quasar | d235809f999353ba99369eb3f2df5a32c400954bbd852f6842edf8cd5ad1a8d6

Analysis

max time kernel
898s
max time network
460s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
11/01/2025, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

bc1d1f704a0f37aaa31d8da25618926d
SHA1

f4660775a087c298f06ea418ed31d678eea08922
SHA256

d235809f999353ba99369eb3f2df5a32c400954bbd852f6842edf8cd5ad1a8d6
SHA512

84316eab0534d14ab956f52117a156071c7a930a670a5a77c109b7bb09df08b6d1b9871e97e4b4e844dcc9211f8883af9ed87ae96fa422082ecf0a7f99defee1
SSDEEP

49152:KvmI22SsaNYfdPBldt698dBcjHvVRJ61bR3LoGdZxTHHB72eh2NT:Kvr22SsaNYfdPBldt6+dBcjHvVRJ6H

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.77:4782

Mutex

a45d6a9d-6557-4b6f-b798-0ec5ffcaa226

Attributes

encryption_key
312B6A0B5118D6087CCF93301A6FDB0B736544CA
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/4744-1-0x0000000000F30000-0x0000000001254000-memory.dmp	family_quasar
behavioral1/files/0x001a00000002abc0-6.dat	family_quasar

Executes dropped EXE 64 IoCs

pid	Process
4104	Client.exe
1128	Client.exe
2264	Client.exe
1964	Client.exe
424	Client.exe
3360	Client.exe
852	Client.exe
2408	Client.exe
4656	Client.exe
3740	Client.exe
3392	Client.exe
2328	Client.exe
4144	Client.exe
1560	Client.exe
2032	Client.exe
776	Client.exe
3216	Client.exe
2548	Client.exe
3276	Client.exe
1428	Client.exe
4604	Client.exe
3256	Client.exe
1656	Client.exe
2220	Client.exe
4360	Client.exe
2816	Client.exe
4828	Client.exe
2056	Client.exe
4436	Client.exe
1148	Client.exe
1632	Client.exe
3848	Client.exe
4296	Client.exe
912	Client.exe
4856	Client.exe
336	Client.exe
608	Client.exe
2344	Client.exe
3128	Client.exe
1168	Client.exe
2824	Client.exe
4556	Client.exe
2156	Client.exe
1508	Client.exe
1528	Client.exe
864	Client.exe
1420	Client.exe
4828	Client.exe
2056	Client.exe
1172	Client.exe
968	Client.exe
4356	Client.exe
956	Client.exe
4296	Client.exe
4376	Client.exe
3548	Client.exe
2988	Client.exe
4248	Client.exe
4504	Client.exe
4164	Client.exe
4144	Client.exe
2228	Client.exe
4604	Client.exe
2584	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
228	PING.EXE
4372	PING.EXE
2500	PING.EXE
2076	PING.EXE
3472	PING.EXE
4092	PING.EXE
4164	PING.EXE
1560	PING.EXE
1844	PING.EXE
1468	PING.EXE
2720	PING.EXE
3680	PING.EXE
1652	PING.EXE
3576	PING.EXE
3536	PING.EXE
2512	PING.EXE
2684	PING.EXE
4208	PING.EXE
1112	PING.EXE
4752	PING.EXE
4424	PING.EXE
5028	PING.EXE
4016	PING.EXE
3940	PING.EXE
1160	PING.EXE
1892	PING.EXE
396	PING.EXE
2296	PING.EXE
2152	PING.EXE
4992	PING.EXE
1272	PING.EXE
4912	PING.EXE
3400	PING.EXE
2236	PING.EXE
4104	PING.EXE
4124	PING.EXE
1216	PING.EXE
1300	PING.EXE
1232	PING.EXE
2348	PING.EXE
1936	PING.EXE
4904	PING.EXE
1908	PING.EXE
3416	PING.EXE
3248	PING.EXE
2424	PING.EXE
2488	PING.EXE
4256	PING.EXE
3116	PING.EXE
4540	PING.EXE
2392	PING.EXE
608	PING.EXE
896	PING.EXE
1396	PING.EXE
764	PING.EXE
4824	PING.EXE
2268	PING.EXE
4896	PING.EXE
1764	PING.EXE
1920	PING.EXE
2616	PING.EXE
1856	PING.EXE
4632	PING.EXE
2480	PING.EXE

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
1396	PING.EXE
1468	PING.EXE
4824	PING.EXE
1272	PING.EXE
1764	PING.EXE
1300	PING.EXE
2392	PING.EXE
3248	PING.EXE
3296	PING.EXE
3472	PING.EXE
5084	PING.EXE
1732	PING.EXE
2640	PING.EXE
1436	PING.EXE
1968	PING.EXE
4124	PING.EXE
3400	PING.EXE
3124	PING.EXE
4752	PING.EXE
1856	PING.EXE
4164	PING.EXE
2076	PING.EXE
2348	PING.EXE
896	PING.EXE
1652	PING.EXE
1036	PING.EXE
3576	PING.EXE
2500	PING.EXE
3116	PING.EXE
1908	PING.EXE
1216	PING.EXE
2196	PING.EXE
2336	PING.EXE
4992	PING.EXE
972	PING.EXE
4424	PING.EXE
2616	PING.EXE
4904	PING.EXE
3680	PING.EXE
608	PING.EXE
5028	PING.EXE
1920	PING.EXE
2720	PING.EXE
396	PING.EXE
4092	PING.EXE
4104	PING.EXE
1232	PING.EXE
2424	PING.EXE
4256	PING.EXE
4632	PING.EXE
4196	PING.EXE
2720	PING.EXE
3536	PING.EXE
2684	PING.EXE
2624	PING.EXE
1112	PING.EXE
2480	PING.EXE
764	PING.EXE
1696	PING.EXE
2172	PING.EXE
2152	PING.EXE
4016	PING.EXE
3416	PING.EXE
2144	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4424	schtasks.exe
4656	schtasks.exe
4916	schtasks.exe
2684	schtasks.exe
5000	schtasks.exe
4848	schtasks.exe
968	schtasks.exe
1400	schtasks.exe
2692	schtasks.exe
1368	schtasks.exe
4392	schtasks.exe
1184	schtasks.exe
1748	schtasks.exe
2268	schtasks.exe
432	schtasks.exe
4540	schtasks.exe
3448	schtasks.exe
1760	schtasks.exe
2564	schtasks.exe
1812	schtasks.exe
3320	schtasks.exe
1084	schtasks.exe
4988	schtasks.exe
2924	schtasks.exe
4628	schtasks.exe
3140	schtasks.exe
3244	schtasks.exe
1588	schtasks.exe
1640	schtasks.exe
972	schtasks.exe
3720	schtasks.exe
380	schtasks.exe
2148	schtasks.exe
4104	schtasks.exe
3584	schtasks.exe
3308	schtasks.exe
4912	schtasks.exe
988	schtasks.exe
3492	schtasks.exe
1168	schtasks.exe
4636	schtasks.exe
2220	schtasks.exe
1928	schtasks.exe
3400	schtasks.exe
4604	schtasks.exe
2852	schtasks.exe
4720	schtasks.exe
2072	schtasks.exe
2956	schtasks.exe
1556	schtasks.exe
4756	schtasks.exe
3740	schtasks.exe
988	schtasks.exe
1496	schtasks.exe
2548	schtasks.exe
4952	schtasks.exe
3216	schtasks.exe
1936	schtasks.exe
4192	schtasks.exe
4176	schtasks.exe
2316	schtasks.exe
2404	schtasks.exe
1616	schtasks.exe
3484	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	Client-built.exe
Token: SeDebugPrivilege	4104	Client.exe
Token: SeDebugPrivilege	1128	Client.exe
Token: SeDebugPrivilege	2264	Client.exe
Token: SeDebugPrivilege	1964	Client.exe
Token: SeDebugPrivilege	424	Client.exe
Token: SeDebugPrivilege	3360	Client.exe
Token: SeDebugPrivilege	852	Client.exe
Token: SeDebugPrivilege	2408	Client.exe
Token: SeDebugPrivilege	4656	Client.exe
Token: SeDebugPrivilege	3740	Client.exe
Token: SeDebugPrivilege	3392	Client.exe
Token: SeDebugPrivilege	2328	Client.exe
Token: SeDebugPrivilege	4144	Client.exe
Token: SeDebugPrivilege	1560	Client.exe
Token: SeDebugPrivilege	2032	Client.exe
Token: SeDebugPrivilege	776	Client.exe
Token: SeDebugPrivilege	3216	Client.exe
Token: SeDebugPrivilege	2548	Client.exe
Token: SeDebugPrivilege	3276	Client.exe
Token: SeDebugPrivilege	1428	Client.exe
Token: SeDebugPrivilege	4604	Client.exe
Token: SeDebugPrivilege	3256	Client.exe
Token: SeDebugPrivilege	1656	Client.exe
Token: SeDebugPrivilege	2220	Client.exe
Token: SeDebugPrivilege	4360	Client.exe
Token: SeDebugPrivilege	2816	Client.exe
Token: SeDebugPrivilege	4828	Client.exe
Token: SeDebugPrivilege	2056	Client.exe
Token: SeDebugPrivilege	4436	Client.exe
Token: SeDebugPrivilege	1148	Client.exe
Token: SeDebugPrivilege	1632	Client.exe
Token: SeDebugPrivilege	3848	Client.exe
Token: SeDebugPrivilege	4296	Client.exe
Token: SeDebugPrivilege	912	Client.exe
Token: SeDebugPrivilege	4856	Client.exe
Token: SeDebugPrivilege	336	Client.exe
Token: SeDebugPrivilege	608	Client.exe
Token: SeDebugPrivilege	2344	Client.exe
Token: SeDebugPrivilege	3128	Client.exe
Token: SeDebugPrivilege	1168	Client.exe
Token: SeDebugPrivilege	2824	Client.exe
Token: SeDebugPrivilege	4556	Client.exe
Token: SeDebugPrivilege	2156	Client.exe
Token: SeDebugPrivilege	1508	Client.exe
Token: SeDebugPrivilege	1528	Client.exe
Token: SeDebugPrivilege	864	Client.exe
Token: SeDebugPrivilege	1420	Client.exe
Token: SeDebugPrivilege	4828	Client.exe
Token: SeDebugPrivilege	2056	Client.exe
Token: SeDebugPrivilege	1172	Client.exe
Token: SeDebugPrivilege	968	Client.exe
Token: SeDebugPrivilege	4356	Client.exe
Token: SeDebugPrivilege	956	Client.exe
Token: SeDebugPrivilege	4296	Client.exe
Token: SeDebugPrivilege	4376	Client.exe
Token: SeDebugPrivilege	3548	Client.exe
Token: SeDebugPrivilege	2988	Client.exe
Token: SeDebugPrivilege	4248	Client.exe
Token: SeDebugPrivilege	4504	Client.exe
Token: SeDebugPrivilege	4164	Client.exe
Token: SeDebugPrivilege	4144	Client.exe
Token: SeDebugPrivilege	2228	Client.exe
Token: SeDebugPrivilege	4604	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4916	4744	Client-built.exe	77
PID 4744 wrote to memory of 4916	4744	Client-built.exe	77
PID 4744 wrote to memory of 4104	4744	Client-built.exe	79
PID 4744 wrote to memory of 4104	4744	Client-built.exe	79
PID 4104 wrote to memory of 3492	4104	Client.exe	80
PID 4104 wrote to memory of 3492	4104	Client.exe	80
PID 4104 wrote to memory of 1080	4104	Client.exe	82
PID 4104 wrote to memory of 1080	4104	Client.exe	82
PID 1080 wrote to memory of 4008	1080	cmd.exe	84
PID 1080 wrote to memory of 4008	1080	cmd.exe	84
PID 1080 wrote to memory of 4164	1080	cmd.exe	85
PID 1080 wrote to memory of 4164	1080	cmd.exe	85
PID 1080 wrote to memory of 1128	1080	cmd.exe	86
PID 1080 wrote to memory of 1128	1080	cmd.exe	86
PID 1128 wrote to memory of 3484	1128	Client.exe	87
PID 1128 wrote to memory of 3484	1128	Client.exe	87
PID 1128 wrote to memory of 1148	1128	Client.exe	89
PID 1128 wrote to memory of 1148	1128	Client.exe	89
PID 1148 wrote to memory of 5104	1148	cmd.exe	91
PID 1148 wrote to memory of 5104	1148	cmd.exe	91
PID 1148 wrote to memory of 1232	1148	cmd.exe	92
PID 1148 wrote to memory of 1232	1148	cmd.exe	92
PID 1148 wrote to memory of 2264	1148	cmd.exe	93
PID 1148 wrote to memory of 2264	1148	cmd.exe	93
PID 2264 wrote to memory of 2328	2264	Client.exe	94
PID 2264 wrote to memory of 2328	2264	Client.exe	94
PID 2264 wrote to memory of 3744	2264	Client.exe	96
PID 2264 wrote to memory of 3744	2264	Client.exe	96
PID 3744 wrote to memory of 3304	3744	cmd.exe	98
PID 3744 wrote to memory of 3304	3744	cmd.exe	98
PID 3744 wrote to memory of 2512	3744	cmd.exe	99
PID 3744 wrote to memory of 2512	3744	cmd.exe	99
PID 3744 wrote to memory of 1964	3744	cmd.exe	100
PID 3744 wrote to memory of 1964	3744	cmd.exe	100
PID 1964 wrote to memory of 2692	1964	Client.exe	101
PID 1964 wrote to memory of 2692	1964	Client.exe	101
PID 1964 wrote to memory of 4832	1964	Client.exe	103
PID 1964 wrote to memory of 4832	1964	Client.exe	103
PID 4832 wrote to memory of 3568	4832	cmd.exe	105
PID 4832 wrote to memory of 3568	4832	cmd.exe	105
PID 4832 wrote to memory of 2076	4832	cmd.exe	106
PID 4832 wrote to memory of 2076	4832	cmd.exe	106
PID 4832 wrote to memory of 424	4832	cmd.exe	107
PID 4832 wrote to memory of 424	4832	cmd.exe	107
PID 424 wrote to memory of 2684	424	Client.exe	108
PID 424 wrote to memory of 2684	424	Client.exe	108
PID 424 wrote to memory of 3852	424	Client.exe	110
PID 424 wrote to memory of 3852	424	Client.exe	110
PID 3852 wrote to memory of 2656	3852	cmd.exe	112
PID 3852 wrote to memory of 2656	3852	cmd.exe	112
PID 3852 wrote to memory of 1560	3852	cmd.exe	113
PID 3852 wrote to memory of 1560	3852	cmd.exe	113
PID 3852 wrote to memory of 3360	3852	cmd.exe	114
PID 3852 wrote to memory of 3360	3852	cmd.exe	114
PID 3360 wrote to memory of 1948	3360	Client.exe	115
PID 3360 wrote to memory of 1948	3360	Client.exe	115
PID 3360 wrote to memory of 4000	3360	Client.exe	117
PID 3360 wrote to memory of 4000	3360	Client.exe	117
PID 4000 wrote to memory of 1184	4000	cmd.exe	119
PID 4000 wrote to memory of 1184	4000	cmd.exe	119
PID 4000 wrote to memory of 1968	4000	cmd.exe	120
PID 4000 wrote to memory of 1968	4000	cmd.exe	120
PID 4000 wrote to memory of 852	4000	cmd.exe	121
PID 4000 wrote to memory of 852	4000	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4916
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d7YhbKASz19Q.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4008
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4164
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7dqpSz4jLqCj.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5104
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1232
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6OEdasb1aU3d.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SexQE0hhaVE9.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dDSpgO4jp521.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3PnEFhpEllTQ.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jr3ColEIaU7l.bat" "
        15⤵
        
        PID:4428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gs5MbUdMmwjb.bat" "
        17⤵
        
        PID:5028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ms3PryM5NCY.bat" "
        19⤵
        
        PID:4744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4016
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4mJFuXf2LwoL.bat" "
        21⤵
        
        PID:1020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wRa8YHHBXqR8.bat" "
        23⤵
        
        PID:2432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E527SZwGKZGr.bat" "
        25⤵
        
        PID:4168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3116
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        
        PID:956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xcxq8wqaBiNu.bat" "
        27⤵
        
        PID:2076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        Runs ping.exe
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMGQHSaC8FDC.bat" "
        29⤵
        
        PID:2756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4124
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmXLtwuJ14k2.bat" "
        31⤵
        
        PID:2924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        33⤵
        
        PID:4228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\detpjePYOAX6.bat" "
        33⤵
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Is0Xx4mehK2h.bat" "
        35⤵
        
        PID:5112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGK07MhtZEIV.bat" "
        37⤵
        
        PID:4924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:4016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWf9gUds4GgD.bat" "
        39⤵
        
        PID:3740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:1464
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SP39gc3b7xgd.bat" "
        41⤵
        
        PID:1084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:4184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        Runs ping.exe
        
        PID:4196
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e7VPVNB85xrU.bat" "
        43⤵
        
        PID:568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4904
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        45⤵
        
        PID:1040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G6ylAHOFuWkM.bat" "
        45⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:2496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m9CPCGAk7iHa.bat" "
        47⤵
        
        PID:4968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:2404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A114auVi9UsQ.bat" "
        49⤵
        
        PID:2008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:3324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        Runs ping.exe
        
        PID:3124
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        51⤵
        
        PID:3492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tZL0qxG3BXmS.bat" "
        51⤵
        
        PID:2636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:3064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3400
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rJgUkrph8n6k.bat" "
        53⤵
        
        PID:3428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:2212
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3472
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2QQN3grsLq8Q.bat" "
        55⤵
        
        PID:4692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:2344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        57⤵
        
        PID:4380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqRYZnq7zfXn.bat" "
        57⤵
        
        PID:3956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:1592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        Runs ping.exe
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        59⤵
        
        PID:1680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z78AGDDkSzvt.bat" "
        59⤵
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:2676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HThoAjWnRS4v.bat" "
        61⤵
        
        PID:1156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:2656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WogJdl4MwAfL.bat" "
        63⤵
        
        PID:5100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:3432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4540
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        65⤵
        
        PID:4808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqaQtbu0R5X4.bat" "
        65⤵
        
        PID:1040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:3256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1160
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        66⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4cFP8McDPixk.bat" "
        67⤵
        
        PID:1008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:3104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        68⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S6lV5UAEi3R9.bat" "
        69⤵
        
        PID:1564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:3156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3680
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        70⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        71⤵
        
        PID:4572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rP15vOawZ3C3.bat" "
        71⤵
        
        PID:3064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        72⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        73⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Z0ZvJfhZgC6.bat" "
        73⤵
        
        PID:112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:1300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        Runs ping.exe
        
        PID:5084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        74⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        75⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qb2V6JrRoBe2.bat" "
        75⤵
        
        PID:3060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:1480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4824
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        76⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        77⤵
        
        PID:5088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M8nJsej6PQQr.bat" "
        77⤵
        
        PID:3000
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:8
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        Runs ping.exe
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        78⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        79⤵
        
        PID:1932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ev6Tq4q6iHpE.bat" "
        79⤵
        
        PID:1652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:3276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4208
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        80⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        81⤵
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3HFBzRs66PMu.bat" "
        81⤵
        
        PID:2384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:4408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3248
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        82⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        83⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0iftW5J1iifL.bat" "
        83⤵
        
        PID:4812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:4920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        Runs ping.exe
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        84⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        85⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xatU07CAnGCd.bat" "
        85⤵
        
        PID:1244
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:3116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        86⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        87⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h4cRdaSNfLq3.bat" "
        87⤵
        
        PID:564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:2256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        88⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        89⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mq5scTvcJNkq.bat" "
        89⤵
        
        PID:2076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:2616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1892
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        90⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        91⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XjHJ0SCGv8Z9.bat" "
        91⤵
        
        PID:2768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:1524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1216
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        92⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        93⤵
        
        PID:2876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lezSdfIscHBu.bat" "
        93⤵
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:3028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4752
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        94⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        95⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G3yNajPMaBIk.bat" "
        95⤵
        
        PID:4912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:3556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:608
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        96⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        97⤵
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQj3XRo13Xgf.bat" "
        97⤵
        
        PID:2100
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:4784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:896
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        98⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        99⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1xZBSCqmcXvW.bat" "
        99⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:3540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        100⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        101⤵
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZFJbclVlWByd.bat" "
        101⤵
        
        PID:2036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:3504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        102⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        103⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nC8FEGaPMPh2.bat" "
        103⤵
        
        PID:332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:3308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        Runs ping.exe
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        104⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        105⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YMYnRVq5iWra.bat" "
        105⤵
        
        PID:2192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:1984
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        106⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        107⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M2gj2iOFeUHJ.bat" "
        107⤵
        
        PID:4024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:1040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        108⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        109⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkBIonzttidc.bat" "
        109⤵
        
        PID:4708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:3444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        110⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        111⤵
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FbKVibCC6JAc.bat" "
        111⤵
        
        PID:1396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:1260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        112⤵
        Runs ping.exe
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        112⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        113⤵
        
        PID:2924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N331yb2tYfLO.bat" "
        113⤵
        
        PID:2700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:1416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        114⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        114⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        115⤵
        
        PID:3288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OvquOKSk8A37.bat" "
        115⤵
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:1100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        116⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        116⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        117⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WbhlL4CrFfGN.bat" "
        117⤵
        
        PID:3300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:1844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        118⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4896
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        118⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        119⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8TE2xcCO6buG.bat" "
        119⤵
        
        PID:3480
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:2356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        120⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4992
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        120⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        121⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIqdJZz2QMT7.bat" "
        121⤵
        
        PID:2704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:2720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        122⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        122⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        123⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgzKlrMaJAMk.bat" "
        123⤵
        
        PID:4372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:4948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        124⤵
        Runs ping.exe
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        124⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        125⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7mccErQtaaz6.bat" "
        125⤵
        
        PID:2240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:4568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        126⤵
        Runs ping.exe
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        126⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        127⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AcbLNRT2eSHq.bat" "
        127⤵
        
        PID:2216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        128⤵
        Runs ping.exe
        
        PID:3296
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        128⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        129⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9jygXV7uFv2R.bat" "
        129⤵
        
        PID:1812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:4168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        130⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4256
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        130⤵
        
        PID:3084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        131⤵
        
        PID:4928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rrV3zLWvQReR.bat" "
        131⤵
        
        PID:3444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        132⤵
        
        PID:3040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        132⤵
        Runs ping.exe
        
        PID:972
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        132⤵
        
        PID:1892
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        133⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RUmoBpN9acnN.bat" "
        133⤵
        
        PID:1260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        134⤵
        
        PID:3324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        134⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        134⤵
        
        PID:4572
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        135⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s1exPhjMihna.bat" "
        135⤵
        
        PID:4696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        136⤵
        
        PID:4736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        136⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1300
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        136⤵
        
        PID:4244
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        137⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QTUWrI92vHrI.bat" "
        137⤵
        
        PID:2956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        138⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        138⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        138⤵
        
        PID:4204
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        139⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p8BnGCd4XqPM.bat" "
        139⤵
        
        PID:1884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        140⤵
        
        PID:3300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        140⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        140⤵
        
        PID:3860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        141⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UZT9rEkFWJYj.bat" "
        141⤵
        
        PID:1596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        142⤵
        
        PID:1828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        142⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        142⤵
        
        PID:4992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        143⤵
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZFaPOqFpE56F.bat" "
        143⤵
        
        PID:3552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        144⤵
        
        PID:4164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        144⤵
        Runs ping.exe
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        144⤵
        
        PID:1652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        145⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dPaV4APzWwdH.bat" "
        145⤵
        
        PID:4144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        146⤵
        
        PID:5104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        146⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4372
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        146⤵
        
        PID:5044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        147⤵
        
        PID:4184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEwNWbURFpfv.bat" "
        147⤵
        
        PID:332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        148⤵
        
        PID:4716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        148⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        148⤵
        
        PID:4880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        149⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nXtqKuUk0tfU.bat" "
        149⤵
        
        PID:5080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        150⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        150⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:396
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        150⤵
        
        PID:4300
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        151⤵
        
        PID:2692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuHQ2LABf2PH.bat" "
        151⤵
        
        PID:4080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        152⤵
        
        PID:4792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        152⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4092
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        152⤵
        
        PID:3820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        153⤵
        
        PID:3244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cH3pk5X1uHo3.bat" "
        153⤵
        
        PID:3444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        154⤵
        
        PID:916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        154⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2616
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        154⤵
        
        PID:4860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        155⤵
        
        PID:4376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\URDMB4jSXauW.bat" "
        155⤵
        
        PID:4272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        156⤵
        
        PID:2688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        156⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3576
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        156⤵
        
        PID:2844
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        157⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyuyyKT8zO1a.bat" "
        157⤵
        
        PID:1936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        158⤵
        
        PID:2988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        158⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        158⤵
        
        PID:2488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        159⤵
        
        PID:3924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kW7Vr66WJn5n.bat" "
        159⤵
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        160⤵
        
        PID:4192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        160⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        160⤵
        
        PID:804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        161⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucsjkH1dBwc9.bat" "
        161⤵
        
        PID:688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        162⤵
        
        PID:1512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        162⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4104
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        162⤵
        
        PID:2548
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        163⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J0ba2oXZumdD.bat" "
        163⤵
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        164⤵
        
        PID:452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        164⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3536
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        164⤵
        
        PID:1840
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        165⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgTwMa5NZq5K.bat" "
        165⤵
        
        PID:684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        166⤵
        
        PID:1948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        166⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4632
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        166⤵
        
        PID:1172
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        167⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eLY0yTK5OYgG.bat" "
        167⤵
        
        PID:2832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        168⤵
        
        PID:3248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        168⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        168⤵
        
        PID:1036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        169⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fYDObQ44oauL.bat" "
        169⤵
        
        PID:3136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        170⤵
        
        PID:4816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        170⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5028
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        170⤵
        
        PID:228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        171⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xxpFHgyOAk9p.bat" "
        171⤵
        
        PID:464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        172⤵
        
        PID:1120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        172⤵
        Runs ping.exe
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        172⤵
        
        PID:2692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        173⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XIarUw9Crq9F.bat" "
        173⤵
        
        PID:3056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        174⤵
        
        PID:3008
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        174⤵
        Runs ping.exe
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        174⤵
        
        PID:3244
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        175⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N8deHaTInqJn.bat" "
        175⤵
        
        PID:3680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        176⤵
        
        PID:1448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        176⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1396
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        176⤵
        
        PID:3064
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        177⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xSrSqDYE7qmN.bat" "
        177⤵
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        178⤵
        
        PID:1404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        178⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        178⤵
        
        PID:932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        179⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Da2DobchDzdf.bat" "
        179⤵
        
        PID:4752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        180⤵
        
        PID:796
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        180⤵
        
        PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
15eab799098760706ed95d314e75449d

SHA1
273fb07e40148d5c267ca53f958c5075d24c4444

SHA256
45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

SHA512
50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2QQN3grsLq8Q.bat

Filesize
207B

MD5
4e5fe88901dab5a87e3b7a04560332cb

SHA1
123e28ccfe3516c4c5eb1507de213013298c7f1c

SHA256
052298405c1d26e6366fe12f914f1b162da08ad7ef75a98e38d11282d184b95b

SHA512
72f79e908540fe19a23dec9e234ad2475b4fff3528ce727d0be4c73c99f8816a1184049d3b1298eb0eb62e6fac30f32242629d5a16e39fac45c6ec467d03da04

Download Submit
C:\Users\Admin\AppData\Local\Temp\3PnEFhpEllTQ.bat

Filesize
207B

MD5
926e63bfc5d0c81b442bd1e6786f2fdf

SHA1
5f766c239920210e9c7af153c653f199107efcd3

SHA256
02094d00327995dd15bcc4983d3faeaca7217108342f3c4e23089b414e946544

SHA512
01c6c043bc98ebdcf807392f0a7109eb76db70bdc4ef08140916f929f59f22f4a439b2633f554a96f3fe939100c256ad8e06d4b6e80dd6ab3cef007fbfa3edd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4mJFuXf2LwoL.bat

Filesize
207B

MD5
8994a51d439af8ad0b9450c1ed7e7e30

SHA1
0d69fa7e56f733d05a783971a14cd0045f9621e1

SHA256
3240af92d58a71be959c95c0b394fa6ed95fabddbd45fc1f045052a9c94ae5d6

SHA512
d063e1ed950a527504bfd014a75b4f5afe1f08f0a9ef655c2a07cfc4ad809dfba3870f1621948ae7a9568414389fad453c7dfcff79c8d6a0e7ed96b863e8b8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\6OEdasb1aU3d.bat

Filesize
207B

MD5
69a5b28425a019e6d9e7171ef00b415d

SHA1
d9658a02769e8c8f80643457fc9924e37d6cb598

SHA256
162aee17e414f60a5c6cde6c1637fea569e66f960e921eb1f7238d99a1dec132

SHA512
1857e257120cc66e5940e7b88736a43fba28d6cb993ff7e0a27ec7dfb61fc9386090f1073280a24e37211a219a4a2d29161e2fb6f9b78fa2c776123706652b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ms3PryM5NCY.bat

Filesize
207B

MD5
0fb1f89fcacaa38c34c71dd5dff65167

SHA1
2dcfdb168d0102ba68f158f115344385e73adc02

SHA256
415b2b82d062a42dbe7794ca68c5926cc1e9ac0ba9fbe246e5b10c758a77ca78

SHA512
d68a061eee76064376fbace045f4cb82b713aeb56da22775375e436a3b5924f7ecbf8093d12dd40762f0e1f76601a06810b2c713dd741aef069d103a5b81e763

Download Submit
C:\Users\Admin\AppData\Local\Temp\7dqpSz4jLqCj.bat

Filesize
207B

MD5
e36575bbf0f56235ffadb0a791b1714e

SHA1
9c745cc1a03265718413b6837746c2bb74726227

SHA256
5b3e11ee1d7146cff74d3b94d0e199edd3ba888c734ef97b8f4358b601d94bc4

SHA512
4aa7729a14a875108a3edd12ba61e8440f70633aebd10feae470958066cac65f97e1c1842b2f14742cb4213cc9e6eda381daf9cefca133e4bac119848e636574

Download Submit
C:\Users\Admin\AppData\Local\Temp\A114auVi9UsQ.bat

Filesize
207B

MD5
92891ec4f3a2191d6831d9be54fac20f

SHA1
55bb620c1207b9155e85bf9be19de8ccd369a987

SHA256
89d324303619efe21994f1fe0637208009a8cbde7f508d1fa99826b3efc8c855

SHA512
6695a7df349d8a56be732c7ac5b2bf9235d45558bb4bde82f30c6b8ae3be493f6e20f87c14f20614edfd66f267faee1da63b30c0affc42de95d9405a0d5db1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E527SZwGKZGr.bat

Filesize
207B

MD5
46ebc3073cd63bbf398f8835463e46fa

SHA1
f25cd0f351c34a3da64bbc122bacea15024f8733

SHA256
c4c8c24172912272686a74f328e30d77f11948bbeb08c8385fab1b3f4b9a88c1

SHA512
b9b33b06a9c3f229e96e377865e2233778a94d9df040ef4db344c29e95414f517f36f351b0c244de25e0710b77da457c253b609322292715d7417ac4a7aeadb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\G6ylAHOFuWkM.bat

Filesize
207B

MD5
9f8856eff50af9e73b8fa26c89ad7c3b

SHA1
57b9becf220440725bab7b9d3d66b90aad2bd1bb

SHA256
7cd35c629c975fa8414b00da2f9a92c9f2a7af3652666b5bd61009fdeba0d13b

SHA512
728e75d83cecc14e93a66301e347d6cf69cdc6984dbe584ece3340aca0bd11850fbef2ebcc1eac08196a7fd2b996c6d3ed65934a8c2d68238591fbbe36a92b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\GmXLtwuJ14k2.bat

Filesize
207B

MD5
1128dffdc76fd046211478e48bf947ac

SHA1
d61c3b2a1eafecb097175852f5462fa92790e678

SHA256
aac3517b6a6e97a8dea4cf22f3031784b842d1d5a17c6854d3e03aa794bfeac4

SHA512
ce0e376c5a0a3d4c1180564b6b8ec3d98cf97ba8f6e016a5f1016b95ba2117a831a02c83c56c6c307bb64e4b8cb27ec99164e09e3768fc14fdc61327131ca481

Download Submit
C:\Users\Admin\AppData\Local\Temp\HThoAjWnRS4v.bat

Filesize
207B

MD5
7a804f0d355ad473995ea6119922fa0c

SHA1
0867ed2edac355837693547b6ae86c572d223816

SHA256
1e6f5caefd0daf2e27ec1151a72ac9c954a22a8c460aa07468461eaa432d32ff

SHA512
7f009adfb0246cea04c19d0e541b60a793a4d0760634214179d981addd352a031df1bde7ba2a5aac21f6f6f7515f60b01d56f2009a35e3672ea6aaf2567ab82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Is0Xx4mehK2h.bat

Filesize
207B

MD5
728f05857bcbcca526a74b3803a7f6da

SHA1
64bd93899d760b11e962b78c2f3cddeb98e38eae

SHA256
4bb1409176a3eb940f7af24fd2c6c863f1d08f937e6d9f3390ad2f5faabe4222

SHA512
a8ab2259e741f831bff02ced20faf10d75d9ce8f2cbac1d1b14594b4752462f70e97666b6973cff15db396f91c761993864b20e1b9d11e449cac4ba5b7904232

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jr3ColEIaU7l.bat

Filesize
207B

MD5
02f9ea36ffa4bef2317802287ea87ff3

SHA1
175a10b760c4ca1ebe1a2f70cfe0d0cb27d98531

SHA256
7771e46d23fcea0e4db6d4300b68a862a15f744330e51736caae1c085cd2c6c4

SHA512
e21d38ef13343b1dde93147a275ccf09ea276d1a1bff524fbc8061ab3eb6938bc87d99aa874f1d76fbb966b04f6f25d1f35de06cc44693f361c9643a2482b93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SP39gc3b7xgd.bat

Filesize
207B

MD5
51fb389833a05a0ddd00a4ae6766ff86

SHA1
44629a6702926c1671a0c487e993469651a80e86

SHA256
5846f62a359e826802e9bf1c05d6c10dd1ba8fc32baf570ce5d5019ea07ee334

SHA512
c672b183e602fb38f9bb2183ab46f416f6b326fa677db9dd223bf9b7870da6c2064ee5ea5f86bfd56eaf623f0ce9a5daffbd0277d5e953620d86e504e377c48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SexQE0hhaVE9.bat

Filesize
207B

MD5
5d864fe8a85b6d75866228ee870915e9

SHA1
814f67cff9340b0910e82fa87a3c6b53d802d9a5

SHA256
4aa4f779ccbc4a0a970ed4a3114ebf49709a512dab9b850de5fadee58ba08736

SHA512
40e832c15cacdf6adb4af02c914d630687b4e5611ad31ac826f812cc94dca73743d4db152de58eed8b4cd8b0414fe73bd78962eeb99e48d118aaf5e4e336d24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWf9gUds4GgD.bat

Filesize
207B

MD5
c03b53514d57408158981f251416fe0e

SHA1
a1bb309fad949ab2210ed049ba4bba650419f68f

SHA256
03be7627f578b3b13fbd19c280f8bf2f5a62f2dea394e757d00cde5e3cd94b90

SHA512
49bce2991aa4c90586645e461b1fa9675d79f08a4e3f1dbc59b943a2c4b6d40008f8cbc12f878f6d879e7ba0282ce172f4c18b498d4fc2b002356be61ba98357

Download Submit
C:\Users\Admin\AppData\Local\Temp\WogJdl4MwAfL.bat

Filesize
207B

MD5
d8755406e5aadb976d511f4e4196f56e

SHA1
74d41a1e1df846dd62e372d8a0daa611cdde4fa7

SHA256
0e595178c570d99b63070c1b180d8d0ae6df83060ee6403c66af830e2f52b3e3

SHA512
c9822d2365fc2d9159699f8f3006d09ff407896def2d4a791b6f7800e55f6070752b4d6619688c9ecc5d185625311b6e440d32ebfb802bfc1a06d1decad8aef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xcxq8wqaBiNu.bat

Filesize
207B

MD5
b0a1ccae289db5ebd11ab8686cfa7a8b

SHA1
92e54efc68585f95ab1b4b30aa6966baa01b59bf

SHA256
ec0a253a831964c32b217cb148d7cc4fbd85ce7171a81147494144260b6bfb2c

SHA512
a0ef69592555da12e6d3e808de2399022c59d3d5e5043152b192d6ecabaa152fbdd320df2398419da82b8243a048e95ac350f595dde6e751517cc9ba71d230ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z78AGDDkSzvt.bat

Filesize
207B

MD5
6a62ed93bd01fef2d6cb77c189583966

SHA1
9e997218df6b7ee62998d1444746cf4fa9b4aba0

SHA256
371bb661ae55dbbc047b560e70087c1fb84ee4f6da73885ef847b9814bf583bf

SHA512
3d0ed772d836c9ea7849fb7905932faa106e0e4324a5e557e02445f99998eb66149dde78d57f51eadf4590014eedfb44a54f162bd8956a43bf794228cc209a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7YhbKASz19Q.bat

Filesize
207B

MD5
f2cbea20d0097a680dbfbb8ba2d79ef2

SHA1
2d495fb71ced2799c7c21d5c62c6abc310d14caa

SHA256
26986dbe67489d92c91f530997bb8ef6a49754892cb0f8f6639043cb19b643c3

SHA512
bdd4db871dde12999a08cf6bc807c56bc4832cdcae6bc377f701d52f625d867d7d923c568d8f536bef954514bb95eca3f574e0bb7bc822ae2d83143c80b86b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dDSpgO4jp521.bat

Filesize
207B

MD5
88c5624769020ede9b5e1e143f7c6897

SHA1
f1e61765f21ccacdcec6e98afb4c4b8edaa82233

SHA256
409251a211d75c5cfd0bc028e91832ff1657f056d7884728ddeb4b24949d45c5

SHA512
8a8ff48410d774b72247744eb332c77edff3f9cf9428f20b3685f43d2ba01b6904a91f58c151e89da06199203e8321cc31854950ee516b84bcf8957da12f4931

Download Submit
C:\Users\Admin\AppData\Local\Temp\detpjePYOAX6.bat

Filesize
207B

MD5
1c5dd9373dde488c9cee437f8af5f879

SHA1
6e5d71b8387a40b568e778062e98d22f8419ced6

SHA256
312f48019542082f05e98c38341ec1e11486040a371dfe7e3dccd6c3bf1a64a3

SHA512
c0fa426ee6624982dbee6e465fa56123b4ac3d017c1c2cf5772f840570e8995386dd1eb5fd0842e769a26f724d05970e66cdc7cd57a4c67bf30a0e7fd83a05f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7VPVNB85xrU.bat

Filesize
207B

MD5
e394d388725c0ddc1790b9c3af58a5f5

SHA1
64de843866a6e81b8587aeb527a4c0cc3286c5c3

SHA256
6605108810d2b737e2ce7e082b9d7c0be81dfd82123980cf900ef6170f3e3ad2

SHA512
4073e4df21f68b0880bb22eebe477a1e67f52bfa7781789fcdd9f24c053279ef06b5d90cdc4f6ccb79d02213f2ade417c1578155425deaba37f706611d01fcca

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs5MbUdMmwjb.bat

Filesize
207B

MD5
4dbd3072c27c0a9687ea138f887d0ff2

SHA1
0cbe2d03886d534a4da424fb89198a624135d595

SHA256
9753d2b5e7a0ef7def12bce106c02396eb7043c7247224b4d9f806e94bb43365

SHA512
563853b9f31ba7263b126d1cf32042eabf7aad2136264db469d3b76bcf65a4eb3cb91d24202a28d28f5bd6d7caa5cb8e1ea31d7f34500afdd709b41098ad031a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iGK07MhtZEIV.bat

Filesize
207B

MD5
1307790b0d4960472e7b71c52e00cf7d

SHA1
b7578bb348dc29dc8e8b67ee318629abdcc4f4d7

SHA256
af5725139c2c4fbd20524e5dc247337014c96e9aafb4e1cd3d8408c53d6f3bf7

SHA512
6050736bf02bfe6ead906dc29ee1346d77e7a00c9ac4d70fedb154b38038bcafe229a75181b2aa7a5f3033cde955b03118f2a7a725fd3db97218c51da4ec2939

Download Submit
C:\Users\Admin\AppData\Local\Temp\m9CPCGAk7iHa.bat

Filesize
207B

MD5
71cacb29a2fd1d49fff58684b4dfa34f

SHA1
af2231a0fc443b5ad38bb5a1f1fe70354a0db233

SHA256
62dbe7a58cb9015499bcaf3ef9f62cf0fbb47d5cf73ef4620919f3885eb8c1bf

SHA512
68901b87fb350df8bd6ba93174876f375732b6c0f5ad5537ceefa7a3122cdb6ced41d1207ac8c34ec416cce9ae89cbd0ad89c2ac642c72afbd14f464925cbb8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rJgUkrph8n6k.bat

Filesize
207B

MD5
329a75e2c83fe32345ad42944e430689

SHA1
eeacc6b29168daa264a958a537892f35dc489fee

SHA256
0140eaeedf3d94c327d9287e6662916380c28d5377779923aa3b36a25ed12e6a

SHA512
16a438df85921ed6de5b2229fc1244a7572f8185351f5b3285f762c8fb83027dc4b77929e65e2c991e9e30a38f407d2654d7ced8bad2dca01997b303141596b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tZL0qxG3BXmS.bat

Filesize
207B

MD5
0ee054ed9f7b4bc49b985249d168ed8f

SHA1
fa02414e90078e63818ca6d2a5d0876c0bd3c451

SHA256
d68c93ec3d08623a663189cf7c9fd1044d6102ab7cc1fdc4276600a1ec58e935

SHA512
85e43502d116ccfcde0645283d556f50449d5afb58d92a642163370db59c4339f1e88671223ff7a0ee5b4af4e179423105d2aac29da8bec7f6e67f7dab3be63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqRYZnq7zfXn.bat

Filesize
207B

MD5
de6db9202188c75deec59445816e7934

SHA1
36cd0f31908accde199ec6f3c2b6075824f82ca7

SHA256
602e9d5c6c2bdce6abe495a4a89430bebf4276c750fd372c00881615781bb00d

SHA512
68a380fd1c4565d8a016b7fb90d4ff003a3deb6221a2ba3f0d0928d47e955ecfaf91d4c1da81ab86fd30b179a2c352d8f87c9e878fb8029ef976c249b52e83e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMGQHSaC8FDC.bat

Filesize
207B

MD5
1873315c97d339c1a59e4d0beecafe6b

SHA1
36d95ad812aa77f92f02859bbd5a0da6de040cef

SHA256
fc3bcb8b390525cf4b33189d1186eafe95742a3ab2efe13215d984297805ace9

SHA512
2ca1bb8e7b85b1409305d29fc6b737340ce26599f6c02e7493e0727e9fc9c159cbb4ae2af1b9ca4f51481dd6a928063e8cdb227c507cc540b567bb26367fba1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRa8YHHBXqR8.bat

Filesize
207B

MD5
c73ce0420305158837b95bd2e9f33f01

SHA1
86a127815af4eba73196510494edbf19844246e4

SHA256
bb72b460738f29428e0a733afa96635cafa6846520ff0f98abc6f11487f56671

SHA512
85351b9a5bc573ebe0c23dae062c72a6b3ec1646553767e6f992245d8d21790f75496549e7e223532e4bb5fd576b873e905831ef303c51b1ba3d2176f6b38ebc

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
bc1d1f704a0f37aaa31d8da25618926d

SHA1
f4660775a087c298f06ea418ed31d678eea08922

SHA256
d235809f999353ba99369eb3f2df5a32c400954bbd852f6842edf8cd5ad1a8d6

SHA512
84316eab0534d14ab956f52117a156071c7a930a670a5a77c109b7bb09df08b6d1b9871e97e4b4e844dcc9211f8883af9ed87ae96fa422082ecf0a7f99defee1

Download Submit
memory/4104-10-0x00007FFDC7DF0000-0x00007FFDC88B2000-memory.dmp

Filesize
10.8MB

Download
memory/4104-11-0x00007FFDC7DF0000-0x00007FFDC88B2000-memory.dmp

Filesize
10.8MB

Download
memory/4104-12-0x000000001B960000-0x000000001B9B0000-memory.dmp

Filesize
320KB

Download
memory/4104-13-0x000000001C0C0000-0x000000001C172000-memory.dmp

Filesize
712KB

Download
memory/4104-19-0x00007FFDC7DF0000-0x00007FFDC88B2000-memory.dmp

Filesize
10.8MB

Download
memory/4744-9-0x00007FFDC7DF0000-0x00007FFDC88B2000-memory.dmp

Filesize
10.8MB

Download
memory/4744-0-0x00007FFDC7DF3000-0x00007FFDC7DF5000-memory.dmp

Filesize
8KB

Download
memory/4744-2-0x00007FFDC7DF0000-0x00007FFDC88B2000-memory.dmp

Filesize
10.8MB

Download
memory/4744-1-0x0000000000F30000-0x0000000001254000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads