quasar | ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd

Analysis

max time kernel
329s
max time network
330s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

7dbac71bcc7920b66e8c4fc04fbc30dd
SHA1

c746b4358c2a15765a010c1890979239f152d6f7
SHA256

ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd
SHA512

56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24
SSDEEP

49152:bvylL26AaNeWgPhlmVqvMQ7XSKB4RJ6kbR3LoGdXdTHHB72eh2NT:bvqL26AaNeWgPhlmVqkQ7XSKB4RJ6uH

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hojex31104-23437.portmap.host:23437

Mutex

de505f8f-b6d9-44cb-b9ce-7e2f491eb29e

Attributes

encryption_key
D9C52C486698B9297B9AC8B87A65EA67135BE386
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2352-1-0x0000000000840000-0x0000000000B64000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b93-5.dat	family_quasar

Checks computer location settings 2 TTPs 32 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 32 IoCs

pid	Process
4820	Client.exe
644	Client.exe
2264	Client.exe
1484	Client.exe
3264	Client.exe
5016	Client.exe
3440	Client.exe
1560	Client.exe
4216	Client.exe
4044	Client.exe
1208	Client.exe
4460	Client.exe
632	Client.exe
1780	Client.exe
648	Client.exe
4584	Client.exe
388	Client.exe
1428	Client.exe
3740	Client.exe
212	Client.exe
3144	Client.exe
1964	Client.exe
1252	Client.exe
5008	Client.exe
4408	Client.exe
3600	Client.exe
3972	Client.exe
1376	Client.exe
5020	Client.exe
4680	Client.exe
4960	Client.exe
1872	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2740	PING.EXE
2040	PING.EXE
1932	PING.EXE
840	PING.EXE
1872	PING.EXE
3132	PING.EXE
4420	PING.EXE
4084	PING.EXE
2844	PING.EXE
4140	PING.EXE
1116	PING.EXE
3128	PING.EXE
1092	PING.EXE
3884	PING.EXE
3836	PING.EXE
1456	PING.EXE
2012	PING.EXE
4168	PING.EXE
2280	PING.EXE
3256	PING.EXE
2416	PING.EXE
3544	PING.EXE
2352	PING.EXE
1308	PING.EXE
1876	PING.EXE
1956	PING.EXE
4144	PING.EXE
4924	PING.EXE
2348	PING.EXE
3408	PING.EXE
4548	PING.EXE
4976	PING.EXE

Runs ping.exe 1 TTPs 32 IoCs

Remote System Discovery

T1018

pid	Process
1876	PING.EXE
2416	PING.EXE
3836	PING.EXE
2040	PING.EXE
1308	PING.EXE
1932	PING.EXE
3544	PING.EXE
2740	PING.EXE
1116	PING.EXE
1456	PING.EXE
2844	PING.EXE
2012	PING.EXE
4976	PING.EXE
4084	PING.EXE
3884	PING.EXE
4924	PING.EXE
2348	PING.EXE
2280	PING.EXE
4140	PING.EXE
1872	PING.EXE
1956	PING.EXE
1092	PING.EXE
4144	PING.EXE
3128	PING.EXE
4548	PING.EXE
4168	PING.EXE
3132	PING.EXE
3256	PING.EXE
4420	PING.EXE
840	PING.EXE
2352	PING.EXE
3408	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2936	schtasks.exe
216	schtasks.exe
4876	schtasks.exe
4148	schtasks.exe
3980	schtasks.exe
3056	schtasks.exe
1668	schtasks.exe
2880	schtasks.exe
4496	schtasks.exe
4444	schtasks.exe
3236	schtasks.exe
2428	schtasks.exe
4792	schtasks.exe
3472	schtasks.exe
1052	schtasks.exe
2988	schtasks.exe
4360	schtasks.exe
2324	schtasks.exe
2352	schtasks.exe
2304	schtasks.exe
2936	schtasks.exe
5088	schtasks.exe
1408	schtasks.exe
2404	schtasks.exe
1296	schtasks.exe
468	schtasks.exe
5072	schtasks.exe
5100	schtasks.exe
2852	schtasks.exe
1816	schtasks.exe
4572	schtasks.exe
4868	schtasks.exe
3088	schtasks.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2352	Client-built.exe
Token: SeDebugPrivilege	4820	Client.exe
Token: SeDebugPrivilege	644	Client.exe
Token: SeDebugPrivilege	2264	Client.exe
Token: SeDebugPrivilege	1484	Client.exe
Token: SeDebugPrivilege	3264	Client.exe
Token: SeDebugPrivilege	5016	Client.exe
Token: SeDebugPrivilege	3440	Client.exe
Token: SeDebugPrivilege	1560	Client.exe
Token: SeDebugPrivilege	4216	Client.exe
Token: SeDebugPrivilege	4044	Client.exe
Token: SeDebugPrivilege	1208	Client.exe
Token: SeDebugPrivilege	4460	Client.exe
Token: SeDebugPrivilege	632	Client.exe
Token: SeDebugPrivilege	1780	Client.exe
Token: SeDebugPrivilege	648	Client.exe
Token: SeDebugPrivilege	4584	Client.exe
Token: SeDebugPrivilege	388	Client.exe
Token: SeDebugPrivilege	1428	Client.exe
Token: SeDebugPrivilege	3740	Client.exe
Token: SeDebugPrivilege	212	Client.exe
Token: SeDebugPrivilege	3144	Client.exe
Token: SeDebugPrivilege	1964	Client.exe
Token: SeDebugPrivilege	1252	Client.exe
Token: SeDebugPrivilege	5008	Client.exe
Token: SeDebugPrivilege	4408	Client.exe
Token: SeDebugPrivilege	3600	Client.exe
Token: SeDebugPrivilege	3972	Client.exe
Token: SeDebugPrivilege	1376	Client.exe
Token: SeDebugPrivilege	5020	Client.exe
Token: SeDebugPrivilege	4680	Client.exe
Token: SeDebugPrivilege	4960	Client.exe
Token: SeDebugPrivilege	1872	Client.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4820	Client.exe
644	Client.exe
2264	Client.exe
1484	Client.exe
3264	Client.exe
5016	Client.exe
3440	Client.exe
1560	Client.exe
4216	Client.exe
4044	Client.exe
1208	Client.exe
4460	Client.exe
632	Client.exe
1780	Client.exe
648	Client.exe
4584	Client.exe
388	Client.exe
1428	Client.exe
3740	Client.exe
212	Client.exe
3144	Client.exe
1964	Client.exe
1252	Client.exe
5008	Client.exe
4408	Client.exe
3600	Client.exe
3972	Client.exe
1376	Client.exe
5020	Client.exe
4680	Client.exe
4960	Client.exe
1872	Client.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4820	Client.exe
644	Client.exe
2264	Client.exe
1484	Client.exe
3264	Client.exe
5016	Client.exe
3440	Client.exe
1560	Client.exe
4216	Client.exe
4044	Client.exe
1208	Client.exe
4460	Client.exe
632	Client.exe
1780	Client.exe
648	Client.exe
4584	Client.exe
388	Client.exe
1428	Client.exe
3740	Client.exe
212	Client.exe
3144	Client.exe
1964	Client.exe
1252	Client.exe
5008	Client.exe
4408	Client.exe
3600	Client.exe
3972	Client.exe
1376	Client.exe
5020	Client.exe
4680	Client.exe
4960	Client.exe
1872	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1780	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1052	2352	Client-built.exe	82
PID 2352 wrote to memory of 1052	2352	Client-built.exe	82
PID 2352 wrote to memory of 4820	2352	Client-built.exe	84
PID 2352 wrote to memory of 4820	2352	Client-built.exe	84
PID 4820 wrote to memory of 2988	4820	Client.exe	86
PID 4820 wrote to memory of 2988	4820	Client.exe	86
PID 4820 wrote to memory of 2840	4820	Client.exe	88
PID 4820 wrote to memory of 2840	4820	Client.exe	88
PID 2840 wrote to memory of 1304	2840	cmd.exe	90
PID 2840 wrote to memory of 1304	2840	cmd.exe	90
PID 2840 wrote to memory of 2844	2840	cmd.exe	91
PID 2840 wrote to memory of 2844	2840	cmd.exe	91
PID 2840 wrote to memory of 644	2840	cmd.exe	97
PID 2840 wrote to memory of 644	2840	cmd.exe	97
PID 644 wrote to memory of 5088	644	Client.exe	99
PID 644 wrote to memory of 5088	644	Client.exe	99
PID 644 wrote to memory of 2260	644	Client.exe	102
PID 644 wrote to memory of 2260	644	Client.exe	102
PID 2260 wrote to memory of 3212	2260	cmd.exe	104
PID 2260 wrote to memory of 3212	2260	cmd.exe	104
PID 2260 wrote to memory of 2416	2260	cmd.exe	105
PID 2260 wrote to memory of 2416	2260	cmd.exe	105
PID 2260 wrote to memory of 2264	2260	cmd.exe	106
PID 2260 wrote to memory of 2264	2260	cmd.exe	106
PID 2264 wrote to memory of 2852	2264	Client.exe	107
PID 2264 wrote to memory of 2852	2264	Client.exe	107
PID 2264 wrote to memory of 4236	2264	Client.exe	109
PID 2264 wrote to memory of 4236	2264	Client.exe	109
PID 4236 wrote to memory of 2096	4236	cmd.exe	111
PID 4236 wrote to memory of 2096	4236	cmd.exe	111
PID 4236 wrote to memory of 1872	4236	cmd.exe	112
PID 4236 wrote to memory of 1872	4236	cmd.exe	112
PID 4236 wrote to memory of 1484	4236	cmd.exe	115
PID 4236 wrote to memory of 1484	4236	cmd.exe	115
PID 1484 wrote to memory of 3236	1484	Client.exe	116
PID 1484 wrote to memory of 3236	1484	Client.exe	116
PID 1484 wrote to memory of 2324	1484	Client.exe	118
PID 1484 wrote to memory of 2324	1484	Client.exe	118
PID 2324 wrote to memory of 4448	2324	cmd.exe	120
PID 2324 wrote to memory of 4448	2324	cmd.exe	120
PID 2324 wrote to memory of 3544	2324	cmd.exe	121
PID 2324 wrote to memory of 3544	2324	cmd.exe	121
PID 2324 wrote to memory of 3264	2324	cmd.exe	122
PID 2324 wrote to memory of 3264	2324	cmd.exe	122
PID 3264 wrote to memory of 4360	3264	Client.exe	123
PID 3264 wrote to memory of 4360	3264	Client.exe	123
PID 3264 wrote to memory of 3688	3264	Client.exe	125
PID 3264 wrote to memory of 3688	3264	Client.exe	125
PID 3688 wrote to memory of 32	3688	cmd.exe	127
PID 3688 wrote to memory of 32	3688	cmd.exe	127
PID 3688 wrote to memory of 2352	3688	cmd.exe	128
PID 3688 wrote to memory of 2352	3688	cmd.exe	128
PID 3688 wrote to memory of 5016	3688	cmd.exe	129
PID 3688 wrote to memory of 5016	3688	cmd.exe	129
PID 5016 wrote to memory of 2880	5016	Client.exe	130
PID 5016 wrote to memory of 2880	5016	Client.exe	130
PID 5016 wrote to memory of 3980	5016	Client.exe	132
PID 5016 wrote to memory of 3980	5016	Client.exe	132
PID 3980 wrote to memory of 4612	3980	cmd.exe	134
PID 3980 wrote to memory of 4612	3980	cmd.exe	134
PID 3980 wrote to memory of 3408	3980	cmd.exe	135
PID 3980 wrote to memory of 3408	3980	cmd.exe	135
PID 3980 wrote to memory of 3440	3980	cmd.exe	136
PID 3980 wrote to memory of 3440	3980	cmd.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1052
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pMAcY4fU7oNC.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1304
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2844
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:644
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xrx1gBu44f7p.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3212
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2416
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jitjvcCXuURY.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\p3Qt2lRHWkm1.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mneKrosNoJYZ.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:32
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vt1extg0h9o1.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3408
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3440
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\er9LZ0u8Jyur.bat" "
        15⤵
        
        PID:3696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0KBSf4S5QXU.bat" "
        17⤵
        
        PID:1320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1276
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4144
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E3OthLSgmKQb.bat" "
        19⤵
        
        PID:4300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4548
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\50xs9K2VZsGO.bat" "
        21⤵
        
        PID:4448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3884
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1208
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8qwvQacli4oo.bat" "
        23⤵
        
        PID:2700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NU5ZFtbZkeGZ.bat" "
        25⤵
        
        PID:2880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2912
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4924
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sXg4fD6qHEfH.bat" "
        27⤵
        
        PID:3388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4976
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1780
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9BuTJEmIhcwi.bat" "
        29⤵
        
        PID:2024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:648
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D7bevenF3XgL.bat" "
        31⤵
        
        PID:5008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4168
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4584
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zolc2uidacSz.bat" "
        33⤵
        
        PID:3036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4140
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:388
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4572
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QYXyuCyJCz4S.bat" "
        35⤵
        
        PID:3248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:4448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3836
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wAMolkIfip2T.bat" "
        37⤵
        
        PID:32
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:2588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2040
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3740
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jGYSOMBmKiEg.bat" "
        39⤵
        
        PID:1864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:4832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1308
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:212
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9bVHXon9S2sv.bat" "
        41⤵
        
        PID:416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:1768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1116
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qPvWC0zAEru1.bat" "
        43⤵
        
        PID:2840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:2304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3132
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1964
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8IaxqSlI8Dn1.bat" "
        45⤵
        
        PID:4240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:2024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1876
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1252
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xDynr0LPLoC3.bat" "
        47⤵
        
        PID:3520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:1652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3256
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5008
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOYxY86nSBiD.bat" "
        49⤵
        
        PID:4236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:3244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4408
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tZFXomNffil6.bat" "
        51⤵
        
        PID:3416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:4596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3128
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        52⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3600
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XvtV2NHut5Ej.bat" "
        53⤵
        
        PID:2096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:2152
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4420
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        54⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3972
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        55⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nnenzYAVe5sg.bat" "
        55⤵
        
        PID:4208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:4224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KQ5TLIzFTwmQ.bat" "
        57⤵
        
        PID:2108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:4976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\29K4AhOFn4ve.bat" "
        59⤵
        
        PID:3988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:3340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        60⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4680
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t5pNnvjG13YI.bat" "
        61⤵
        
        PID:1316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:840
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PNNHfbAzKIVF.bat" "
        63⤵
        
        PID:3520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:1312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1092
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        64⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1872
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyZ7CNECk19j.bat" "
        65⤵
        
        PID:4484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:1420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\29K4AhOFn4ve.bat

Filesize
207B

MD5
dbce2516cb901dc8b285d57489903899

SHA1
6f927fcbc5e53073c7c813d3e57b663d17c976f5

SHA256
8e16ef9d0572c0ba74651ac8b46d1d0ad2ea4b00cc93fe69560cf5d935d4463e

SHA512
2c133240de5dfd41e3f8fac2cf43d860a98f9c4de74b2725097ed9cdb0c0b6518ee24c6d64128b24e21e2e52e1aa79a53ea8d1e6fa235c18f4a6e1437e244edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\50xs9K2VZsGO.bat

Filesize
207B

MD5
a716b1dd5fb3cc6305dfc7161132e9af

SHA1
e610ab93ffc3e014e08ae3a329df2de509e700db

SHA256
99a1b34d211f1080f09a7f7f5cc1b83af5a635214c2a8c275f2757062bcff2e4

SHA512
9812fa637839f847739a15cffc753285a2762813bf0fb55eca7651fc19a2d2676a43a5f3a3cc4bd945efd17674cdcebd0c992d1bd9e2295dd6f3a6b5ba43c64c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8IaxqSlI8Dn1.bat

Filesize
207B

MD5
c2b8c2c529b1ff85159ff09fe3e012ef

SHA1
083fd9b001a52c9b0abd1171c97c48fa0ee97024

SHA256
da02bd752ba6050b52821163e24f919aad48172d16fd860d67f45f6f59fbfc39

SHA512
6e96507ca54bc2d189c066ffa9946c1875007ea5744fb0de06e62b7dcb1aa60f4a5f69fdac9866bc34c4057bdbdd6d08291c6be0e81d0ea5b95d5182d354e466

Download Submit
C:\Users\Admin\AppData\Local\Temp\8qwvQacli4oo.bat

Filesize
207B

MD5
8782662bce8ef9dad8a685cdfb366e55

SHA1
e28c25338ae97d2c497a0d9a89dff52c4f6a7e46

SHA256
ad924390032651aacdd4b0c33a16c0d2b25704eed92bd8b33c228fe45685bffa

SHA512
f0ed4d8c2e3a59c3b353e3d944bddf1d17456e81b808367fb074f9839f878f3a4874b94bc0541bb3ed990918f7521e6e2aedaa1f742e22ef96bd465bc0c6faa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BuTJEmIhcwi.bat

Filesize
207B

MD5
609ee15ad2083ab536ce2fc52f6c3d22

SHA1
d7da8d2647ba8ce81bab96a356388b147a3392d8

SHA256
efae6e6bc5db8f295f1814a84c317faefa664fcb6cd6d562e3ed8a0c6f7382c9

SHA512
b350f72e5866160f5617e5e022400a0188dd36dbb16c841ede9c868645aa97725acafa818faa67ecd1012e239fb3e9ed2a94ff05bde0273a781b3faa0e358f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bVHXon9S2sv.bat

Filesize
207B

MD5
91bba9c547b1ef679135fd290f282828

SHA1
b1ba4800aefba458fff1f922f232f9389af796c7

SHA256
9d44f5aef19549800e42ee07dd1b56e88dd59e6a48fd3f9b72a5c93fec5bd28d

SHA512
0459cfe07a2c76f7e15cb5dab02210f74fcde8eeea04bb083afcf8714c9c69d1247a4ec437377404a71c844d1c9eb51eb2ca55c4b92977fbe866d664b15e6581

Download Submit
C:\Users\Admin\AppData\Local\Temp\D7bevenF3XgL.bat

Filesize
207B

MD5
a0a0c76a35ea556f85e8d255d6dd9e02

SHA1
49b7e3d4af9b4aa5ffdf5e6af22bbb7a36e1dc84

SHA256
dedee90587333dcc040784e843b4c66b3a8a2efa95f1ab400f76d3e257defe3d

SHA512
4dd08566c1764ad6ca8b8d823fe3bb6b5ba08c37494e5c2eb16bdd086a0914a02a0890aab7607a2dd47267627f1fb74ec83c6fd4f9ce072b8a7d1d6ac52d4f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3OthLSgmKQb.bat

Filesize
207B

MD5
ce17e8eb483104f5fea58ec15f920db9

SHA1
b85aa859d08ad090a284c5a289b81e8eee634811

SHA256
6a8fde7eb18312df34254a4c1359719728eeb9de63935669aaa05c0a5e0d1c77

SHA512
7b5110bc8f210e57762ab4bc2dd1d4547ef51dad0643cbf5e888bde00f195db7884c592a678ba93f79a08fb99f0b05b76c0e03cdeb70e9f3f29a34d3d2c960df

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQ5TLIzFTwmQ.bat

Filesize
207B

MD5
fffaa34213f8702cb6984267d27326db

SHA1
1326be1ac54b1881b2d0c5254b235ca9a0697b3e

SHA256
35c35d60636f92724bd039e989abd6f2c755d9bd42cf40f7e3c481cf42cb9f19

SHA512
4e1a4ed562a2fc7be2b86c695cb66ae3edcb31f8b10d1d315ad68d9d05c8bc391bc635cc0f156859302a580183abe9ad78bd3f2d7f24bb80380549f69325c8d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NU5ZFtbZkeGZ.bat

Filesize
207B

MD5
211ad982c2cbcd9477fe1d11603cc458

SHA1
732fd9010687d632d4a51052c007e70b00706c0f

SHA256
e6ab14dea84f6a4e0b82571ed6b7252f5c25064212ffd981eb8a4c915bbce603

SHA512
7ba735b392f5c0c77d1b208964f56f2f77126dab1672c11e94b24738bf4617fee9f60f0f3d9728023462170a386a080daeca051cfd54c6bfb4398cbe476ccf42

Download Submit
C:\Users\Admin\AppData\Local\Temp\PNNHfbAzKIVF.bat

Filesize
207B

MD5
da2aef0b1f47bbb23b91fa168fa3d323

SHA1
6287bcaeaf3c5bb3a75dad3ef3fe1a09acc31ed5

SHA256
585e7de60a61cefbf1008a4ffd3bd2e8f3879d3d919fc81cfe4eff78c6528b6b

SHA512
daa020a811004ed43c24c94014708b5755dba8fe74c3e4cab4f10f8d1ca8c02743c9b2e4551859e294e1d5b0c592c634f65b50e397200e2e9a11f429307bed87

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYXyuCyJCz4S.bat

Filesize
207B

MD5
c57f5b10727f725710b2aa1824395573

SHA1
3d9f7ff5a9b053dacf551d7860de527763721582

SHA256
573619802f11799f58ad5852adee9f694c170b9996c70d1721dd11cf10c88f8d

SHA512
378cb40f04ac3c3b21f7f26a2058fcae354ee45f23b45167aaf264d95750fc695d19597dcea021748518cbf5e71cf6f47df569b2ce60153c8e6215481139b596

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vt1extg0h9o1.bat

Filesize
207B

MD5
ffe6875af17766c9e917a74ce998dbf5

SHA1
dd6119c1385175e4297ac60b93eafeed59d85f58

SHA256
e6029547bbe376cc9c64d514199eb389a9615303d2e767fa7927ee3e2a4b0782

SHA512
d2cc86e11dd4cecc35b51f094f153457702f448ce504b072fb9ddccddec9b7055113274bc7cf6ce2d9625a2279d1a35dc528d28120b8a5da88c0f4f208121009

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xrx1gBu44f7p.bat

Filesize
207B

MD5
b3bb5c4d921a9a4108b56cc24928a5fd

SHA1
a03e88aa55ed8c6fb7e7070128c247ebb52b0cca

SHA256
718a1d4707172c8b3c99d028ebf3adf30f56bb4b844a5419868528b9c35f902b

SHA512
47448932e2fa6b260af5ff9facc0d19f50cf56fdc037d5a02a56e871d5bf114675d8dcc5789e762d4a4c9cd2ad3be0e00ac8e70815a55019f3275bf959be386d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XvtV2NHut5Ej.bat

Filesize
207B

MD5
9f99c78047e9c9872634dc2366744641

SHA1
dbbd80d221f99925618208e940b21ec1315665c8

SHA256
a34b31a7edcf1a4edd161230fe9217f0993df91e5cc3915e3b696306b6e73e6b

SHA512
e052cf93480f3ab08dba403202583c181c9d893872ca7170b03ffff3c989cf867cc7d67a2ec656ce2ae129e9d4ec172988d711ce3cc5c4e867b557f9361ae19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zolc2uidacSz.bat

Filesize
207B

MD5
361908d1aada39dc8ea5247d6bbd2cfd

SHA1
72331c4cf22a019eb03a2c4e3d128fbc18166be8

SHA256
4d1e4de0d763debaf4f98895251f6a726507894984814772aecfbe10d5cb72c0

SHA512
25777bf925134eefe3d40ef1462d7c4d6bb7bf4ed160b345834b622e7c725a3eb5f042433fc4249d43f39e3e0ce551f866a9be82255833632afcbabad39923bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eOYxY86nSBiD.bat

Filesize
207B

MD5
abdb165e94407d752b4669d0c5b94ebe

SHA1
fda45c644efd0c830f5768c55f5a239822aad7c7

SHA256
9c22186877a1d4202ca77e9a9bb6a858e30440a5bab445d70baafae70c7489e9

SHA512
5f1d341f4ff39b7508e79975bb57f990048e62074d01f448b14e130962f90ba323db75fc448e312f3c28357fb63533462506de0d0505722a09231d010c802fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\er9LZ0u8Jyur.bat

Filesize
207B

MD5
a3b6bc0e240768ddad160d589bea1940

SHA1
c34e0ba39ccad5f2e75215184262cd2a85ead0bc

SHA256
558eb8aa2191589c15a2d231e81406074aec1cb5ecb03475b3cf3511930b402d

SHA512
e90e009a801cd813218b3716201980286166f51ade5f09415d74c10574df8cebc30e5a576eb049dfde38f4b089ac77ebbe82b8ca139344be15121598efb16db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGYSOMBmKiEg.bat

Filesize
207B

MD5
238d9d5bff819f04b53d2d9000a7a33e

SHA1
5af0abfb9eb61f0b61459fd9f1bf35bd9ba18253

SHA256
f39e29267f8472ef263cad007ce019090b11f003c77162b848581028c2f96643

SHA512
8a906badcc8b469b1fe72f7cc86bdb93391b617c393d24e50005b86b782c3d921d21cad1a019ebb0d656aaac1a369843d99a60675646968ed53e7e071b49c5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\jitjvcCXuURY.bat

Filesize
207B

MD5
c7e90174ba54ffd32ed38524473f1c04

SHA1
c73890265e4d5bb2c3af8ed333e2f706b8806571

SHA256
5275e9875d0047aaab09570a3f5a3b14b13a22c1ae331df5f040690f72f62a44

SHA512
540eb005464e5806fc221cc911c10c66c019abf968ff85d741fe81daeec53a33dee966ed3390cde8979905bc6171232c2962e19720b0aa757ba85d866e72741d

Download Submit
C:\Users\Admin\AppData\Local\Temp\k0KBSf4S5QXU.bat

Filesize
207B

MD5
5370b17fe026419ff4f58c83db3c016f

SHA1
5e744ffd1248b0d6d8cf5516eb29a986e4150af1

SHA256
085c538359941bcb2ba9dd3a0793fc0e466d8d49422869e1d327aff2724b01f4

SHA512
94b4e3ebbc1f5cdd99da030446361d7e75fd0a539de3627ab12de420e995c062d97de941864dd2affef81cf99961f5a5e6ae36f77c889f05a38062aec3dfe886

Download Submit
C:\Users\Admin\AppData\Local\Temp\mneKrosNoJYZ.bat

Filesize
207B

MD5
7a0edb784f5741ad4f59e61a54413916

SHA1
9b1ab488ee805901afba7ffc646d0d7aafb19e43

SHA256
e69be1ce51b117edb78d9ebf2a67eeff2afb6cf5069f62a39ca5ffd844f43027

SHA512
5a5bcd04a59fe3b7cecee98c625ae40db0e558127253facfb20d60b8041e3709c39d5c37715ba3b289a0555a13a0f49fbf51522dd8ce69311f101bebdad1fff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nnenzYAVe5sg.bat

Filesize
207B

MD5
8d67d2a1a198cbb0b703e84e0d167360

SHA1
9eb988dbba44766cf86b636695fd5ef79037bd25

SHA256
ddb7bb6f822188d3468a3ca43e90cab8cc068a56c721e4fd0a4cf2abc8954bcc

SHA512
eda297e3e0170556a909adec3c3788e00ef991e57e4c1d5c6ee260d13c4a20fceff5958aa892ef8dfc5e382569666ccfe9c2036f7ad82b2ee219abd79fb77309

Download Submit
C:\Users\Admin\AppData\Local\Temp\p3Qt2lRHWkm1.bat

Filesize
207B

MD5
b25b84b2aaa63429ef3a20e3cea61511

SHA1
fdb62e038be30c712d30a1e1257d90bf40fe0385

SHA256
845b062dfdf4d5cabe69ea80fc4f3707344eb67f121c2bc561c3b9d554591e01

SHA512
7a8cf50e2a86200480425fc61b4ddfe9a54082894df7cacd08e3a587ce4f66ad37f60a69091a6f81b3d235908bf17eaf0ac677bf91833cd745a139bac88f0c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pMAcY4fU7oNC.bat

Filesize
207B

MD5
d554be7ac6714575e7c1ba462c8d9ad0

SHA1
6398db3a3d260aac03e63b1db3e5e3dcdc142484

SHA256
9679a6eaafd986bcaec6e8ee22980e3857b5dfd9a260dcd19aa340384e9900e2

SHA512
f4332d2c2a2eb1f01efba1df5beab73acc19118c99389e3ca26fde855a9e4c0cc3c066f8876767500c460e7ac727d952c9c63e4dceadd6af59327aa32518e066

Download Submit
C:\Users\Admin\AppData\Local\Temp\qPvWC0zAEru1.bat

Filesize
207B

MD5
b6ce16b83b0ae7daa0489a532cef8e0f

SHA1
f8e4ffd5c9abcd6baa6b59ab867b4ec699851090

SHA256
9a95629e913a2c055716c6120e336dcb5767648325eba259b5b6ab788fc87aad

SHA512
d43a8d40781fc6dde2b4fbdc7f06e8e28d008c21b8c7e37816da907d118e43186462d0a8d1b3c7dfa6fe0fafeed2e4b6c675c022dba8d31b51dd4ad03fb9c4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sXg4fD6qHEfH.bat

Filesize
207B

MD5
9d9c41d5c4b17a4a609d6eb9a34b4bd5

SHA1
30907ac1469b9eecf2b8336cedfbc1779b4fb718

SHA256
83a065c2bd1eb39e7db604cf84bb18e4dc812944e949851f60e3e3d3f9c2c250

SHA512
36e0f4bd8652086a10bebbf3bf30b612296a4effc3e89a1b6c46093e3319ad566079569c5e840f5084993803d7fa79a4b00e8ec603d322262a95ad6a0dbf5400

Download Submit
C:\Users\Admin\AppData\Local\Temp\t5pNnvjG13YI.bat

Filesize
207B

MD5
68a62f1d02ee56458bffe98f6aae9c20

SHA1
dc9d3a5b267da7a944febcfe8a30323618fa9b10

SHA256
36294cabd4d27246bec948cab9537c3f84f214b65a9423ad7765e9e236b9b552

SHA512
df51e4ca59074eb9ae2961d196cdba979daf5c9b01b92d332abb543253599a6538d66c86f4e6fd3e329c787483b50701b30ded03773dca7b7e9be73b6a47ccba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tZFXomNffil6.bat

Filesize
207B

MD5
d752d1bac9300d2198870017396fc1de

SHA1
26165ea95b70be10b7f5732be58880d2277f2a7f

SHA256
150cd05eb9dc53ddfd7cc52ba42933f9c2e4b6e98aa0537666225566e543c341

SHA512
de5d8e816e9bd509fb38bdd5de2ae3ad365a4dc0cdb6307d7b66e0bc9d7328ce4efc74239306ccb0629685c9aeeb4e8048e99f0012b1a9492503a41a0f7e7473

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAMolkIfip2T.bat

Filesize
207B

MD5
7ed03b424c63c99533f559bbd5dbbe50

SHA1
1c90b96cdd2b27a830e9310c0d5c1c95087caca1

SHA256
573886ba3318943e663a7443143f5574acf0c56d475f952f045410b16e92bff3

SHA512
8dc7d301f585a0490946c535110d40db3f02eca328418f93f597b57db30e693dcef2c78b4c187ef53745ab2b597b4c056905818b2733f4895ddfd3b622adefe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xDynr0LPLoC3.bat

Filesize
207B

MD5
dd455c847a527b8e000979f72c4b6d69

SHA1
6e48ba265cd16a34bda320becd3102888b618fd5

SHA256
d4c3d92fdbc2d305937078c532ebba66dfa454e5430e18efe1395a8ccc4c810b

SHA512
80b60fbfa243c1a43d721f64681c313ef6e0592faf3c328dad656772932aadbd2144e2ae1f6f55246c7734fa1f62bbe002b337e4dbd5b887be94596f71d9a650

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
7dbac71bcc7920b66e8c4fc04fbc30dd

SHA1
c746b4358c2a15765a010c1890979239f152d6f7

SHA256
ccb74c64a45f838a6e7403d976d9b2d82afe40d96dc08952e6a374d8af3f09dd

SHA512
56ffa2c92d97ef6b247db44225f659d8894f0c4c1134a8376346eb8f0a36bbb3331803752b8e24ada28dc554ef14d2098627ae751152b9eba956bb5e4d7c0c24

Download Submit
memory/2352-0-0x00007FF8C10F3000-0x00007FF8C10F5000-memory.dmp

Filesize
8KB

Download
memory/2352-2-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/2352-8-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/2352-1-0x0000000000840000-0x0000000000B64000-memory.dmp

Filesize
3.1MB

Download
memory/4820-9-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4820-10-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4820-17-0x00007FF8C10F0000-0x00007FF8C1BB1000-memory.dmp

Filesize
10.8MB

Download
memory/4820-11-0x000000001C780000-0x000000001C7D0000-memory.dmp

Filesize
320KB

Download
memory/4820-12-0x000000001C890000-0x000000001C942000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads