Analysis
max time kernel: 329s
max time network: 330s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 26/01/2025, 21:03

Behavioral task: behavioral1
Sample: Client-built.exe
Resource: win7-20240903-en

General
Target: Client-built.exe
Size: 3.1MB
MD5: 7dbac71bcc7920b66e8c4fc04fbc30dd
SHA1: c746b4358c2a15765a010c1890979239f152d6f7
SHA256: ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd
SHA512: 56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24
SSDEEP: 49152:bvylL26AaNeWgPhlmVqvMQ7XSKB4RJ6kbR3LoGdXdTHHB72eh2NT:bvqL26AaNeWgPhlmVqkQ7XSKB4RJ6uH

Malware Config
Extracted
quasar
1.4.1
Office04
hojex31104-23437.portmap.host:23437
de505f8f-b6d9-44cb-b9ce-7e2f491eb29e
encryption_key: D9C52C486698B9297B9AC8B87A65EA67135BE386
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar family

Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2352-1-0x0000000000840000-0x0000000000B64000-memory.dmp | family_quasar
  behavioral2/files/0x000a000000023b93-5.dat | family_quasar

Checks computer location settings (2 TTPs, 32 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | Client.exe
  (the same entry is recorded 32 times)

Executes dropped EXE (32 IoCs)
  Process: Client.exe
  pids: 4820, 644, 2264, 1484, 3264, 5016, 3440, 1560, 4216, 4044, 1208, 4460, 632, 1780, 648, 4584, 388, 1428, 3740, 212, 3144, 1964, 1252, 5008, 4408, 3600, 3972, 1376, 5020, 4680, 4960, 1872

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 32 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  Process: PING.EXE
  pids: 2740, 2040, 1932, 840, 1872, 3132, 4420, 4084, 2844, 4140, 1116, 3128, 1092, 3884, 3836, 1456, 2012, 4168, 2280, 3256, 2416, 3544, 2352, 1308, 1876, 1956, 4144, 4924, 2348, 3408, 4548, 4976

Runs ping.exe (1 TTPs, 32 IoCs)
  Process: PING.EXE
  pids: 1876, 2416, 3836, 2040, 1308, 1932, 3544, 2740, 1116, 1456, 2844, 2012, 4976, 4084, 3884, 4924, 2348, 2280, 4140, 1872, 1956, 1092, 4144, 3128, 4548, 4168, 3132, 3256, 4420, 840, 2352, 3408

Scheduled Task/Job: Scheduled Task (1 TTPs, 33 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process: schtasks.exe
  pids: 2936, 216, 4876, 4148, 3980, 3056, 1668, 2880, 4496, 4444, 3236, 2428, 4792, 3472, 1052, 2988, 4360, 2324, 2352, 2304, 2936, 5088, 1408, 2404, 1296, 468, 5072, 5100, 2852, 1816, 4572, 4868, 3088

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2352 | Client-built.exe
  Token: SeDebugPrivilege | Client.exe pids: 4820, 644, 2264, 1484, 3264, 5016, 3440, 1560, 4216, 4044, 1208, 4460, 632, 1780, 648, 4584, 388, 1428, 3740, 212, 3144, 1964, 1252, 5008, 4408, 3600, 3972, 1376, 5020, 4680, 4960, 1872

Suspicious use of FindShellTrayWindow (32 IoCs)
  Process: Client.exe
  pids: 4820, 644, 2264, 1484, 3264, 5016, 3440, 1560, 4216, 4044, 1208, 4460, 632, 1780, 648, 4584, 388, 1428, 3740, 212, 3144, 1964, 1252, 5008, 4408, 3600, 3972, 1376, 5020, 4680, 4960, 1872

Suspicious use of SendNotifyMessage (32 IoCs)
  Process: Client.exe
  pids: 4820, 644, 2264, 1484, 3264, 5016, 3440, 1560, 4216, 4044, 1208, 4460, 632, 1780, 648, 4584, 388, 1428, 3740, 212, 3144, 1964, 1252, 5008, 4408, 3600, 3972, 1376, 5020, 4680, 4960, 1872

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  1780 | Client.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2352 wrote to memory of 1052 | 2352 | Client-built.exe | 82
  PID 2352 wrote to memory of 1052 | 2352 | Client-built.exe | 82
  PID 2352 wrote to memory of 4820 | 2352 | Client-built.exe | 84
  PID 2352 wrote to memory of 4820 | 2352 | Client-built.exe | 84
  PID 4820 wrote to memory of 2988 | 4820 | Client.exe | 86
  PID 4820 wrote to memory of 2988 | 4820 | Client.exe | 86
  PID 4820 wrote to memory of 2840 | 4820 | Client.exe | 88
  PID 4820 wrote to memory of 2840 | 4820 | Client.exe | 88
  PID 2840 wrote to memory of 1304 | 2840 | cmd.exe | 90
  PID 2840 wrote to memory of 1304 | 2840 | cmd.exe | 90
  PID 2840 wrote to memory of 2844 | 2840 | cmd.exe | 91
  PID 2840 wrote to memory of 2844 | 2840 | cmd.exe | 91
  PID 2840 wrote to memory of 644 | 2840 | cmd.exe | 97
  PID 2840 wrote to memory of 644 | 2840 | cmd.exe | 97
  PID 644 wrote to memory of 5088 | 644 | Client.exe | 99
  PID 644 wrote to memory of 5088 | 644 | Client.exe | 99
  PID 644 wrote to memory of 2260 | 644 | Client.exe | 102
  PID 644 wrote to memory of 2260 | 644 | Client.exe | 102
  PID 2260 wrote to memory of 3212 | 2260 | cmd.exe | 104
  PID 2260 wrote to memory of 3212 | 2260 | cmd.exe | 104
  PID 2260 wrote to memory of 2416 | 2260 | cmd.exe | 105
  PID 2260 wrote to memory of 2416 | 2260 | cmd.exe | 105
  PID 2260 wrote to memory of 2264 | 2260 | cmd.exe | 106
  PID 2260 wrote to memory of 2264 | 2260 | cmd.exe | 106
  PID 2264 wrote to memory of 2852 | 2264 | Client.exe | 107
  PID 2264 wrote to memory of 2852 | 2264 | Client.exe | 107
  PID 2264 wrote to memory of 4236 | 2264 | Client.exe | 109
  PID 2264 wrote to memory of 4236 | 2264 | Client.exe | 109
  PID 4236 wrote to memory of 2096 | 4236 | cmd.exe | 111
  PID 4236 wrote to memory of 2096 | 4236 | cmd.exe | 111
  PID 4236 wrote to memory of 1872 | 4236 | cmd.exe | 112
  PID 4236 wrote to memory of 1872 | 4236 | cmd.exe | 112
  PID 4236 wrote to memory of 1484 | 4236 | cmd.exe | 115
  PID 4236 wrote to memory of 1484 | 4236 | cmd.exe | 115
  PID 1484 wrote to memory of 3236 | 1484 | Client.exe | 116
  PID 1484 wrote to memory of 3236 | 1484 | Client.exe | 116
  PID 1484 wrote to memory of 2324 | 1484 | Client.exe | 118
  PID 1484 wrote to memory of 2324 | 1484 | Client.exe | 118
  PID 2324 wrote to memory of 4448 | 2324 | cmd.exe | 120
  PID 2324 wrote to memory of 4448 | 2324 | cmd.exe | 120
  PID 2324 wrote to memory of 3544 | 2324 | cmd.exe | 121
  PID 2324 wrote to memory of 3544 | 2324 | cmd.exe | 121
  PID 2324 wrote to memory of 3264 | 2324 | cmd.exe | 122
  PID 2324 wrote to memory of 3264 | 2324 | cmd.exe | 122
  PID 3264 wrote to memory of 4360 | 3264 | Client.exe | 123
  PID 3264 wrote to memory of 4360 | 3264 | Client.exe | 123
  PID 3264 wrote to memory of 3688 | 3264 | Client.exe | 125
  PID 3264 wrote to memory of 3688 | 3264 | Client.exe | 125
  PID 3688 wrote to memory of 32 | 3688 | cmd.exe | 127
  PID 3688 wrote to memory of 32 | 3688 | cmd.exe | 127
  PID 3688 wrote to memory of 2352 | 3688 | cmd.exe | 128
  PID 3688 wrote to memory of 2352 | 3688 | cmd.exe | 128
  PID 3688 wrote to memory of 5016 | 3688 | cmd.exe | 129
  PID 3688 wrote to memory of 5016 | 3688 | cmd.exe | 129
  PID 5016 wrote to memory of 2880 | 5016 | Client.exe | 130
  PID 5016 wrote to memory of 2880 | 5016 | Client.exe | 130
  PID 5016 wrote to memory of 3980 | 5016 | Client.exe | 132
  PID 5016 wrote to memory of 3980 | 5016 | Client.exe | 132
  PID 3980 wrote to memory of 4612 | 3980 | cmd.exe | 134
  PID 3980 wrote to memory of 4612 | 3980 | cmd.exe | 134
  PID 3980 wrote to memory of 3408 | 3980 | cmd.exe | 135
  PID 3980 wrote to memory of 3408 | 3980 | cmd.exe | 135
  PID 3980 wrote to memory of 3440 | 3980 | cmd.exe | 136
  PID 3980 wrote to memory of 3440 | 3980 | cmd.exe | 136

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
PID:1052
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMAcY4fU7oNC.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\system32\chcp.comchcp 650014⤵PID:1304
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2844
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
PID:5088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xrx1gBu44f7p.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\system32\chcp.comchcp 650016⤵PID:3212
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2416
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
PID:2852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jitjvcCXuURY.bat" "7⤵
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\system32\chcp.comchcp 650018⤵PID:2096
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1872
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
PID:3236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p3Qt2lRHWkm1.bat" "9⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\system32\chcp.comchcp 6500110⤵PID:4448
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3544
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
PID:4360
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mneKrosNoJYZ.bat" "11⤵
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Windows\system32\chcp.comchcp 6500112⤵PID:32
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2352
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
PID:2880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vt1extg0h9o1.bat" "13⤵
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\system32\chcp.comchcp 6500114⤵PID:4612
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3408
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3440 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
PID:1408
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\er9LZ0u8Jyur.bat" "15⤵PID:3696
-
C:\Windows\system32\chcp.comchcp 6500116⤵PID:748
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1956
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1560 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
PID:2936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0KBSf4S5QXU.bat" "17⤵PID:1320
-
C:\Windows\system32\chcp.comchcp 6500118⤵PID:1276
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4144
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4216 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
PID:2404
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E3OthLSgmKQb.bat" "19⤵PID:4300
-
C:\Windows\system32\chcp.comchcp 6500120⤵PID:2132
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4548
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4044 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
PID:1816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\50xs9K2VZsGO.bat" "21⤵PID:4448
-
C:\Windows\system32\chcp.comchcp 6500122⤵PID:3928
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3884
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1208 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
PID:2324
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8qwvQacli4oo.bat" "23⤵PID:2700
-
C:\Windows\system32\chcp.comchcp 6500124⤵PID:760
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2012
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4460 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f25⤵
- Scheduled Task/Job: Scheduled Task
PID:2352
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NU5ZFtbZkeGZ.bat" "25⤵PID:2880
-
C:\Windows\system32\chcp.comchcp 6500126⤵PID:2912
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4924
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:632 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f27⤵
- Scheduled Task/Job: Scheduled Task
PID:3980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sXg4fD6qHEfH.bat" "27⤵PID:3388
-
C:\Windows\system32\chcp.comchcp 6500128⤵PID:748
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4976
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1780 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f29⤵
- Scheduled Task/Job: Scheduled Task
PID:468
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9BuTJEmIhcwi.bat" "29⤵PID:2024
-
C:\Windows\system32\chcp.comchcp 6500130⤵PID:3340
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2740
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:648 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f31⤵
- Scheduled Task/Job: Scheduled Task
PID:4496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D7bevenF3XgL.bat" "31⤵PID:5008
-
C:\Windows\system32\chcp.comchcp 6500132⤵PID:4896
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4168
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4584 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f33⤵
- Scheduled Task/Job: Scheduled Task
PID:2428
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zolc2uidacSz.bat" "33⤵PID:3036
-
C:\Windows\system32\chcp.comchcp 6500134⤵PID:4300
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost34⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4140
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:388 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f35⤵
- Scheduled Task/Job: Scheduled Task
PID:4572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYXyuCyJCz4S.bat" "35⤵PID:3248
-
C:\Windows\system32\chcp.comchcp 6500136⤵PID:4448
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost36⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3836
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1428 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f37⤵
- Scheduled Task/Job: Scheduled Task
PID:1296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAMolkIfip2T.bat" "37⤵PID:32
-
C:\Windows\system32\chcp.comchcp 6500138⤵PID:2588
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost38⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2040
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3740 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f39⤵
- Scheduled Task/Job: Scheduled Task
PID:216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGYSOMBmKiEg.bat" "39⤵PID:1864
-
C:\Windows\system32\chcp.comchcp 6500140⤵PID:4832
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost40⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1308
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:212 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f41⤵
- Scheduled Task/Job: Scheduled Task
PID:4868
-
-
[depth 41] C:\Windows\system32\cmd.exe (PID 416)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9bVHXon9S2sv.bat" "
[depth 42] C:\Windows\system32\chcp.com (PID 1768)
  cmdline: chcp 65001
[depth 42] C:\Windows\system32\PING.EXE (PID 1116)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 42] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3144)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 43] C:\Windows\SYSTEM32\schtasks.exe (PID 3088)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 43] C:\Windows\system32\cmd.exe (PID 2840)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qPvWC0zAEru1.bat" "
[depth 44] C:\Windows\system32\chcp.com (PID 2304)
  cmdline: chcp 65001
[depth 44] C:\Windows\system32\PING.EXE (PID 3132)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 44] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1964)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 45] C:\Windows\SYSTEM32\schtasks.exe (PID 5072)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 45] C:\Windows\system32\cmd.exe (PID 4240)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8IaxqSlI8Dn1.bat" "
[depth 46] C:\Windows\system32\chcp.com (PID 2024)
  cmdline: chcp 65001
[depth 46] C:\Windows\system32\PING.EXE (PID 1876)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 46] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1252)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 47] C:\Windows\SYSTEM32\schtasks.exe (PID 4876)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 47] C:\Windows\system32\cmd.exe (PID 3520)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xDynr0LPLoC3.bat" "
[depth 48] C:\Windows\system32\chcp.com (PID 1652)
  cmdline: chcp 65001
[depth 48] C:\Windows\system32\PING.EXE (PID 3256)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 48] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 5008)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 49] C:\Windows\SYSTEM32\schtasks.exe (PID 4792)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 49] C:\Windows\system32\cmd.exe (PID 4236)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOYxY86nSBiD.bat" "
[depth 50] C:\Windows\system32\chcp.com (PID 3244)
  cmdline: chcp 65001
[depth 50] C:\Windows\system32\PING.EXE (PID 2348)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 50] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4408)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 51] C:\Windows\SYSTEM32\schtasks.exe (PID 4148)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 51] C:\Windows\system32\cmd.exe (PID 3416)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tZFXomNffil6.bat" "
[depth 52] C:\Windows\system32\chcp.com (PID 4596)
  cmdline: chcp 65001
[depth 52] C:\Windows\system32\PING.EXE (PID 3128)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 52] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3600)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 53] C:\Windows\SYSTEM32\schtasks.exe (PID 3472)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 53] C:\Windows\system32\cmd.exe (PID 2096)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XvtV2NHut5Ej.bat" "
[depth 54] C:\Windows\system32\chcp.com (PID 2152)
  cmdline: chcp 65001
[depth 54] C:\Windows\system32\PING.EXE (PID 4420)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 54] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 3972)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 55] C:\Windows\SYSTEM32\schtasks.exe (PID 3056)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 55] C:\Windows\system32\cmd.exe (PID 4208)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nnenzYAVe5sg.bat" "
[depth 56] C:\Windows\system32\chcp.com (PID 4224)
  cmdline: chcp 65001
[depth 56] C:\Windows\system32\PING.EXE (PID 1456)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 56] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1376)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 57] C:\Windows\SYSTEM32\schtasks.exe (PID 5100)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 57] C:\Windows\system32\cmd.exe (PID 2108)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQ5TLIzFTwmQ.bat" "
[depth 58] C:\Windows\system32\chcp.com (PID 4976)
  cmdline: chcp 65001
[depth 58] C:\Windows\system32\PING.EXE (PID 4084)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 58] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 5020)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 59] C:\Windows\SYSTEM32\schtasks.exe (PID 2304)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 59] C:\Windows\system32\cmd.exe (PID 3988)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\29K4AhOFn4ve.bat" "
[depth 60] C:\Windows\system32\chcp.com (PID 3340)
  cmdline: chcp 65001
[depth 60] C:\Windows\system32\PING.EXE (PID 1932)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 60] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4680)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 61] C:\Windows\SYSTEM32\schtasks.exe (PID 2936)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 61] C:\Windows\system32\cmd.exe (PID 1316)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t5pNnvjG13YI.bat" "
[depth 62] C:\Windows\system32\chcp.com (PID 2532)
  cmdline: chcp 65001
[depth 62] C:\Windows\system32\PING.EXE (PID 840)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 62] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4960)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 63] C:\Windows\SYSTEM32\schtasks.exe (PID 1668)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 63] C:\Windows\system32\cmd.exe (PID 3520)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PNNHfbAzKIVF.bat" "
[depth 64] C:\Windows\system32\chcp.com (PID 1312)
  cmdline: chcp 65001
[depth 64] C:\Windows\system32\PING.EXE (PID 1092)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 64] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 1872)
  cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 65] C:\Windows\SYSTEM32\schtasks.exe (PID 4444)
  cmdline: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task

[depth 65] C:\Windows\system32\cmd.exe (PID 4484)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyZ7CNECk19j.bat" "
[depth 66] C:\Windows\system32\chcp.com (PID 1420)
  cmdline: chcp 65001
[depth 66] C:\Windows\system32\PING.EXE (PID 2280)
  cmdline: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
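The tree above is one cycle repeated: cmd.exe runs a .bat just dropped in %TEMP%, the batch sets the code page (chcp 65001), runs `ping -n 10 localhost` as a delay (the sandbox tags the ping as Internet Connection Discovery, but against localhost it only buys time), relaunches Client.exe from AppData\Roaming\SubDir, and the relaunched client re-registers the "Quasar Client Startup" task with `/sc ONLOGON /rl HIGHEST /f`. The following is an added example, not part of the tria.ge report and not Quasar's code, showing how both behaviours can be flagged in process-creation telemetry. The events mirror one cycle of the tree in Sysmon Event ID 1 style fields (pid, ppid, image, cmdline) and are constructed, as are the benign control task and the rule names.

```python
"""Added example, not part of the tria.ge report: flag the two behaviours the
process tree repeats on every cycle, the ONLOGON/HIGHEST scheduled task that
points at a user-writable binary and the %TEMP% batch file that sleeps via
ping and relaunches an EXE from a user-writable path.

EVENTS is constructed sample data (Sysmon Event ID 1 style), not the sandbox's
telemetry export; the last event is a benign control that must not fire.
"""
import re
import shlex
from collections import defaultdict

EVENTS = [
    # cmd.exe running a freshly dropped .bat from %TEMP% (depth 37 in the report)
    {"pid": 32, "ppid": 2352, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAMolkIfip2T.bat" "'},
    {"pid": 2588, "ppid": 32, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    # ping against localhost is the batch file's sleep; tria.ge labels it T1016.001
    {"pid": 2040, "ppid": 32, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 3740, "ppid": 32, "image": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'},
    {"pid": 216, "ppid": 3740, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'},
    # benign control (constructed): a daily task whose action lives under Program Files
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'},
]

# Locations an unprivileged user can write to; a task action there is attacker-controlled.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp)\\", re.I)
TEMP_BAT = re.compile(r'\\Temp\\[^\\"]+\.bat\b', re.I)


def parse_schtasks(cmdline):
    """Split a schtasks command line into {"verbs": set, "/opt": value} using Windows quoting (no escapes)."""
    try:
        argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    opts = {"verbs": set()}
    i = 1                                    # argv[0] is the program itself
    while i < len(argv):
        low = argv[i].lower()
        if low in ("/create", "/delete", "/query", "/run", "/end", "/change"):
            opts["verbs"].add(low)
            i += 1
        elif low in ("/f", "/z", "/it", "/np", "/v"):   # switches that take no value
            opts[low] = True
            i += 1
        elif low.startswith("/") and i + 1 < len(argv):
            opts[low] = argv[i + 1]
            i += 2
        else:
            i += 1
    return opts


def schtasks_persistence(ev):
    """Flag a task that runs a user-writable binary at logon and/or with highest privileges."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    opts = parse_schtasks(ev["cmdline"])
    if not opts or "/create" not in opts["verbs"]:
        return None
    action = opts.get("/tr", "")
    if not USER_WRITABLE.search(action):
        return None
    traits = [k for k, v in (("ONLOGON", opts.get("/sc", "")), ("HIGHEST", opts.get("/rl", "")))
              if v.upper() == k]
    if not traits:
        return None
    return {"rule": "schtasks_user_writable_action", "pid": ev["pid"], "attack": "T1053.005",
            "detail": f"task {opts.get('/tn', '?')!r} runs {action} ({', '.join(traits)})"}


def ping_delay(cmdline):
    """Return the -n count of a ping to the local host (the cmd.exe sleep idiom), else 0."""
    low = cmdline.lower()
    if "ping" not in low or not re.search(r"\blocalhost\b|\b127\.0\.0\.1\b", low):
        return 0
    m = re.search(r"-n\s+(\d+)", low)
    return int(m.group(1)) if m else 1


def batch_relaunch(events):
    """Flag cmd.exe running a %TEMP% .bat whose children are a ping delay and an EXE from a user-writable path."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe") or not TEMP_BAT.search(ev["cmdline"]):
            continue
        kids = children[ev["pid"]]
        delay = max((ping_delay(k["cmdline"]) for k in kids), default=0)
        relaunched = [k["image"] for k in kids
                      if k["image"].lower().endswith(".exe") and USER_WRITABLE.search(k["image"])]
        if delay >= 3 and relaunched:
            bat = TEMP_BAT.search(ev["cmdline"]).group(0)
            findings.append({"rule": "batch_ping_relaunch", "pid": ev["pid"], "attack": "T1059.003",
                             "detail": f"{bat} delays with ping -n {delay} localhost, then starts {relaunched[0]}"})
    return findings


def analyze(events):
    """Run both rules over a list of process-creation events and return the findings."""
    findings = [f for f in (schtasks_persistence(ev) for ev in events) if f]
    findings.extend(batch_relaunch(events))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f['attack']}] {f['rule']} pid={f['pid']}: {f['detail']}")
```

Both rules key on the parent/child relationship rather than on the task name or the .bat file names, which change on every cycle here; the user-writable-path check is what separates the Quasar task from the constructed Program Files control. On a live host the same logic runs over Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled), and the relaunch count per cmd.exe parent gives the number of restart cycles.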
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
  MD5:    8f0271a63446aef01cf2bfc7b7c7976b
  SHA1:   b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
  SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
  SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Filesize: 207B
  MD5:    dbce2516cb901dc8b285d57489903899
  SHA1:   6f927fcbc5e53073c7c813d3e57b663d17c976f5
  SHA256: 8e16ef9d0572c0ba74651ac8b46d1d0ad2ea4b00cc93fe69560cf5d935d4463e
  SHA512: 2c133240de5dfd41e3f8fac2cf43d860a98f9c4de74b2725097ed9cdb0c0b6518ee24c6d64128b24e21e2e52e1aa79a53ea8d1e6fa235c18f4a6e1437e244edf

Filesize: 207B
  MD5:    a716b1dd5fb3cc6305dfc7161132e9af
  SHA1:   e610ab93ffc3e014e08ae3a329df2de509e700db
  SHA256: 99a1b34d211f1080f09a7f7f5cc1b83af5a635214c2a8c275f2757062bcff2e4
  SHA512: 9812fa637839f847739a15cffc753285a2762813bf0fb55eca7651fc19a2d2676a43a5f3a3cc4bd945efd17674cdcebd0c992d1bd9e2295dd6f3a6b5ba43c64c

Filesize: 207B
  MD5:    c2b8c2c529b1ff85159ff09fe3e012ef
  SHA1:   083fd9b001a52c9b0abd1171c97c48fa0ee97024
  SHA256: da02bd752ba6050b52821163e24f919aad48172d16fd860d67f45f6f59fbfc39
  SHA512: 6e96507ca54bc2d189c066ffa9946c1875007ea5744fb0de06e62b7dcb1aa60f4a5f69fdac9866bc34c4057bdbdd6d08291c6be0e81d0ea5b95d5182d354e466

Filesize: 207B
  MD5:    8782662bce8ef9dad8a685cdfb366e55
  SHA1:   e28c25338ae97d2c497a0d9a89dff52c4f6a7e46
  SHA256: ad924390032651aacdd4b0c33a16c0d2b25704eed92bd8b33c228fe45685bffa
  SHA512: f0ed4d8c2e3a59c3b353e3d944bddf1d17456e81b808367fb074f9839f878f3a4874b94bc0541bb3ed990918f7521e6e2aedaa1f742e22ef96bd465bc0c6faa1

Filesize: 207B
  MD5:    609ee15ad2083ab536ce2fc52f6c3d22
  SHA1:   d7da8d2647ba8ce81bab96a356388b147a3392d8
  SHA256: efae6e6bc5db8f295f1814a84c317faefa664fcb6cd6d562e3ed8a0c6f7382c9
  SHA512: b350f72e5866160f5617e5e022400a0188dd36dbb16c841ede9c868645aa97725acafa818faa67ecd1012e239fb3e9ed2a94ff05bde0273a781b3faa0e358f9c

Filesize: 207B
  MD5:    91bba9c547b1ef679135fd290f282828
  SHA1:   b1ba4800aefba458fff1f922f232f9389af796c7
  SHA256: 9d44f5aef19549800e42ee07dd1b56e88dd59e6a48fd3f9b72a5c93fec5bd28d
  SHA512: 0459cfe07a2c76f7e15cb5dab02210f74fcde8eeea04bb083afcf8714c9c69d1247a4ec437377404a71c844d1c9eb51eb2ca55c4b92977fbe866d664b15e6581

Filesize: 207B
  MD5:    a0a0c76a35ea556f85e8d255d6dd9e02
  SHA1:   49b7e3d4af9b4aa5ffdf5e6af22bbb7a36e1dc84
  SHA256: dedee90587333dcc040784e843b4c66b3a8a2efa95f1ab400f76d3e257defe3d
  SHA512: 4dd08566c1764ad6ca8b8d823fe3bb6b5ba08c37494e5c2eb16bdd086a0914a02a0890aab7607a2dd47267627f1fb74ec83c6fd4f9ce072b8a7d1d6ac52d4f5a

Filesize: 207B
  MD5:    ce17e8eb483104f5fea58ec15f920db9
  SHA1:   b85aa859d08ad090a284c5a289b81e8eee634811
  SHA256: 6a8fde7eb18312df34254a4c1359719728eeb9de63935669aaa05c0a5e0d1c77
  SHA512: 7b5110bc8f210e57762ab4bc2dd1d4547ef51dad0643cbf5e888bde00f195db7884c592a678ba93f79a08fb99f0b05b76c0e03cdeb70e9f3f29a34d3d2c960df

Filesize: 207B
  MD5:    fffaa34213f8702cb6984267d27326db
  SHA1:   1326be1ac54b1881b2d0c5254b235ca9a0697b3e
  SHA256: 35c35d60636f92724bd039e989abd6f2c755d9bd42cf40f7e3c481cf42cb9f19
  SHA512: 4e1a4ed562a2fc7be2b86c695cb66ae3edcb31f8b10d1d315ad68d9d05c8bc391bc635cc0f156859302a580183abe9ad78bd3f2d7f24bb80380549f69325c8d3

Filesize: 207B
  MD5:    211ad982c2cbcd9477fe1d11603cc458
  SHA1:   732fd9010687d632d4a51052c007e70b00706c0f
  SHA256: e6ab14dea84f6a4e0b82571ed6b7252f5c25064212ffd981eb8a4c915bbce603
  SHA512: 7ba735b392f5c0c77d1b208964f56f2f77126dab1672c11e94b24738bf4617fee9f60f0f3d9728023462170a386a080daeca051cfd54c6bfb4398cbe476ccf42

Filesize: 207B
  MD5:    da2aef0b1f47bbb23b91fa168fa3d323
  SHA1:   6287bcaeaf3c5bb3a75dad3ef3fe1a09acc31ed5
  SHA256: 585e7de60a61cefbf1008a4ffd3bd2e8f3879d3d919fc81cfe4eff78c6528b6b
  SHA512: daa020a811004ed43c24c94014708b5755dba8fe74c3e4cab4f10f8d1ca8c02743c9b2e4551859e294e1d5b0c592c634f65b50e397200e2e9a11f429307bed87

Filesize: 207B
  MD5:    c57f5b10727f725710b2aa1824395573
  SHA1:   3d9f7ff5a9b053dacf551d7860de527763721582
  SHA256: 573619802f11799f58ad5852adee9f694c170b9996c70d1721dd11cf10c88f8d
  SHA512: 378cb40f04ac3c3b21f7f26a2058fcae354ee45f23b45167aaf264d95750fc695d19597dcea021748518cbf5e71cf6f47df569b2ce60153c8e6215481139b596

Filesize: 207B
  MD5:    ffe6875af17766c9e917a74ce998dbf5
  SHA1:   dd6119c1385175e4297ac60b93eafeed59d85f58
  SHA256: e6029547bbe376cc9c64d514199eb389a9615303d2e767fa7927ee3e2a4b0782
  SHA512: d2cc86e11dd4cecc35b51f094f153457702f448ce504b072fb9ddccddec9b7055113274bc7cf6ce2d9625a2279d1a35dc528d28120b8a5da88c0f4f208121009

Filesize: 207B
  MD5:    b3bb5c4d921a9a4108b56cc24928a5fd
  SHA1:   a03e88aa55ed8c6fb7e7070128c247ebb52b0cca
  SHA256: 718a1d4707172c8b3c99d028ebf3adf30f56bb4b844a5419868528b9c35f902b
  SHA512: 47448932e2fa6b260af5ff9facc0d19f50cf56fdc037d5a02a56e871d5bf114675d8dcc5789e762d4a4c9cd2ad3be0e00ac8e70815a55019f3275bf959be386d

Filesize: 207B
  MD5:    9f99c78047e9c9872634dc2366744641
  SHA1:   dbbd80d221f99925618208e940b21ec1315665c8
  SHA256: a34b31a7edcf1a4edd161230fe9217f0993df91e5cc3915e3b696306b6e73e6b
  SHA512: e052cf93480f3ab08dba403202583c181c9d893872ca7170b03ffff3c989cf867cc7d67a2ec656ce2ae129e9d4ec172988d711ce3cc5c4e867b557f9361ae19a

Filesize: 207B
  MD5:    361908d1aada39dc8ea5247d6bbd2cfd
  SHA1:   72331c4cf22a019eb03a2c4e3d128fbc18166be8
  SHA256: 4d1e4de0d763debaf4f98895251f6a726507894984814772aecfbe10d5cb72c0
  SHA512: 25777bf925134eefe3d40ef1462d7c4d6bb7bf4ed160b345834b622e7c725a3eb5f042433fc4249d43f39e3e0ce551f866a9be82255833632afcbabad39923bc

Filesize: 207B
  MD5:    abdb165e94407d752b4669d0c5b94ebe
  SHA1:   fda45c644efd0c830f5768c55f5a239822aad7c7
  SHA256: 9c22186877a1d4202ca77e9a9bb6a858e30440a5bab445d70baafae70c7489e9
  SHA512: 5f1d341f4ff39b7508e79975bb57f990048e62074d01f448b14e130962f90ba323db75fc448e312f3c28357fb63533462506de0d0505722a09231d010c802fb3

Filesize: 207B
  MD5:    a3b6bc0e240768ddad160d589bea1940
  SHA1:   c34e0ba39ccad5f2e75215184262cd2a85ead0bc
  SHA256: 558eb8aa2191589c15a2d231e81406074aec1cb5ecb03475b3cf3511930b402d
  SHA512: e90e009a801cd813218b3716201980286166f51ade5f09415d74c10574df8cebc30e5a576eb049dfde38f4b089ac77ebbe82b8ca139344be15121598efb16db1

Filesize: 207B
  MD5:    238d9d5bff819f04b53d2d9000a7a33e
  SHA1:   5af0abfb9eb61f0b61459fd9f1bf35bd9ba18253
  SHA256: f39e29267f8472ef263cad007ce019090b11f003c77162b848581028c2f96643
  SHA512: 8a906badcc8b469b1fe72f7cc86bdb93391b617c393d24e50005b86b782c3d921d21cad1a019ebb0d656aaac1a369843d99a60675646968ed53e7e071b49c5fe

Filesize: 207B
  MD5:    c7e90174ba54ffd32ed38524473f1c04
  SHA1:   c73890265e4d5bb2c3af8ed333e2f706b8806571
  SHA256: 5275e9875d0047aaab09570a3f5a3b14b13a22c1ae331df5f040690f72f62a44
  SHA512: 540eb005464e5806fc221cc911c10c66c019abf968ff85d741fe81daeec53a33dee966ed3390cde8979905bc6171232c2962e19720b0aa757ba85d866e72741d

Filesize: 207B
  MD5:    5370b17fe026419ff4f58c83db3c016f
  SHA1:   5e744ffd1248b0d6d8cf5516eb29a986e4150af1
  SHA256: 085c538359941bcb2ba9dd3a0793fc0e466d8d49422869e1d327aff2724b01f4
  SHA512: 94b4e3ebbc1f5cdd99da030446361d7e75fd0a539de3627ab12de420e995c062d97de941864dd2affef81cf99961f5a5e6ae36f77c889f05a38062aec3dfe886

Filesize: 207B
  MD5:    7a0edb784f5741ad4f59e61a54413916
  SHA1:   9b1ab488ee805901afba7ffc646d0d7aafb19e43
  SHA256: e69be1ce51b117edb78d9ebf2a67eeff2afb6cf5069f62a39ca5ffd844f43027
  SHA512: 5a5bcd04a59fe3b7cecee98c625ae40db0e558127253facfb20d60b8041e3709c39d5c37715ba3b289a0555a13a0f49fbf51522dd8ce69311f101bebdad1fff5

Filesize: 207B
  MD5:    8d67d2a1a198cbb0b703e84e0d167360
  SHA1:   9eb988dbba44766cf86b636695fd5ef79037bd25
  SHA256: ddb7bb6f822188d3468a3ca43e90cab8cc068a56c721e4fd0a4cf2abc8954bcc
  SHA512: eda297e3e0170556a909adec3c3788e00ef991e57e4c1d5c6ee260d13c4a20fceff5958aa892ef8dfc5e382569666ccfe9c2036f7ad82b2ee219abd79fb77309

Filesize: 207B
  MD5:    b25b84b2aaa63429ef3a20e3cea61511
  SHA1:   fdb62e038be30c712d30a1e1257d90bf40fe0385
  SHA256: 845b062dfdf4d5cabe69ea80fc4f3707344eb67f121c2bc561c3b9d554591e01
  SHA512: 7a8cf50e2a86200480425fc61b4ddfe9a54082894df7cacd08e3a587ce4f66ad37f60a69091a6f81b3d235908bf17eaf0ac677bf91833cd745a139bac88f0c6a

Filesize: 207B
  MD5:    d554be7ac6714575e7c1ba462c8d9ad0
  SHA1:   6398db3a3d260aac03e63b1db3e5e3dcdc142484
  SHA256: 9679a6eaafd986bcaec6e8ee22980e3857b5dfd9a260dcd19aa340384e9900e2
  SHA512: f4332d2c2a2eb1f01efba1df5beab73acc19118c99389e3ca26fde855a9e4c0cc3c066f8876767500c460e7ac727d952c9c63e4dceadd6af59327aa32518e066

Filesize: 207B
  MD5:    b6ce16b83b0ae7daa0489a532cef8e0f
  SHA1:   f8e4ffd5c9abcd6baa6b59ab867b4ec699851090
  SHA256: 9a95629e913a2c055716c6120e336dcb5767648325eba259b5b6ab788fc87aad
  SHA512: d43a8d40781fc6dde2b4fbdc7f06e8e28d008c21b8c7e37816da907d118e43186462d0a8d1b3c7dfa6fe0fafeed2e4b6c675c022dba8d31b51dd4ad03fb9c4eb

Filesize: 207B
  MD5:    9d9c41d5c4b17a4a609d6eb9a34b4bd5
  SHA1:   30907ac1469b9eecf2b8336cedfbc1779b4fb718
  SHA256: 83a065c2bd1eb39e7db604cf84bb18e4dc812944e949851f60e3e3d3f9c2c250
  SHA512: 36e0f4bd8652086a10bebbf3bf30b612296a4effc3e89a1b6c46093e3319ad566079569c5e840f5084993803d7fa79a4b00e8ec603d322262a95ad6a0dbf5400

Filesize: 207B
  MD5:    68a62f1d02ee56458bffe98f6aae9c20
  SHA1:   dc9d3a5b267da7a944febcfe8a30323618fa9b10
  SHA256: 36294cabd4d27246bec948cab9537c3f84f214b65a9423ad7765e9e236b9b552
  SHA512: df51e4ca59074eb9ae2961d196cdba979daf5c9b01b92d332abb543253599a6538d66c86f4e6fd3e329c787483b50701b30ded03773dca7b7e9be73b6a47ccba

Filesize: 207B
  MD5:    d752d1bac9300d2198870017396fc1de
  SHA1:   26165ea95b70be10b7f5732be58880d2277f2a7f
  SHA256: 150cd05eb9dc53ddfd7cc52ba42933f9c2e4b6e98aa0537666225566e543c341
  SHA512: de5d8e816e9bd509fb38bdd5de2ae3ad365a4dc0cdb6307d7b66e0bc9d7328ce4efc74239306ccb0629685c9aeeb4e8048e99f0012b1a9492503a41a0f7e7473

Filesize: 207B
  MD5:    7ed03b424c63c99533f559bbd5dbbe50
  SHA1:   1c90b96cdd2b27a830e9310c0d5c1c95087caca1
  SHA256: 573886ba3318943e663a7443143f5574acf0c56d475f952f045410b16e92bff3
  SHA512: 8dc7d301f585a0490946c535110d40db3f02eca328418f93f597b57db30e693dcef2c78b4c187ef53745ab2b597b4c056905818b2733f4895ddfd3b622adefe6

Filesize: 207B
  MD5:    dd455c847a527b8e000979f72c4b6d69
  SHA1:   6e48ba265cd16a34bda320becd3102888b618fd5
  SHA256: d4c3d92fdbc2d305937078c532ebba66dfa454e5430e18efe1395a8ccc4c810b
  SHA512: 80b60fbfa243c1a43d721f64681c313ef6e0592faf3c328dad656772932aadbd2144e2ae1f6f55246c7734fa1f62bbe002b337e4dbd5b887be94596f71d9a650

Filesize: 3.1MB
  MD5:    7dbac71bcc7920b66e8c4fc04fbc30dd
  SHA1:   c746b4358c2a15765a010c1890979239f152d6f7
  SHA256: ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd
  SHA512: 56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24