007FFD52E30000-0x00007FFD538F2000-memory.dmp

Filesize
10.8MB

Download
memory/3976-2-0x00007FFD52E30000-0x00007FFD538F2000-memory.dmp

Filesize
10.8MB

Download
memory/3976-1-0x0000000000040000-0x0000000000364000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads