quasar | ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd

Analysis

max time kernel
564s
max time network
565s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

7dbac71bcc7920b66e8c4fc04fbc30dd
SHA1

c746b4358c2a15765a010c1890979239f152d6f7
SHA256

ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd
SHA512

56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24
SSDEEP

49152:bvylL26AaNeWgPhlmVqvMQ7XSKB4RJ6kbR3LoGdXdTHHB72eh2NT:bvqL26AaNeWgPhlmVqkQ7XSKB4RJ6uH

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hojex31104-23437.portmap.host:23437

Mutex

de505f8f-b6d9-44cb-b9ce-7e2f491eb29e

Attributes

encryption_key
D9C52C486698B9297B9AC8B87A65EA67135BE386
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3680-1-0x0000000000AD0000-0x0000000000DF4000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b5a-5.dat	family_quasar

Checks computer location settings 2 TTPs 55 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 55 IoCs

pid	Process
4936	Client.exe
1708	Client.exe
1964	Client.exe
452	Client.exe
4192	Client.exe
4780	Client.exe
4000	Client.exe
732	Client.exe
1824	Client.exe
1440	Client.exe
4956	Client.exe
2684	Client.exe
1080	Client.exe
4048	Client.exe
4404	Client.exe
992	Client.exe
3028	Client.exe
2472	Client.exe
1152	Client.exe
1096	Client.exe
4720	Client.exe
1936	Client.exe
1684	Client.exe
2008	Client.exe
1580	Client.exe
528	Client.exe
4448	Client.exe
5080	Client.exe
4820	Client.exe
1252	Client.exe
3764	Client.exe
2904	Client.exe
3688	Client.exe
4868	Client.exe
2088	Client.exe
396	Client.exe
792	Client.exe
4520	Client.exe
2664	Client.exe
3116	Client.exe
4104	Client.exe
2488	Client.exe
2792	Client.exe
3928	Client.exe
1416	Client.exe
4568	Client.exe
2704	Client.exe
4756	Client.exe
3768	Client.exe
1764	Client.exe
4672	Client.exe
4656	Client.exe
2136	Client.exe
2068	Client.exe
1248	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 55 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2380	PING.EXE
4260	PING.EXE
3968	PING.EXE
1684	PING.EXE
4716	PING.EXE
1940	PING.EXE
3192	PING.EXE
1252	PING.EXE
2172	PING.EXE
2248	PING.EXE
2356	PING.EXE
1960	PING.EXE
8	PING.EXE
4812	PING.EXE
3552	PING.EXE
3028	PING.EXE
4676	PING.EXE
636	PING.EXE
1156	PING.EXE
4336	PING.EXE
1612	PING.EXE
3184	PING.EXE
3996	PING.EXE
2424	PING.EXE
2036	PING.EXE
1552	PING.EXE
2484	PING.EXE
4724	PING.EXE
3708	PING.EXE
4456	PING.EXE
4268	PING.EXE
4848	PING.EXE
4576	PING.EXE
4676	PING.EXE
2104	PING.EXE
4012	PING.EXE
1392	PING.EXE
1504	PING.EXE
2780	PING.EXE
2024	PING.EXE
3376	PING.EXE
1960	PING.EXE
2016	PING.EXE
1812	PING.EXE
3392	PING.EXE
2072	PING.EXE
2168	PING.EXE
1464	PING.EXE
3736	PING.EXE
1620	PING.EXE
212	PING.EXE
744	PING.EXE
2072	PING.EXE
792	PING.EXE
1984	PING.EXE

Runs ping.exe 1 TTPs 55 IoCs

Remote System Discovery

T1018

pid	Process
1504	PING.EXE
2072	PING.EXE
2172	PING.EXE
3184	PING.EXE
744	PING.EXE
2024	PING.EXE
3192	PING.EXE
4812	PING.EXE
1392	PING.EXE
1464	PING.EXE
2780	PING.EXE
1620	PING.EXE
3028	PING.EXE
1252	PING.EXE
3376	PING.EXE
2356	PING.EXE
1960	PING.EXE
2248	PING.EXE
4576	PING.EXE
4260	PING.EXE
1960	PING.EXE
2424	PING.EXE
636	PING.EXE
2380	PING.EXE
4012	PING.EXE
2168	PING.EXE
4676	PING.EXE
1156	PING.EXE
1552	PING.EXE
8	PING.EXE
1684	PING.EXE
4676	PING.EXE
1940	PING.EXE
3552	PING.EXE
4724	PING.EXE
1984	PING.EXE
4268	PING.EXE
4848	PING.EXE
3736	PING.EXE
1812	PING.EXE
3708	PING.EXE
2104	PING.EXE
4456	PING.EXE
2036	PING.EXE
3392	PING.EXE
1612	PING.EXE
3996	PING.EXE
212	PING.EXE
792	PING.EXE
2016	PING.EXE
4336	PING.EXE
2484	PING.EXE
3968	PING.EXE
2072	PING.EXE
4716	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 56 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3756	schtasks.exe
4556	schtasks.exe
3760	schtasks.exe
4012	schtasks.exe
2104	schtasks.exe
2248	schtasks.exe
1792	schtasks.exe
1952	schtasks.exe
2088	schtasks.exe
2136	schtasks.exe
3680	schtasks.exe
4548	schtasks.exe
636	schtasks.exe
4020	schtasks.exe
3424	schtasks.exe
4216	schtasks.exe
5020	schtasks.exe
924	schtasks.exe
1652	schtasks.exe
4436	schtasks.exe
1944	schtasks.exe
3516	schtasks.exe
4336	schtasks.exe
1076	schtasks.exe
1524	schtasks.exe
4964	schtasks.exe
1740	schtasks.exe
1984	schtasks.exe
5080	schtasks.exe
2348	schtasks.exe
5020	schtasks.exe
4904	schtasks.exe
768	schtasks.exe
5068	schtasks.exe
3940	schtasks.exe
2572	schtasks.exe
4304	schtasks.exe
4456	schtasks.exe
3388	schtasks.exe
5068	schtasks.exe
4336	schtasks.exe
516	schtasks.exe
5100	schtasks.exe
1812	schtasks.exe
4800	schtasks.exe
5052	schtasks.exe
540	schtasks.exe
1636	schtasks.exe
3492	schtasks.exe
4772	schtasks.exe
4388	schtasks.exe
2416	schtasks.exe
1792	schtasks.exe
3756	schtasks.exe
2164	schtasks.exe
1424	schtasks.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	3680	Client-built.exe
Token: SeDebugPrivilege	4936	Client.exe
Token: SeDebugPrivilege	1708	Client.exe
Token: SeDebugPrivilege	1964	Client.exe
Token: SeDebugPrivilege	452	Client.exe
Token: SeDebugPrivilege	4192	Client.exe
Token: SeDebugPrivilege	4780	Client.exe
Token: SeDebugPrivilege	4000	Client.exe
Token: SeDebugPrivilege	732	Client.exe
Token: SeDebugPrivilege	1824	Client.exe
Token: SeDebugPrivilege	1440	Client.exe
Token: SeDebugPrivilege	4956	Client.exe
Token: SeDebugPrivilege	2684	Client.exe
Token: SeDebugPrivilege	1080	Client.exe
Token: SeDebugPrivilege	4048	Client.exe
Token: SeDebugPrivilege	4404	Client.exe
Token: SeDebugPrivilege	992	Client.exe
Token: SeDebugPrivilege	3028	Client.exe
Token: SeDebugPrivilege	2472	Client.exe
Token: SeDebugPrivilege	1152	Client.exe
Token: SeDebugPrivilege	1096	Client.exe
Token: SeDebugPrivilege	4720	Client.exe
Token: SeDebugPrivilege	1936	Client.exe
Token: SeDebugPrivilege	1684	Client.exe
Token: SeDebugPrivilege	2008	Client.exe
Token: SeDebugPrivilege	1580	Client.exe
Token: SeDebugPrivilege	528	Client.exe
Token: SeDebugPrivilege	4448	Client.exe
Token: SeDebugPrivilege	5080	Client.exe
Token: SeDebugPrivilege	4820	Client.exe
Token: SeDebugPrivilege	1252	Client.exe
Token: SeDebugPrivilege	3764	Client.exe
Token: SeDebugPrivilege	2904	Client.exe
Token: SeDebugPrivilege	3688	Client.exe
Token: SeDebugPrivilege	4868	Client.exe
Token: SeDebugPrivilege	2088	Client.exe
Token: SeDebugPrivilege	396	Client.exe
Token: SeDebugPrivilege	792	Client.exe
Token: SeDebugPrivilege	4520	Client.exe
Token: SeDebugPrivilege	2664	Client.exe
Token: SeDebugPrivilege	3116	Client.exe
Token: SeDebugPrivilege	4104	Client.exe
Token: SeDebugPrivilege	2488	Client.exe
Token: SeDebugPrivilege	2792	Client.exe
Token: SeDebugPrivilege	3928	Client.exe
Token: SeDebugPrivilege	1416	Client.exe
Token: SeDebugPrivilege	4568	Client.exe
Token: SeDebugPrivilege	2704	Client.exe
Token: SeDebugPrivilege	4756	Client.exe
Token: SeDebugPrivilege	3768	Client.exe
Token: SeDebugPrivilege	1764	Client.exe
Token: SeDebugPrivilege	4672	Client.exe
Token: SeDebugPrivilege	4656	Client.exe
Token: SeDebugPrivilege	2136	Client.exe
Token: SeDebugPrivilege	2068	Client.exe
Token: SeDebugPrivilege	1248	Client.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
4936	Client.exe
1708	Client.exe
1964	Client.exe
452	Client.exe
4192	Client.exe
4780	Client.exe
4000	Client.exe
732	Client.exe
1824	Client.exe
1440	Client.exe
4956	Client.exe
2684	Client.exe
1080	Client.exe
4048	Client.exe
4404	Client.exe
992	Client.exe
3028	Client.exe
2472	Client.exe
1152	Client.exe
1096	Client.exe
4720	Client.exe
1936	Client.exe
1684	Client.exe
2008	Client.exe
1580	Client.exe
528	Client.exe
4448	Client.exe
5080	Client.exe
4820	Client.exe
1252	Client.exe
3764	Client.exe
2904	Client.exe
3688	Client.exe
4868	Client.exe
2088	Client.exe
396	Client.exe
792	Client.exe
4520	Client.exe
2664	Client.exe
3116	Client.exe
4104	Client.exe
2488	Client.exe
2792	Client.exe
3928	Client.exe
1416	Client.exe
4568	Client.exe
2704	Client.exe
4756	Client.exe
3768	Client.exe
1764	Client.exe
4672	Client.exe
4656	Client.exe
2136	Client.exe
2068	Client.exe
1248	Client.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
4936	Client.exe
1708	Client.exe
1964	Client.exe
452	Client.exe
4192	Client.exe
4780	Client.exe
4000	Client.exe
732	Client.exe
1824	Client.exe
1440	Client.exe
4956	Client.exe
2684	Client.exe
1080	Client.exe
4048	Client.exe
4404	Client.exe
992	Client.exe
3028	Client.exe
2472	Client.exe
1152	Client.exe
1096	Client.exe
4720	Client.exe
1936	Client.exe
1684	Client.exe
2008	Client.exe
1580	Client.exe
528	Client.exe
4448	Client.exe
5080	Client.exe
4820	Client.exe
1252	Client.exe
3764	Client.exe
2904	Client.exe
3688	Client.exe
4868	Client.exe
2088	Client.exe
396	Client.exe
792	Client.exe
4520	Client.exe
2664	Client.exe
3116	Client.exe
4104	Client.exe
2488	Client.exe
2792	Client.exe
3928	Client.exe
1416	Client.exe
4568	Client.exe
2704	Client.exe
4756	Client.exe
3768	Client.exe
1764	Client.exe
4672	Client.exe
4656	Client.exe
2136	Client.exe
2068	Client.exe
1248	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
992	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 516	3680	Client-built.exe	83
PID 3680 wrote to memory of 516	3680	Client-built.exe	83
PID 3680 wrote to memory of 4936	3680	Client-built.exe	85
PID 3680 wrote to memory of 4936	3680	Client-built.exe	85
PID 4936 wrote to memory of 2136	4936	Client.exe	86
PID 4936 wrote to memory of 2136	4936	Client.exe	86
PID 4936 wrote to memory of 1680	4936	Client.exe	88
PID 4936 wrote to memory of 1680	4936	Client.exe	88
PID 1680 wrote to memory of 400	1680	cmd.exe	90
PID 1680 wrote to memory of 400	1680	cmd.exe	90
PID 1680 wrote to memory of 8	1680	cmd.exe	91
PID 1680 wrote to memory of 8	1680	cmd.exe	91
PID 1680 wrote to memory of 1708	1680	cmd.exe	99
PID 1680 wrote to memory of 1708	1680	cmd.exe	99
PID 1708 wrote to memory of 1740	1708	Client.exe	100
PID 1708 wrote to memory of 1740	1708	Client.exe	100
PID 1708 wrote to memory of 1940	1708	Client.exe	104
PID 1708 wrote to memory of 1940	1708	Client.exe	104
PID 1940 wrote to memory of 2572	1940	cmd.exe	106
PID 1940 wrote to memory of 2572	1940	cmd.exe	106
PID 1940 wrote to memory of 1812	1940	cmd.exe	107
PID 1940 wrote to memory of 1812	1940	cmd.exe	107
PID 1940 wrote to memory of 1964	1940	cmd.exe	112
PID 1940 wrote to memory of 1964	1940	cmd.exe	112
PID 1964 wrote to memory of 5068	1964	Client.exe	113
PID 1964 wrote to memory of 5068	1964	Client.exe	113
PID 1964 wrote to memory of 788	1964	Client.exe	116
PID 1964 wrote to memory of 788	1964	Client.exe	116
PID 788 wrote to memory of 800	788	cmd.exe	118
PID 788 wrote to memory of 800	788	cmd.exe	118
PID 788 wrote to memory of 212	788	cmd.exe	119
PID 788 wrote to memory of 212	788	cmd.exe	119
PID 788 wrote to memory of 452	788	cmd.exe	123
PID 788 wrote to memory of 452	788	cmd.exe	123
PID 452 wrote to memory of 3680	452	Client.exe	124
PID 452 wrote to memory of 3680	452	Client.exe	124
PID 452 wrote to memory of 1416	452	Client.exe	127
PID 452 wrote to memory of 1416	452	Client.exe	127
PID 1416 wrote to memory of 4828	1416	cmd.exe	129
PID 1416 wrote to memory of 4828	1416	cmd.exe	129
PID 1416 wrote to memory of 2380	1416	cmd.exe	130
PID 1416 wrote to memory of 2380	1416	cmd.exe	130
PID 1416 wrote to memory of 4192	1416	cmd.exe	131
PID 1416 wrote to memory of 4192	1416	cmd.exe	131
PID 4192 wrote to memory of 1984	4192	Client.exe	132
PID 4192 wrote to memory of 1984	4192	Client.exe	132
PID 4192 wrote to memory of 3208	4192	Client.exe	135
PID 4192 wrote to memory of 3208	4192	Client.exe	135
PID 3208 wrote to memory of 4416	3208	cmd.exe	137
PID 3208 wrote to memory of 4416	3208	cmd.exe	137
PID 3208 wrote to memory of 1620	3208	cmd.exe	138
PID 3208 wrote to memory of 1620	3208	cmd.exe	138
PID 3208 wrote to memory of 4780	3208	cmd.exe	139
PID 3208 wrote to memory of 4780	3208	cmd.exe	139
PID 4780 wrote to memory of 5080	4780	Client.exe	140
PID 4780 wrote to memory of 5080	4780	Client.exe	140
PID 4780 wrote to memory of 2564	4780	Client.exe	143
PID 4780 wrote to memory of 2564	4780	Client.exe	143
PID 2564 wrote to memory of 60	2564	cmd.exe	145
PID 2564 wrote to memory of 60	2564	cmd.exe	145
PID 2564 wrote to memory of 744	2564	cmd.exe	146
PID 2564 wrote to memory of 744	2564	cmd.exe	146
PID 2564 wrote to memory of 4000	2564	cmd.exe	148
PID 2564 wrote to memory of 4000	2564	cmd.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:516
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PelcLEjG6Zdm.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:400
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:8
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1ZoSRopqNCIF.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2572
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1812
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ti8LNAx5KyTv.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:800
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:212
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\45QVOBt6pYJO.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4828
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mLiry1lQjvZI.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P45VKPqOnU7O.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:60
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:744
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4000
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MR8dMiLzkMN9.bat" "
        15⤵
        
        PID:4572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:396
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4576
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:732
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\urEJx6DsisLe.bat" "
        17⤵
        
        PID:1536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1824
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMpvaJXAD0CY.bat" "
        19⤵
        
        PID:3520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4260
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1440
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cg3d5rVMX2OS.bat" "
        21⤵
        
        PID:4440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:4388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4012
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Usd9iaKVDxvd.bat" "
        23⤵
        
        PID:972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3028
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8esqIw2x1UrH.bat" "
        25⤵
        
        PID:956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1252
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5CHKBd8pb5oE.bat" "
        27⤵
        
        PID:3620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3392
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98POWOpJ2ltD.bat" "
        29⤵
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:5052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4404
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyfeJTivRhUi.bat" "
        31⤵
        
        PID:4464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2228
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3968
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jh5FT2Sw0OPF.bat" "
        33⤵
        
        PID:2236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XFXFk0UWMbxR.bat" "
        35⤵
        
        PID:1488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXp8ygqGCpE6.bat" "
        37⤵
        
        PID:540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:2264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1152
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ldi20R7Zahme.bat" "
        39⤵
        
        PID:5060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1096
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KVZ64mja6BgB.bat" "
        41⤵
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:1416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4720
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HirDOvcFs8Da.bat" "
        43⤵
        
        PID:2316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M8BCsoVCZD5f.bat" "
        45⤵
        
        PID:4440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:3012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2356
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q2aAHipRvUxH.bat" "
        47⤵
        
        PID:1092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:1940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2008
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCom1Oh8N72J.bat" "
        49⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3708
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1580
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dl08YMOxfZMH.bat" "
        51⤵
        
        PID:3500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:1956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:528
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DuUJ9ADHO7yI.bat" "
        53⤵
        
        PID:4172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:2240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gxkHeSujGFJH.bat" "
        55⤵
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:5012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y4DWZSyZYbFH.bat" "
        57⤵
        
        PID:3948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:3208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3376
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1944
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QLppNBni9b0P.bat" "
        59⤵
        
        PID:4020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:3032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4268
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1252
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tJIlHkdoBsxh.bat" "
        61⤵
        
        PID:1524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:3744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3764
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SmfHDPfUcfxl.bat" "
        63⤵
        
        PID:3172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:4648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\idbXv9tY3CgV.bat" "
        65⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:2664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3184
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        66⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h25208TNy8vb.bat" "
        67⤵
        
        PID:3952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:4924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        68⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4868
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WjmPVLVOnHQi.bat" "
        69⤵
        
        PID:3208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:5024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        70⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        71⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g0AArujEkleT.bat" "
        71⤵
        
        PID:3032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:2468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        72⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        73⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vL6aymqq6hYd.bat" "
        73⤵
        
        PID:3008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:4600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        74⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:792
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        75⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FvsXWfIB33qp.bat" "
        75⤵
        
        PID:3696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:5028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        76⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        77⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OI7al73nLFYM.bat" "
        77⤵
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:4364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        78⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        79⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WH3053rMxsGI.bat" "
        79⤵
        
        PID:5012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:1616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        80⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3116
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        81⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x0Pu0GwQuFcd.bat" "
        81⤵
        
        PID:3952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:4388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3996
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        82⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        83⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wR7bCEdYX6yg.bat" "
        83⤵
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:3356
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        84⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        85⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MNDCvKQXXO6K.bat" "
        85⤵
        
        PID:4616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:712
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        86⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2792
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        87⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCmZ0Kt6ay2s.bat" "
        87⤵
        
        PID:3744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        88⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3928
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        89⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QoGreNh5qjOp.bat" "
        89⤵
        
        PID:4928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:3736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        90⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        91⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LizzDE3Z6Z4r.bat" "
        91⤵
        
        PID:4008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:1632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3552
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        92⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4568
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        93⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PGjcVHMxr6QN.bat" "
        93⤵
        
        PID:2868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2104
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        94⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2704
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        95⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ma8PRSc1bEyl.bat" "
        95⤵
        
        PID:4088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:2884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        96⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4756
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        97⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCB3WX4aQ6a6.bat" "
        97⤵
        
        PID:4304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:3264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1464
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        98⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3768
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        99⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cILNdPB6ZRTf.bat" "
        99⤵
        
        PID:2416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:2864
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        100⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1764
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        101⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G5ltAfnykt7V.bat" "
        101⤵
        
        PID:3492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:1184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        102⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        103⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NsadJGPE3Htv.bat" "
        103⤵
        
        PID:3548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:216
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        104⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4656
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        105⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIfPsdYjBEu3.bat" "
        105⤵
        
        PID:4456
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1984
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        106⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2136
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        107⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgewuivrDikw.bat" "
        107⤵
        
        PID:744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:3844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        108⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2068
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        109⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3nNukHuIo8b3.bat" "
        109⤵
        
        PID:4440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:2876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3192
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        110⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1248
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        111⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cafWlrYv81t7.bat" "
        111⤵
        
        PID:4040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:3240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        112⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ZoSRopqNCIF.bat

Filesize
207B

MD5
8f135927682d3c94852ac8600e7f3f97

SHA1
883a241c1ea1e6df4ea819a647a75a8fb8abacae

SHA256
47886aa1cc9ed4a09cb3e8ced98e8fec0419851bbb91d554c1909d74e30bd963

SHA512
904834155d166180cf707f30e51d2addcca272b828686cafcf6aef55d3eb69f3e6f7d5259b7d6d14be78c3a7493c448b08184f88628aff16a4ec59403db4703d

Download Submit
C:\Users\Admin\AppData\Local\Temp\45QVOBt6pYJO.bat

Filesize
207B

MD5
0ac291bab55a7b8214441d6bcb27f70a

SHA1
b18fc73adb8c1c5b0a5e277518e344c523832af0

SHA256
86f9ccda3dc6df3f0307e2629f344513b33bd29fbc3ad67a1f7c58f76ebb967a

SHA512
02f682659cfeebb6af8515b2a5ead22467b4c268b15e3998435a84805f8166ff3942ee411527bcaaed489d744f898955fd8ead8d53f0b4b01188ff99010698c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CHKBd8pb5oE.bat

Filesize
207B

MD5
82a3110dc971640c69742a285c15a93f

SHA1
689f1da1c760102f2af3b30c766a68b3c784cb6f

SHA256
8a5bebaacf34b33294d176715dfeb8c6c3b809b0842db21713a899402c2afed8

SHA512
93fb2314a046ed6893738d76f6760be25ce1ad6935461480ea1ab7705945ade6d92350f742469420e38fdb1c3374852acca92e2e34578966da926de01f336a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\8esqIw2x1UrH.bat

Filesize
207B

MD5
6d03d642a8cecd69969c129a35d615ad

SHA1
64428dfca685e4db7995b706ced7ca035f2850f2

SHA256
ce590d6d2bef4b70844c8671b641c7168950ffad7adcec9d8affba37172fcbd0

SHA512
dbe41dd7a65edefe683d7144d761f8816be60a40d671a9d8b21028006fcbc784b0a56b90944efbe8ae106340183c226c3aea3be924088a81185e7ae72a6be213

Download Submit
C:\Users\Admin\AppData\Local\Temp\98POWOpJ2ltD.bat

Filesize
207B

MD5
2977c4f9b9f9dac5d9d7ca914bc320aa

SHA1
f6a7e6a0a419fb79f32602a807884089a5c9edc4

SHA256
54bf5909963fd9e8f03bc77cbfb1b818f391f7257f56a14a9b7ab987a5948b03

SHA512
baafc33d0061b7736caacc051af9a82ae0e1a3187c38e5a010ee9f7448b9382ab2c568d019421aa14c6532a11a4742adf416834f155b3383f10f0c129cd00713

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dl08YMOxfZMH.bat

Filesize
207B

MD5
5dbc3fb7ae6b1fc5fdd1253bc44e9be9

SHA1
a5bf583d9207985908a9780e026b9b54a1afa02b

SHA256
eaa2ec8f668ca4aea927d2c2916ba2649475fb213b30297aa63b436787bbfde6

SHA512
c026eafa09f07f05d0a2f1101e266167f6f7d3760451956e143b28cf35f4688570657b8d3fff1567e9324bb0b6eecf646fc7a6e23c55cf887929281d1d538d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\DuUJ9ADHO7yI.bat

Filesize
207B

MD5
83f818ccba3e135eaf5395634d2e70c6

SHA1
c3f93a36a6a80a4c232213c0649b761e3fb488bb

SHA256
cf69cb6d7866b114eaf03c3e8d635d9fa63ce66c58a0dd559b7baf31af76845e

SHA512
59692d5069298a694ea3228f7e1fa1c6954ba11212575097f347667c119eede9b26704ef33f17de49604e9835ca2aa50a50e58c6d715f2cda386bb459aa601dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXp8ygqGCpE6.bat

Filesize
207B

MD5
1dd7a93629ee2b15d7ad533c34d0e22a

SHA1
59c66c4f3f3c7267db0496b0a4a17e57f43cadc4

SHA256
00c83c36fd0bdeab33a96bf4a2ec13e639e97d36b95b682223c20ca770b83f08

SHA512
58d526a3f306372bec7a38abe0ed531f72248636a233263b65da3f163861d3792158bbf54fbbde129c7d933477dfdb636d9b94f03a2c074c831ff7161704f4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HirDOvcFs8Da.bat

Filesize
207B

MD5
909e7bdb5316deca3157a23552ec9816

SHA1
2fec11fa2ae115cdfea5237aaf6bdb98051d0c03

SHA256
9b07e8d4d7c92f7af6f4218e8e2913edef9f6cf5bc3e4148b21da04a2eb674b1

SHA512
621f8711383204bea97df262a61e2eb940ee934dcd1366e94d2e77f6eb807c9f6605d032a8bc779a23d4b83b160b28c8325f0f1c13a944c07ded4f11d71c3455

Download Submit
C:\Users\Admin\AppData\Local\Temp\KVZ64mja6BgB.bat

Filesize
207B

MD5
c6551f12690359effea254237f916cf9

SHA1
765d428013a4224f501570cd8e79339e999ec506

SHA256
09e043dcf90240a2d313d01f2256eb5862f17866cfaa94062117715f0b07c30e

SHA512
18defa5218b9c5bf67384d08a368d840671eaf1cd9e004f9262f3099121d99b641a0e13a491167ae327d608cc5e137468f629cb737f52a916dc70be9084e6a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ldi20R7Zahme.bat

Filesize
207B

MD5
dddc8de16454951e652be2e855241983

SHA1
65b527871ec32196ab6a36a12b3fc221ed80a7f3

SHA256
d9f8ea4fd2ef5fddb73e4ada98c3b3ca90f8688e993183ca0047fb411cde6f2d

SHA512
bf571c256e6f2eac10f337f27a92f5f456e8be4e2f6b181350f83f95cf33edb593983302be7966c8bdc40a2ec593ddb795e22159e88f742d100474644bec3adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\M8BCsoVCZD5f.bat

Filesize
207B

MD5
071b1279a5253c5ea2457e75beb05df2

SHA1
7b046ec6287506e0d02dd4944cb8063180e76917

SHA256
4d2573e7dfd589281c1b2bcd4b98f6a1235000194d614da6ae05b4b14792aae4

SHA512
e62e2f264b3e6d7c0240dfd880dc8a1c7a46947e8f5c60c53c576eadba37d145a037caa4fea1764543c21fb0fa2f9f0b87157fec9df7235363835bfdd307cd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\MR8dMiLzkMN9.bat

Filesize
207B

MD5
60c4251460e1c7ed01e07fcfe15bed0a

SHA1
dd96f600227db88db2c84651f36a724e158cf79b

SHA256
aca584888c49c9eb901c1d4d090ac71fc631e792ac1fca152c174717fcf45bb2

SHA512
ec1dc3690670a23a0a8f514efe4771d30fecee55193f5196bc4ac8b6cfd8d538ddbcb09015edb2ba47bd2d3689834ec21bfb1f8e0cffbdd54b042804ac2c25da

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMpvaJXAD0CY.bat

Filesize
207B

MD5
971afdf3e99e0fca35ec66f235b27971

SHA1
fdc1d79ebd5aad4cb8269a6fab9d047415c465e1

SHA256
fef691c75cef1449cdbb39192fdf0248c49960ae5cc570003680e24713c0feaf

SHA512
b7c7c01accaf6fabfeb2c9ce5c2acc59f50541e21b9314bb0d2c04870a73fb28980a1a0434bf9c8e4a043c05c32f295ebc06d6e842828578194af06d8313b15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\P45VKPqOnU7O.bat

Filesize
207B

MD5
9dca10270f9eb301c181299534b44abb

SHA1
fd9f7602772c5f507fe79adafde691bb7ccc822d

SHA256
bde876a49676efd5934ae3d6b60c8e3e7fdbf32313d56a39864183d30b583df6

SHA512
5d768d1bd0e2b2d5db6fd39d0b8463c7970dd56e68e292c8d713f1010713f44a8b81a4e0ce213e735d194f6a14445a975ff741e6583fb4a6b7df5cffc6414592

Download Submit
C:\Users\Admin\AppData\Local\Temp\PelcLEjG6Zdm.bat

Filesize
207B

MD5
6ea01dcb240e0975efdc1abe748c0b14

SHA1
6c6c0d34c9b270030856b9740e24c2e9ad2675a1

SHA256
44877e4e9fc17cee82f8534e6fb9e8da505353d44dbf9f27bf97bfa92ade6786

SHA512
70445195e6d4257500aef0d6e8b5817e67b61eb17d61071f57f209df23de8bf91134acebff44a9bb40d3f8bd637579ef1e754418b3f3f960be4ce3e25af47716

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLppNBni9b0P.bat

Filesize
207B

MD5
d13b4c3158518b103b148aee6c226612

SHA1
47e0958e6ec05053d97cdb9dac95b38b6797f742

SHA256
e782e212363568e1dac70f2ed08cc2c97eeca20452ed76c2fcf6fed6b3d13944

SHA512
2d4f4894796795bfd1292ab27784e86a4581872839aac79d4833b2f59f668ec191efc7fb4e52432393d1e1476a2c1bbb636a96f29d14ff839582ff5344768427

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmfHDPfUcfxl.bat

Filesize
207B

MD5
60dd155b8f36c8d8c8031bde78840af8

SHA1
4e234fe1ea20255829a043c0179d265d5188b3fc

SHA256
f110c7dcd372efa3474e2b7d6cf30b401f381baca33a270b75b7c5693a957800

SHA512
edcf6428c0ed4e25ce275885594b9fae6a75ad2ec9ab22f8899935b6c0f812d65c402a7cee8fc0f42b3572b90cfc7354f28633d08bc50de23b825e523333b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ti8LNAx5KyTv.bat

Filesize
207B

MD5
632e869bb00f306517fbac007cd3d5e1

SHA1
255172e6d9ea35b994f5213d5eb6ee84e027bf19

SHA256
cee44bd8b9399e68453eb00eff1251da87943c7fce4184f021357796d2cbfcc7

SHA512
3e87f15da51bac2e7fc55326b0cdc7d6de35a314ce3e03f9a45a4c113df0cca7fde20e6dec690d66cc0cc4f324bec359c8ef0afaa6710a0779eb48a943698bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usd9iaKVDxvd.bat

Filesize
207B

MD5
a06e15d01d7859fecfb90ba3ebcaae67

SHA1
c27857021c682fa089e1387857d57e722bea48a8

SHA256
1df01c21f00164bf922f0c7e53b213a2aa9ef99a4564c3b1ee2e69a97465b279

SHA512
6c1d847ea1894c5542e7f02acc2ccb2289c26019f53ab3f9a41623acca4cfcff1655d920d2d26c5a4a3d9d3fabfb62b11359f610a8eb6d43a170c0b80c20fcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFXFk0UWMbxR.bat

Filesize
207B

MD5
656545250d5fa68c49e70dc972541f5b

SHA1
3dfbba2b53eaa7c8b379740213145a89c2c87e46

SHA256
1c9fa1f435a292706f157e7bf6829791bf0ca39c87de1fbfdbe1bc6e5d282ad5

SHA512
23b9174c8ab472e6ae360d1714747c27935932196b09822c077a914ebbfd23ca0e1195efdad2dfe207d0ff8a66dd2df501be674aac7235451553d47ee6c79d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZCom1Oh8N72J.bat

Filesize
207B

MD5
4504687da9e764a6c16e295ea12ddcaf

SHA1
36cc6ad848c6a68f0f697e1cb8754eeef801ae86

SHA256
5d748b2ead4761d8cfd6c791ed0a9a6085d12c5ff4d5ebe2cb0dc3f3901219d6

SHA512
26bb83b30c122ccdecb2998fec911b56afd5af88bbb37abdab8b3ad8ee8e6b611f843175db1abd46ace522aecf2d4cb1dee6e5805d68235a3ed20de2e3a417c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cg3d5rVMX2OS.bat

Filesize
207B

MD5
fdcbdd925c4003b35bd141f6054152bb

SHA1
24c0e97d556e146b3b25a03d0b1d8d36c0538103

SHA256
6368262d432bb451701f52fe6ae6b2fbb2b555bf9a07ff207d643462da76ffbc

SHA512
080279275704f03d1a6325291dca0785db4f10ffbf04c0fc4380b86c386de121598dc87e98808776d02cb330405c3aa0fc2203d78a03bfd4bae883b298306ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gxkHeSujGFJH.bat

Filesize
207B

MD5
223b4829f2316fad68eb05965cb98c07

SHA1
27f5708b00ccab57d0a16b893040e3e7a0c89f73

SHA256
1f89c0e5f35277f8a6af88bc32a164b2649a4c00f2ab7ec5b9681b5ee5885734

SHA512
f1666eef6b0f40ddfdfbed31e3564e00b0dbcb5d30c2d9a0ba1d2d25c8934641ece84f10c5448ec4404b11290a19b7e712aaf8255ecc2c14373d9ad1d92024f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jh5FT2Sw0OPF.bat

Filesize
207B

MD5
9ee5250adf9ddb863b3028fb86fd90fc

SHA1
0fdfb050f54f6e211566749d07096db7c56e313d

SHA256
a44b0933a8917b2b3ae8f58d7929ef611d63e641a8283c90d92c5be76dc23f63

SHA512
c91c138250bbea106b9115010608a4a26e9f337f31fc5c564f3938fc1a7b255fc8af19437380b5191f843e33d765609c68511e341ecd0abafc4f7899609003a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\mLiry1lQjvZI.bat

Filesize
207B

MD5
ba2bd0ef08b4b7ef68598ee84414119d

SHA1
46127081b8b67ebc2383ab0026037d3403e7df21

SHA256
438af029dd2c99ec10a6da7026f8393376d1c1146ba3885bc79acfd4235ac48c

SHA512
e913ca906c788af8e69ee74e10e75e35e0734cb669c84b0c6dd250e9249331afb11af7282e9a5e0fe2405d0e0ea256f695f2e1e7b677ffefeb3df6e8a69dd7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2aAHipRvUxH.bat

Filesize
207B

MD5
42ef291283a4060cf21762ba98828817

SHA1
f54e43e1362704e87b2863e2ecc16b07fca9952b

SHA256
10e1222627a3fa3fd393d844dc2d088dae3f7c63b038f2b4ec4893abbdc74335

SHA512
eead1096c836e33d4ab130bda358204f6437dbba215b2dc55dfb9b91611ecfd538af3d63183e8125b06b5881a3c036aa972a72028bcc2f9ef3367487e95bd203

Download Submit
C:\Users\Admin\AppData\Local\Temp\tJIlHkdoBsxh.bat

Filesize
207B

MD5
32633bb8413f9292737a4b61c77936c1

SHA1
9e8a82de3548cc182954b82f6bbacb2b42cede36

SHA256
75048beb6f74c4c90024a791fffc5434cba6fb08b236914be83c6707e8b0df1e

SHA512
509b2fb7e70cd1b1f1038ccc33eb84cb5f80756b7eb0e3a5e9183849b2618a43619d27cb34ef4c61a4be98e141fa953032649078a92c7ddb51264e777d47bd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyfeJTivRhUi.bat

Filesize
207B

MD5
0c49a6274c8e32d05b31b39bf0e93140

SHA1
c2d03d965ea60519b4b38e4ee4b963ced61ba73e

SHA256
d0687c57cb43f7d38e960fdf75d67a026869e894d3394198082a756284c0f799

SHA512
711e66187b9197d3ceef5ba9a63bba8ae330a5e6b5189b4223895c75ed6ac4ff0e6c676836dea0966951a95a22aabb2ee7b127eed56245b58567a193b354b8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\urEJx6DsisLe.bat

Filesize
207B

MD5
5e17191856b36da29c2281a2756a9926

SHA1
89b50fb28a4788fd9e294a3372d8ac39648b01d8

SHA256
dddbb0ebafe25daa73442b9c9491f2710c6def3ee41fff9e6c51beec71704e1e

SHA512
9ebe42510c8df0c27577bae53d3e1a6d14ed71909c5b2571cd190fde225979251aaa3b9a98aadb75ac74891b3e2c96c5422235ef15f3dc8adbea83c470fe484b

Download Submit
C:\Users\Admin\AppData\Local\Temp\y4DWZSyZYbFH.bat

Filesize
207B

MD5
610f8323f42b785cd879ba8802fefe38

SHA1
2b4c20affb04aea48efa2b9b70f471e2ca8f1a4b

SHA256
7308df5d9db88c2a2fb5c178c871b7eaf29aa1c87ca7b1060d0d336166b21fd2

SHA512
b6280c554851220c011850792a60399719c15828fd3a7bdf903ca26e6d183e9fa5ee010faf89ad46bdfd292a31aee97344bae3bf6315a1f2f2b296c51b5101e5

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
7dbac71bcc7920b66e8c4fc04fbc30dd

SHA1
c746b4358c2a15765a010c1890979239f152d6f7

SHA256
ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd

SHA512
56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24

Download Submit
memory/3680-8-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

Filesize
10.8MB

Download
memory/3680-0-0x00007FF989B43000-0x00007FF989B45000-memory.dmp

Filesize
8KB

Download
memory/3680-2-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

Filesize
10.8MB

Download
memory/3680-1-0x0000000000AD0000-0x0000000000DF4000-memory.dmp

Filesize
3.1MB

Download
memory/4936-17-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

Filesize
10.8MB

Download
memory/4936-9-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

Filesize
10.8MB

Download
memory/4936-10-0x00007FF989B40000-0x00007FF98A601000-memory.dmp

Filesize
10.8MB

Download
memory/4936-11-0x000000001BE20000-0x000000001BE70000-memory.dmp

Filesize
320KB

Download
memory/4936-12-0x000000001BF30000-0x000000001BFE2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads