quasar | 7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335

Analysis

max time kernel
1195s
max time network
905s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sp00fer.exe
Size

3.1MB
MD5

a121d9d691a400786000dee14a808ab1
SHA1

14ab065be3cfe0a7aa7808cb8891f7c75affc395
SHA256

7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335
SHA512

e0a162b3d00ef69b96bd4a43f9a0c3297005e8a8db84233010d420bf87ff337ed4139b4cc27594fdd194416a03fe8a7be90b03a8f10e34b72f70d399d6917929
SSDEEP

49152:zvulL26AaNeWgPhlmVqvMQ7XSKLCO1JRLoGdFTHHB72eh2NT:zveL26AaNeWgPhlmVqkQ7XSKLCE

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-51954.portmap.host:51954

Mutex

6dc28d35-3024-44a7-a559-f9991015fa39

Attributes

encryption_key
3107DF2D44BB6914C55BEA57D100135AB0F278DF
install_name
Client.exe
log_directory
Logs
reconnect_delay
799
startup_key
Quasar Client Startup
subdirectory
Common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 62 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-1-0x00000000000D0000-0x00000000003F4000-memory.dmp	family_quasar
C:\Program Files\Common Files\Client.exe	family_quasar
behavioral1/memory/2340-9-0x0000000000CC0000-0x0000000000FE4000-memory.dmp	family_quasar
behavioral1/memory/2656-23-0x0000000000050000-0x0000000000374000-memory.dmp	family_quasar
behavioral1/memory/2812-34-0x0000000000EA0000-0x00000000011C4000-memory.dmp	family_quasar
behavioral1/memory/2852-45-0x00000000013C0000-0x00000000016E4000-memory.dmp	family_quasar
behavioral1/memory/668-56-0x00000000003A0000-0x00000000006C4000-memory.dmp	family_quasar
behavioral1/memory/944-68-0x00000000008A0000-0x0000000000BC4000-memory.dmp	family_quasar
behavioral1/memory/2148-79-0x0000000000C30000-0x0000000000F54000-memory.dmp	family_quasar
behavioral1/memory/2084-90-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/memory/2788-102-0x0000000000E50000-0x0000000001174000-memory.dmp	family_quasar
behavioral1/memory/1812-113-0x0000000000210000-0x0000000000534000-memory.dmp	family_quasar
behavioral1/memory/316-125-0x0000000000A70000-0x0000000000D94000-memory.dmp	family_quasar
behavioral1/memory/772-137-0x0000000001260000-0x0000000001584000-memory.dmp	family_quasar
behavioral1/memory/1816-149-0x0000000000010000-0x0000000000334000-memory.dmp	family_quasar
behavioral1/memory/2288-160-0x0000000000230000-0x0000000000554000-memory.dmp	family_quasar
behavioral1/memory/2420-172-0x00000000012F0000-0x0000000001614000-memory.dmp	family_quasar
behavioral1/memory/2868-214-0x0000000000280000-0x00000000005A4000-memory.dmp	family_quasar
behavioral1/memory/408-223-0x0000000000B10000-0x0000000000E34000-memory.dmp	family_quasar
behavioral1/memory/1964-232-0x0000000000130000-0x0000000000454000-memory.dmp	family_quasar
behavioral1/memory/3060-241-0x0000000001280000-0x00000000015A4000-memory.dmp	family_quasar
behavioral1/memory/1048-250-0x0000000000070000-0x0000000000394000-memory.dmp	family_quasar
behavioral1/memory/1576-259-0x0000000000C20000-0x0000000000F44000-memory.dmp	family_quasar
behavioral1/memory/2508-268-0x00000000013A0000-0x00000000016C4000-memory.dmp	family_quasar
behavioral1/memory/680-349-0x0000000000300000-0x0000000000624000-memory.dmp	family_quasar
behavioral1/memory/3056-358-0x0000000000D30000-0x0000000001054000-memory.dmp	family_quasar
behavioral1/memory/1308-383-0x0000000001080000-0x00000000013A4000-memory.dmp	family_quasar
behavioral1/memory/1696-400-0x0000000000260000-0x0000000000584000-memory.dmp	family_quasar
behavioral1/memory/2924-409-0x0000000001210000-0x0000000001534000-memory.dmp	family_quasar
behavioral1/memory/1332-442-0x0000000000090000-0x00000000003B4000-memory.dmp	family_quasar
behavioral1/memory/820-451-0x0000000000B80000-0x0000000000EA4000-memory.dmp	family_quasar
behavioral1/memory/2704-460-0x00000000010B0000-0x00000000013D4000-memory.dmp	family_quasar
behavioral1/memory/2776-469-0x00000000012E0000-0x0000000001604000-memory.dmp	family_quasar
behavioral1/memory/2480-486-0x0000000000D50000-0x0000000001074000-memory.dmp	family_quasar
behavioral1/memory/2700-495-0x0000000000030000-0x0000000000354000-memory.dmp	family_quasar
behavioral1/memory/560-504-0x0000000001140000-0x0000000001464000-memory.dmp	family_quasar
behavioral1/memory/1160-513-0x0000000001240000-0x0000000001564000-memory.dmp	family_quasar
behavioral1/memory/1548-530-0x00000000012B0000-0x00000000015D4000-memory.dmp	family_quasar
behavioral1/memory/2000-587-0x00000000002E0000-0x0000000000604000-memory.dmp	family_quasar
behavioral1/memory/1656-596-0x0000000000390000-0x00000000006B4000-memory.dmp	family_quasar
behavioral1/memory/1200-621-0x0000000001000000-0x0000000001324000-memory.dmp	family_quasar
behavioral1/memory/2028-638-0x0000000000850000-0x0000000000B74000-memory.dmp	family_quasar
behavioral1/memory/2628-671-0x0000000000DA0000-0x00000000010C4000-memory.dmp	family_quasar
behavioral1/memory/2972-680-0x0000000000E60000-0x0000000001184000-memory.dmp	family_quasar
behavioral1/memory/1608-697-0x0000000000360000-0x0000000000684000-memory.dmp	family_quasar
behavioral1/memory/2304-706-0x0000000000040000-0x0000000000364000-memory.dmp	family_quasar
behavioral1/memory/1476-715-0x0000000000E70000-0x0000000001194000-memory.dmp	family_quasar
behavioral1/memory/2988-724-0x0000000000170000-0x0000000000494000-memory.dmp	family_quasar
behavioral1/memory/960-773-0x0000000001370000-0x0000000001694000-memory.dmp	family_quasar
behavioral1/memory/2552-806-0x0000000000190000-0x00000000004B4000-memory.dmp	family_quasar
behavioral1/memory/1980-815-0x0000000000F20000-0x0000000001244000-memory.dmp	family_quasar
behavioral1/memory/448-824-0x0000000001090000-0x00000000013B4000-memory.dmp	family_quasar
behavioral1/memory/2680-833-0x00000000000E0000-0x0000000000404000-memory.dmp	family_quasar
behavioral1/memory/1704-842-0x0000000001390000-0x00000000016B4000-memory.dmp	family_quasar
behavioral1/memory/2448-939-0x00000000001C0000-0x00000000004E4000-memory.dmp	family_quasar
behavioral1/memory/2996-948-0x0000000000080000-0x00000000003A4000-memory.dmp	family_quasar
behavioral1/memory/2296-957-0x00000000009A0000-0x0000000000CC4000-memory.dmp	family_quasar
behavioral1/memory/1996-974-0x00000000013B0000-0x00000000016D4000-memory.dmp	family_quasar
behavioral1/memory/848-1007-0x00000000002B0000-0x00000000005D4000-memory.dmp	family_quasar
behavioral1/memory/3064-1016-0x0000000000EC0000-0x00000000011E4000-memory.dmp	family_quasar
behavioral1/memory/1972-1041-0x0000000000240000-0x0000000000564000-memory.dmp	family_quasar
behavioral1/memory/2676-1050-0x0000000000A90000-0x0000000000DB4000-memory.dmp	family_quasar

Executes dropped EXE 64 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
2340	Client.exe
2656	Client.exe
2812	Client.exe
2852	Client.exe
668	Client.exe
944	Client.exe
2148	Client.exe
2084	Client.exe
2788	Client.exe
1812	Client.exe
316	Client.exe
772	Client.exe
1816	Client.exe
2288	Client.exe
2420	Client.exe
612	Client.exe
1652	Client.exe
1764	Client.exe
2868	Client.exe
408	Client.exe
1964	Client.exe
3060	Client.exe
1048	Client.exe
1576	Client.exe
2508	Client.exe
1864	Client.exe
1044	Client.exe
1880	Client.exe
2464	Client.exe
2128	Client.exe
2640	Client.exe
376	Client.exe
1284	Client.exe
2948	Client.exe
680	Client.exe
3056	Client.exe
2708	Client.exe
1596	Client.exe
1308	Client.exe
536	Client.exe
1696	Client.exe
2924	Client.exe
2644	Client.exe
2980	Client.exe
2336	Client.exe
1332	Client.exe
820	Client.exe
2704	Client.exe
2776	Client.exe
2388	Client.exe
2480	Client.exe
2700	Client.exe
560	Client.exe
1160	Client.exe
2660	Client.exe
1548	Client.exe
1820	Client.exe
1868	Client.exe
292	Client.exe
2244	Client.exe
2728	Client.exe
2208	Client.exe
2000	Client.exe
1656	Client.exe

Drops file in Program Files directory 64 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1360	PING.EXE
2164	PING.EXE
1224	PING.EXE
1668	PING.EXE
2696	PING.EXE
1428	PING.EXE
2648	PING.EXE
844	PING.EXE
2968	PING.EXE
2200	PING.EXE
2664	PING.EXE
2936	PING.EXE
1712	PING.EXE
1316	PING.EXE
800	PING.EXE
2276	PING.EXE
2220	PING.EXE
2624	PING.EXE
1592	PING.EXE
2076	PING.EXE
2404	PING.EXE
2200	PING.EXE
1908	PING.EXE
1708	PING.EXE
2760	PING.EXE
1992	PING.EXE
880	PING.EXE
3024	PING.EXE
2844	PING.EXE
2608	PING.EXE
2488	PING.EXE
1884	PING.EXE
2492	PING.EXE
800	PING.EXE
2112	PING.EXE
2060	PING.EXE
1212	PING.EXE
1452	PING.EXE
2112	PING.EXE
1440	PING.EXE
1784	PING.EXE
2968	PING.EXE
1252	PING.EXE
2896	PING.EXE
324	PING.EXE
3064	PING.EXE
2008	PING.EXE
2068	PING.EXE
1704	PING.EXE
844	PING.EXE
2784	PING.EXE
408	PING.EXE
2736	PING.EXE
2240	PING.EXE
2436	PING.EXE
2588	PING.EXE
1928	PING.EXE
2488	PING.EXE
1084	PING.EXE
1088	PING.EXE
2008	PING.EXE
1360	PING.EXE
612	PING.EXE
2184	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1552	schtasks.exe
2564	schtasks.exe
2412	schtasks.exe
2696	schtasks.exe
2800	schtasks.exe
2888	schtasks.exe
1260	schtasks.exe
1040	schtasks.exe
2676	schtasks.exe
1972	schtasks.exe
1332	schtasks.exe
2432	schtasks.exe
2780	schtasks.exe
2020	schtasks.exe
1064	schtasks.exe
2432	schtasks.exe
2988	schtasks.exe
3000	schtasks.exe
988	schtasks.exe
2008	schtasks.exe
1376	schtasks.exe
1460	schtasks.exe
752	schtasks.exe
2320	schtasks.exe
1784	schtasks.exe
2408	schtasks.exe
1644	schtasks.exe
448	schtasks.exe
756	schtasks.exe
2996	schtasks.exe
1908	schtasks.exe
2648	schtasks.exe
2784	schtasks.exe
3052	schtasks.exe
1732	schtasks.exe
816	schtasks.exe
264	schtasks.exe
2360	schtasks.exe
2564	schtasks.exe
2660	schtasks.exe
2648	schtasks.exe
2896	schtasks.exe
2912	schtasks.exe
2200	schtasks.exe
2472	schtasks.exe
2108	schtasks.exe
2420	schtasks.exe
292	schtasks.exe
780	schtasks.exe
2780	schtasks.exe
268	schtasks.exe
1628	schtasks.exe
2808	schtasks.exe
1952	schtasks.exe
2296	schtasks.exe
2188	schtasks.exe
1364	schtasks.exe
3048	schtasks.exe
2368	schtasks.exe
1796	schtasks.exe
2488	schtasks.exe
2616	schtasks.exe
896	schtasks.exe
2484	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sp00fer.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2020	sp00fer.exe
Token: SeDebugPrivilege	2340	Client.exe
Token: SeDebugPrivilege	2656	Client.exe
Token: SeDebugPrivilege	2812	Client.exe
Token: SeDebugPrivilege	2852	Client.exe
Token: SeDebugPrivilege	668	Client.exe
Token: SeDebugPrivilege	944	Client.exe
Token: SeDebugPrivilege	2148	Client.exe
Token: SeDebugPrivilege	2084	Client.exe
Token: SeDebugPrivilege	2788	Client.exe
Token: SeDebugPrivilege	1812	Client.exe
Token: SeDebugPrivilege	316	Client.exe
Token: SeDebugPrivilege	772	Client.exe
Token: SeDebugPrivilege	1816	Client.exe
Token: SeDebugPrivilege	2288	Client.exe
Token: SeDebugPrivilege	2420	Client.exe
Token: SeDebugPrivilege	612	Client.exe
Token: SeDebugPrivilege	1652	Client.exe
Token: SeDebugPrivilege	1764	Client.exe
Token: SeDebugPrivilege	2868	Client.exe
Token: SeDebugPrivilege	408	Client.exe
Token: SeDebugPrivilege	1964	Client.exe
Token: SeDebugPrivilege	3060	Client.exe
Token: SeDebugPrivilege	1048	Client.exe
Token: SeDebugPrivilege	1576	Client.exe
Token: SeDebugPrivilege	2508	Client.exe
Token: SeDebugPrivilege	1864	Client.exe
Token: SeDebugPrivilege	1044	Client.exe
Token: SeDebugPrivilege	1880	Client.exe
Token: SeDebugPrivilege	2464	Client.exe
Token: SeDebugPrivilege	2128	Client.exe
Token: SeDebugPrivilege	2640	Client.exe
Token: SeDebugPrivilege	376	Client.exe
Token: SeDebugPrivilege	1284	Client.exe
Token: SeDebugPrivilege	2948	Client.exe
Token: SeDebugPrivilege	680	Client.exe
Token: SeDebugPrivilege	3056	Client.exe
Token: SeDebugPrivilege	2708	Client.exe
Token: SeDebugPrivilege	1596	Client.exe
Token: SeDebugPrivilege	1308	Client.exe
Token: SeDebugPrivilege	536	Client.exe
Token: SeDebugPrivilege	1696	Client.exe
Token: SeDebugPrivilege	2924	Client.exe
Token: SeDebugPrivilege	2644	Client.exe
Token: SeDebugPrivilege	2980	Client.exe
Token: SeDebugPrivilege	2336	Client.exe
Token: SeDebugPrivilege	1332	Client.exe
Token: SeDebugPrivilege	820	Client.exe
Token: SeDebugPrivilege	2704	Client.exe
Token: SeDebugPrivilege	2776	Client.exe
Token: SeDebugPrivilege	2388	Client.exe
Token: SeDebugPrivilege	2480	Client.exe
Token: SeDebugPrivilege	2700	Client.exe
Token: SeDebugPrivilege	560	Client.exe
Token: SeDebugPrivilege	1160	Client.exe
Token: SeDebugPrivilege	2660	Client.exe
Token: SeDebugPrivilege	1548	Client.exe
Token: SeDebugPrivilege	1820	Client.exe
Token: SeDebugPrivilege	1868	Client.exe
Token: SeDebugPrivilege	292	Client.exe
Token: SeDebugPrivilege	2244	Client.exe
Token: SeDebugPrivilege	2728	Client.exe
Token: SeDebugPrivilege	2208	Client.exe
Token: SeDebugPrivilege	2000	Client.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

pid	process
2340	Client.exe
2656	Client.exe
2812	Client.exe
2852	Client.exe
668	Client.exe
944	Client.exe
2148	Client.exe
2084	Client.exe
2788	Client.exe
1812	Client.exe
316	Client.exe
772	Client.exe
1816	Client.exe
2288	Client.exe
2420	Client.exe
612	Client.exe
1652	Client.exe
1764	Client.exe
2868	Client.exe
408	Client.exe
1964	Client.exe
3060	Client.exe
1048	Client.exe
1576	Client.exe
2508	Client.exe
1864	Client.exe
1044	Client.exe
1880	Client.exe
2464	Client.exe
2128	Client.exe
2640	Client.exe
376	Client.exe
1284	Client.exe
2948	Client.exe
680	Client.exe
3056	Client.exe
2708	Client.exe
1596	Client.exe
1308	Client.exe
536	Client.exe
1696	Client.exe
2924	Client.exe
2644	Client.exe
2980	Client.exe
2336	Client.exe
1332	Client.exe
820	Client.exe
2704	Client.exe
2776	Client.exe
2388	Client.exe
2480	Client.exe
2700	Client.exe
560	Client.exe
1160	Client.exe
2660	Client.exe
1548	Client.exe
1820	Client.exe
1868	Client.exe
292	Client.exe
2244	Client.exe
2728	Client.exe
2208	Client.exe
2000	Client.exe
1656	Client.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

pid	process
2340	Client.exe
2656	Client.exe
2812	Client.exe
2852	Client.exe
668	Client.exe
944	Client.exe
2148	Client.exe
2084	Client.exe
2788	Client.exe
1812	Client.exe
316	Client.exe
772	Client.exe
1816	Client.exe
2288	Client.exe
2420	Client.exe
612	Client.exe
1652	Client.exe
1764	Client.exe
2868	Client.exe
408	Client.exe
1964	Client.exe
3060	Client.exe
1048	Client.exe
1576	Client.exe
2508	Client.exe
1864	Client.exe
1044	Client.exe
1880	Client.exe
2464	Client.exe
2128	Client.exe
2640	Client.exe
376	Client.exe
1284	Client.exe
2948	Client.exe
680	Client.exe
3056	Client.exe
2708	Client.exe
1596	Client.exe
1308	Client.exe
536	Client.exe
1696	Client.exe
2924	Client.exe
2644	Client.exe
2980	Client.exe
2336	Client.exe
1332	Client.exe
820	Client.exe
2704	Client.exe
2776	Client.exe
2388	Client.exe
2480	Client.exe
2700	Client.exe
560	Client.exe
1160	Client.exe
2660	Client.exe
1548	Client.exe
1820	Client.exe
1868	Client.exe
292	Client.exe
2244	Client.exe
2728	Client.exe
2208	Client.exe
2000	Client.exe
1656	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sp00fer.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 2420	2020	sp00fer.exe	schtasks.exe
PID 2020 wrote to memory of 2420	2020	sp00fer.exe	schtasks.exe
PID 2020 wrote to memory of 2420	2020	sp00fer.exe	schtasks.exe
PID 2020 wrote to memory of 2340	2020	sp00fer.exe	Client.exe
PID 2020 wrote to memory of 2340	2020	sp00fer.exe	Client.exe
PID 2020 wrote to memory of 2340	2020	sp00fer.exe	Client.exe
PID 2340 wrote to memory of 2648	2340	Client.exe	schtasks.exe
PID 2340 wrote to memory of 2648	2340	Client.exe	schtasks.exe
PID 2340 wrote to memory of 2648	2340	Client.exe	schtasks.exe
PID 2340 wrote to memory of 2792	2340	Client.exe	cmd.exe
PID 2340 wrote to memory of 2792	2340	Client.exe	cmd.exe
PID 2340 wrote to memory of 2792	2340	Client.exe	cmd.exe
PID 2792 wrote to memory of 2088	2792	cmd.exe	chcp.com
PID 2792 wrote to memory of 2088	2792	cmd.exe	chcp.com
PID 2792 wrote to memory of 2088	2792	cmd.exe	chcp.com
PID 2792 wrote to memory of 2636	2792	cmd.exe	PING.EXE
PID 2792 wrote to memory of 2636	2792	cmd.exe	PING.EXE
PID 2792 wrote to memory of 2636	2792	cmd.exe	PING.EXE
PID 2792 wrote to memory of 2656	2792	cmd.exe	Client.exe
PID 2792 wrote to memory of 2656	2792	cmd.exe	Client.exe
PID 2792 wrote to memory of 2656	2792	cmd.exe	Client.exe
PID 2656 wrote to memory of 1972	2656	Client.exe	schtasks.exe
PID 2656 wrote to memory of 1972	2656	Client.exe	schtasks.exe
PID 2656 wrote to memory of 1972	2656	Client.exe	schtasks.exe
PID 2656 wrote to memory of 3016	2656	Client.exe	cmd.exe
PID 2656 wrote to memory of 3016	2656	Client.exe	cmd.exe
PID 2656 wrote to memory of 3016	2656	Client.exe	cmd.exe
PID 3016 wrote to memory of 1200	3016	cmd.exe	chcp.com
PID 3016 wrote to memory of 1200	3016	cmd.exe	chcp.com
PID 3016 wrote to memory of 1200	3016	cmd.exe	chcp.com
PID 3016 wrote to memory of 1812	3016	cmd.exe	PING.EXE
PID 3016 wrote to memory of 1812	3016	cmd.exe	PING.EXE
PID 3016 wrote to memory of 1812	3016	cmd.exe	PING.EXE
PID 3016 wrote to memory of 2812	3016	cmd.exe	Client.exe
PID 3016 wrote to memory of 2812	3016	cmd.exe	Client.exe
PID 3016 wrote to memory of 2812	3016	cmd.exe	Client.exe
PID 2812 wrote to memory of 1596	2812	Client.exe	schtasks.exe
PID 2812 wrote to memory of 1596	2812	Client.exe	schtasks.exe
PID 2812 wrote to memory of 1596	2812	Client.exe	schtasks.exe
PID 2812 wrote to memory of 2028	2812	Client.exe	cmd.exe
PID 2812 wrote to memory of 2028	2812	Client.exe	cmd.exe
PID 2812 wrote to memory of 2028	2812	Client.exe	cmd.exe
PID 2028 wrote to memory of 1476	2028	cmd.exe	chcp.com
PID 2028 wrote to memory of 1476	2028	cmd.exe	chcp.com
PID 2028 wrote to memory of 1476	2028	cmd.exe	chcp.com
PID 2028 wrote to memory of 1360	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 1360	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 1360	2028	cmd.exe	PING.EXE
PID 2028 wrote to memory of 2852	2028	cmd.exe	Client.exe
PID 2028 wrote to memory of 2852	2028	cmd.exe	Client.exe
PID 2028 wrote to memory of 2852	2028	cmd.exe	Client.exe
PID 2852 wrote to memory of 816	2852	Client.exe	schtasks.exe
PID 2852 wrote to memory of 816	2852	Client.exe	schtasks.exe
PID 2852 wrote to memory of 816	2852	Client.exe	schtasks.exe
PID 2852 wrote to memory of 2096	2852	Client.exe	cmd.exe
PID 2852 wrote to memory of 2096	2852	Client.exe	cmd.exe
PID 2852 wrote to memory of 2096	2852	Client.exe	cmd.exe
PID 2096 wrote to memory of 1988	2096	cmd.exe	chcp.com
PID 2096 wrote to memory of 1988	2096	cmd.exe	chcp.com
PID 2096 wrote to memory of 1988	2096	cmd.exe	chcp.com
PID 2096 wrote to memory of 1864	2096	cmd.exe	PING.EXE
PID 2096 wrote to memory of 1864	2096	cmd.exe	PING.EXE
PID 2096 wrote to memory of 1864	2096	cmd.exe	PING.EXE
PID 2096 wrote to memory of 668	2096	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sp00fer.exe
"C:\Users\Admin\AppData\Local\Temp\sp00fer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QgRYu8XkixsI.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2088

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
PID:2636

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DCdLUOfPtAWT.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1200

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
PID:1812

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
7⤵
PID:1596

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JES2OJ5AlNvR.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:1476

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:1360

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NrgzEmf3vT8D.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1988

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
PID:1864

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:668

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
11⤵
PID:300

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NPNcEMLGIDOV.bat" "
11⤵
PID:2000

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:948

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:408

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:944

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VSaK6BsdO5HS.bat" "
13⤵
PID:680

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:1916

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
PID:1892

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2148

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
15⤵
PID:1504

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\q3ssle8pWLKP.bat" "
15⤵
PID:1736

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2440

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:2060

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
16⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2084

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BxF8TPj72Bvj.bat" "
17⤵
PID:2724

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2864

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:612

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
18⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2788

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Im4pvohi1Crg.bat" "
19⤵
PID:2540

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2596

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
PID:1652

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1812

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
21⤵
PID:1224

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1tjLsHvlbGBD.bat" "
21⤵
PID:1644

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:1476

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2588

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:316

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmOTIb3kldzL.bat" "
23⤵
PID:2868

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:2392

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
PID:2256

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
24⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:772

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QIjYzwQ42Z9F.bat" "
25⤵
PID:1656

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:840

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
PID:2484

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1816

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
27⤵
PID:576

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FJWWaKGavioN.bat" "
27⤵
PID:1160

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:1328

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
PID:2436

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2288

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
29⤵
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wd4FUKrPJxew.bat" "
29⤵
PID:2440

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:2452

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:844

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2420

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
31⤵
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\x6g5YWHPYIIi.bat" "
31⤵
PID:2068

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:1628

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
PID:1088

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:612

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
33⤵
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fjqFj0HmoEim.bat" "
33⤵
PID:2636

C:\Windows\system32\chcp.com
chcp 65001
34⤵
PID:2580

C:\Windows\system32\PING.EXE
ping -n 10 localhost
34⤵
PID:2824

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1652

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
35⤵
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cfNa7oQkuiZg.bat" "
35⤵
PID:1740

C:\Windows\system32\chcp.com
chcp 65001
36⤵
PID:1476

C:\Windows\system32\PING.EXE
ping -n 10 localhost
36⤵
PID:1308

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
36⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1764

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
37⤵
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PEYdhoaeOXf8.bat" "
37⤵
PID:1756

C:\Windows\system32\chcp.com
chcp 65001
38⤵
PID:1668

C:\Windows\system32\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:2112

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
39⤵
PID:2700

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6ioLPO1Zr2Kq.bat" "
39⤵
PID:1460

C:\Windows\system32\chcp.com
chcp 65001
40⤵
PID:1912

C:\Windows\system32\PING.EXE
ping -n 10 localhost
40⤵
PID:868

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
40⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:408

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
41⤵
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nF7cMDcwOZnu.bat" "
41⤵
PID:800

C:\Windows\system32\chcp.com
chcp 65001
42⤵
PID:828

C:\Windows\system32\PING.EXE
ping -n 10 localhost
42⤵
PID:756

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
42⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1964

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
43⤵
PID:1160

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1QeM9VAuG6w4.bat" "
43⤵
PID:1060

C:\Windows\system32\chcp.com
chcp 65001
44⤵
PID:1608

C:\Windows\system32\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:2220

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
44⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3060

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
45⤵
PID:2252

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\O0nHL2rN8lsh.bat" "
45⤵
PID:2916

C:\Windows\system32\chcp.com
chcp 65001
46⤵
PID:2660

C:\Windows\system32\PING.EXE
ping -n 10 localhost
46⤵
PID:2128

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
46⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1048

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
47⤵
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WmsjofwZJhFH.bat" "
47⤵
PID:2536

C:\Windows\system32\chcp.com
chcp 65001
48⤵
PID:2692

C:\Windows\system32\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:2736

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
48⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1576

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
49⤵
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GYytgcbQkxep.bat" "
49⤵
PID:376

C:\Windows\system32\chcp.com
chcp 65001
50⤵
PID:1992

C:\Windows\system32\PING.EXE
ping -n 10 localhost
50⤵
PID:2044

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
50⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2508

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
51⤵
PID:2404

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9sBlTwlaEOsz.bat" "
51⤵
PID:1284

C:\Windows\system32\chcp.com
chcp 65001
52⤵
PID:2028

C:\Windows\system32\PING.EXE
ping -n 10 localhost
52⤵
PID:1372

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
52⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1864

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
53⤵
PID:2348

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zdLnro68UX0f.bat" "
53⤵
PID:1452

C:\Windows\system32\chcp.com
chcp 65001
54⤵
PID:932

C:\Windows\system32\PING.EXE
ping -n 10 localhost
54⤵
PID:748

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1044

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
55⤵
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RpkR7A2ov1Kw.bat" "
55⤵
PID:848

C:\Windows\system32\chcp.com
chcp 65001
56⤵
PID:1656

C:\Windows\system32\PING.EXE
ping -n 10 localhost
56⤵
PID:576

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
56⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1880

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
57⤵
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\feGSUUNpl4vL.bat" "
57⤵
PID:2064

C:\Windows\system32\chcp.com
chcp 65001
58⤵
PID:3064

C:\Windows\system32\PING.EXE
ping -n 10 localhost
58⤵
PID:1724

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
58⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2464

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
59⤵
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ug1nigOUrpRu.bat" "
59⤵
PID:1464

C:\Windows\system32\chcp.com
chcp 65001
60⤵
PID:2808

C:\Windows\system32\PING.EXE
ping -n 10 localhost
60⤵
PID:2660

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
60⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2128

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
61⤵
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GLq3QkdvJzuh.bat" "
61⤵
PID:2896

C:\Windows\system32\chcp.com
chcp 65001
62⤵
PID:2216

C:\Windows\system32\PING.EXE
ping -n 10 localhost
62⤵
PID:2520

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
62⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2640

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
63⤵
PID:2572

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gj09BPDQZsEB.bat" "
63⤵
PID:1624

C:\Windows\system32\chcp.com
chcp 65001
64⤵
PID:2332

C:\Windows\system32\PING.EXE
ping -n 10 localhost
64⤵
- Runs ping.exe
PID:1360

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
64⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:376

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
65⤵
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\56XK20SDirD8.bat" "
65⤵
PID:1692

C:\Windows\system32\chcp.com
chcp 65001
66⤵
PID:2392

C:\Windows\system32\PING.EXE
ping -n 10 localhost
66⤵
- Runs ping.exe
PID:2844

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
66⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1284

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
67⤵
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CBNebGtFyYjR.bat" "
67⤵
PID:484

C:\Windows\system32\chcp.com
chcp 65001
68⤵
PID:1316

C:\Windows\system32\PING.EXE
ping -n 10 localhost
68⤵
- Runs ping.exe
PID:2968

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
68⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2948

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
69⤵
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\exCh1nbx8cU5.bat" "
69⤵
PID:448

C:\Windows\system32\chcp.com
chcp 65001
70⤵
PID:2024

C:\Windows\system32\PING.EXE
ping -n 10 localhost
70⤵
PID:1712

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
70⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:680

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
71⤵
PID:1956

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JgkUUkacFyOD.bat" "
71⤵
PID:400

C:\Windows\system32\chcp.com
chcp 65001
72⤵
PID:1068

C:\Windows\system32\PING.EXE
ping -n 10 localhost
72⤵
- Runs ping.exe
PID:1884

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
72⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3056

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
73⤵
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mk7S78LKNuuc.bat" "
73⤵
PID:1092

C:\Windows\system32\chcp.com
chcp 65001
74⤵
PID:2292

C:\Windows\system32\PING.EXE
ping -n 10 localhost
74⤵
- Runs ping.exe
PID:2608

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
74⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2708

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
75⤵
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\x6N6sGf86s9W.bat" "
75⤵
PID:2520

C:\Windows\system32\chcp.com
chcp 65001
76⤵
PID:1672

C:\Windows\system32\PING.EXE
ping -n 10 localhost
76⤵
- Runs ping.exe
PID:1708

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
76⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1596

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
77⤵
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uWnXaMnQRdkW.bat" "
77⤵
PID:1624

C:\Windows\system32\chcp.com
chcp 65001
78⤵
PID:2404

C:\Windows\system32\PING.EXE
ping -n 10 localhost
78⤵
- Runs ping.exe
PID:2696

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
78⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1308

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
79⤵
PID:1528

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8u5vKSAzCgif.bat" "
79⤵
PID:3012

C:\Windows\system32\chcp.com
chcp 65001
80⤵
PID:604

C:\Windows\system32\PING.EXE
ping -n 10 localhost
80⤵
PID:544

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
80⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:536

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
81⤵
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KWZdMpV7hP4z.bat" "
81⤵
PID:1572

C:\Windows\system32\chcp.com
chcp 65001
82⤵
PID:2444

C:\Windows\system32\PING.EXE
ping -n 10 localhost
82⤵
PID:308

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
82⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1696

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
83⤵
PID:576

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\06gbc4VOjpZj.bat" "
83⤵
PID:2140

C:\Windows\system32\chcp.com
chcp 65001
84⤵
PID:1664

C:\Windows\system32\PING.EXE
ping -n 10 localhost
84⤵
PID:1500

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
84⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2924

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
85⤵
PID:2436

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Kl4Ca7bgrea4.bat" "
85⤵
PID:2020

C:\Windows\system32\chcp.com
chcp 65001
86⤵
PID:2808

C:\Windows\system32\PING.EXE
ping -n 10 localhost
86⤵
- Runs ping.exe
PID:2624

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
86⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2644

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
87⤵
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1WrdTlk4MdFr.bat" "
87⤵
PID:2388

C:\Windows\system32\chcp.com
chcp 65001
88⤵
PID:2628

C:\Windows\system32\PING.EXE
ping -n 10 localhost
88⤵
PID:2876

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
88⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2980

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
89⤵
PID:1960

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QHvOYB3hvqDa.bat" "
89⤵
PID:2044

C:\Windows\system32\chcp.com
chcp 65001
90⤵
PID:1476

C:\Windows\system32\PING.EXE
ping -n 10 localhost
90⤵
- Runs ping.exe
PID:1928

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
90⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2336

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
91⤵
PID:2888

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FY04I38RorxR.bat" "
91⤵
PID:1084

C:\Windows\system32\chcp.com
chcp 65001
92⤵
PID:2560

C:\Windows\system32\PING.EXE
ping -n 10 localhost
92⤵
PID:1260

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
92⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1332

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
93⤵
PID:2096

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SYWsIhTBCDh7.bat" "
93⤵
PID:552

C:\Windows\system32\chcp.com
chcp 65001
94⤵
PID:1316

C:\Windows\system32\PING.EXE
ping -n 10 localhost
94⤵
PID:1488

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
94⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:820

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
95⤵
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hv58tvBzLycd.bat" "
95⤵
PID:2484

C:\Windows\system32\chcp.com
chcp 65001
96⤵
PID:848

C:\Windows\system32\PING.EXE
ping -n 10 localhost
96⤵
- Runs ping.exe
PID:1712

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
96⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2704

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
97⤵
PID:1160

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BjlBbRNqoOoe.bat" "
97⤵
PID:1068

C:\Windows\system32\chcp.com
chcp 65001
98⤵
PID:2476

C:\Windows\system32\PING.EXE
ping -n 10 localhost
98⤵
- Runs ping.exe
PID:2240

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
98⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2776

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
99⤵
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZPFz8AM6rFkd.bat" "
99⤵
PID:2068

C:\Windows\system32\chcp.com
chcp 65001
100⤵
PID:3000

C:\Windows\system32\PING.EXE
ping -n 10 localhost
100⤵
- Runs ping.exe
PID:2784

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
100⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2388

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
101⤵
PID:2584

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xhI9dpLDNewe.bat" "
101⤵
PID:1088

C:\Windows\system32\chcp.com
chcp 65001
102⤵
PID:2296

C:\Windows\system32\PING.EXE
ping -n 10 localhost
102⤵
- Runs ping.exe
PID:2404

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
102⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2480

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
103⤵
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vSKzuMNtlea0.bat" "
103⤵
PID:2028

C:\Windows\system32\chcp.com
chcp 65001
104⤵
PID:2000

C:\Windows\system32\PING.EXE
ping -n 10 localhost
104⤵
PID:2940

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
104⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2700

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
105⤵
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FeG760l7rphU.bat" "
105⤵
PID:1316

C:\Windows\system32\chcp.com
chcp 65001
106⤵
PID:1112

C:\Windows\system32\PING.EXE
ping -n 10 localhost
106⤵
- Runs ping.exe
PID:2968

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
106⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:560

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
107⤵
PID:1168

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\VLN1xVbDBPDG.bat" "
107⤵
PID:2204

C:\Windows\system32\chcp.com
chcp 65001
108⤵
PID:2908

C:\Windows\system32\PING.EXE
ping -n 10 localhost
108⤵
- Runs ping.exe
PID:1428

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
108⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1160

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
109⤵
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4e1CeYBhUV4G.bat" "
109⤵
PID:1896

C:\Windows\system32\chcp.com
chcp 65001
110⤵
PID:1060

C:\Windows\system32\PING.EXE
ping -n 10 localhost
110⤵
PID:2240

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
110⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2660

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
111⤵
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\899o92IVorj7.bat" "
111⤵
PID:1040

C:\Windows\system32\chcp.com
chcp 65001
112⤵
PID:1672

C:\Windows\system32\PING.EXE
ping -n 10 localhost
112⤵
- Runs ping.exe
PID:2164

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
112⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1548

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
113⤵
PID:2836

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k2uDCZevVKC5.bat" "
113⤵
PID:2496

C:\Windows\system32\chcp.com
chcp 65001
114⤵
PID:3052

C:\Windows\system32\PING.EXE
ping -n 10 localhost
114⤵
- Runs ping.exe
PID:1224

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
114⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1820

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
115⤵
PID:2880

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LKWRiNCQAq4Y.bat" "
115⤵
PID:1212

C:\Windows\system32\chcp.com
chcp 65001
116⤵
PID:960

C:\Windows\system32\PING.EXE
ping -n 10 localhost
116⤵
- Runs ping.exe
PID:2760

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
116⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1868

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
117⤵
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6QaiGLBCuMtZ.bat" "
117⤵
PID:1732

C:\Windows\system32\chcp.com
chcp 65001
118⤵
PID:2968

C:\Windows\system32\PING.EXE
ping -n 10 localhost
118⤵
- Runs ping.exe
PID:1316

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
118⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:292

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
119⤵
PID:1600

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1VsU7nt9sqf4.bat" "
119⤵
PID:2432

C:\Windows\system32\chcp.com
chcp 65001
120⤵
PID:828

C:\Windows\system32\PING.EXE
ping -n 10 localhost
120⤵
- Runs ping.exe
PID:1592

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
120⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2244

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
121⤵
PID:2320

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gmJtRpRcb1jb.bat" "
121⤵
PID:2800

C:\Windows\system32\chcp.com
chcp 65001
122⤵
PID:3004

C:\Windows\system32\PING.EXE
ping -n 10 localhost
122⤵
PID:2768

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
122⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2728

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
123⤵
PID:2720

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\72a4u6s0c4jp.bat" "
123⤵
PID:1672

C:\Windows\system32\chcp.com
chcp 65001
124⤵
PID:2572

C:\Windows\system32\PING.EXE
ping -n 10 localhost
124⤵
- Runs ping.exe
PID:2068

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
124⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2208

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
125⤵
PID:2588

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qz7PLUacFAdO.bat" "
125⤵
PID:2988

C:\Windows\system32\chcp.com
chcp 65001
126⤵
PID:1360

C:\Windows\system32\PING.EXE
ping -n 10 localhost
126⤵
- Runs ping.exe
PID:1252

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
126⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2000

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
127⤵
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\JZa78WXT7M7P.bat" "
127⤵
PID:2616

C:\Windows\system32\chcp.com
chcp 65001
128⤵
PID:2760

C:\Windows\system32\PING.EXE
ping -n 10 localhost
128⤵
PID:1084

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
128⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1656

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
129⤵
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sgIP8R08p00A.bat" "
129⤵
PID:1636

C:\Windows\system32\chcp.com
chcp 65001
130⤵
PID:880

C:\Windows\system32\PING.EXE
ping -n 10 localhost
130⤵
PID:2092

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
130⤵
PID:2252

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
131⤵
PID:1712

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\J20mkx27t1ry.bat" "
131⤵
PID:2396

C:\Windows\system32\chcp.com
chcp 65001
132⤵
PID:2432

C:\Windows\system32\PING.EXE
ping -n 10 localhost
132⤵
- Runs ping.exe
PID:800

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
132⤵
PID:780

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
133⤵
PID:2276

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pa3cGyHHqPcc.bat" "
133⤵
PID:1068

C:\Windows\system32\chcp.com
chcp 65001
134⤵
PID:2800

C:\Windows\system32\PING.EXE
ping -n 10 localhost
134⤵
PID:2884

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
134⤵
PID:1200

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
135⤵
PID:2608

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\suTh7XtuAnvk.bat" "
135⤵
PID:2544

C:\Windows\system32\chcp.com
chcp 65001
136⤵
PID:2748

C:\Windows\system32\PING.EXE
ping -n 10 localhost
136⤵
- Runs ping.exe
PID:2896

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
136⤵
PID:1588

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
137⤵
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\r8CsJGu6RYjU.bat" "
137⤵
PID:1224

C:\Windows\system32\chcp.com
chcp 65001
138⤵
PID:1372

C:\Windows\system32\PING.EXE
ping -n 10 localhost
138⤵
PID:832

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
138⤵
PID:2028

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
139⤵
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\I2KlgRtip72Z.bat" "
139⤵
PID:948

C:\Windows\system32\chcp.com
chcp 65001
140⤵
PID:1420

C:\Windows\system32\PING.EXE
ping -n 10 localhost
140⤵
- Runs ping.exe
PID:2488

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
140⤵
PID:2004

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
141⤵
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HuNcMOj5KXtQ.bat" "
141⤵
PID:1432

C:\Windows\system32\chcp.com
chcp 65001
142⤵
PID:1712

C:\Windows\system32\PING.EXE
ping -n 10 localhost
142⤵
PID:1428

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
142⤵
- Drops file in Program Files directory
PID:2956

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
143⤵
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FNyTOF0EjvpI.bat" "
143⤵
PID:1724

C:\Windows\system32\chcp.com
chcp 65001
144⤵
PID:2276

C:\Windows\system32\PING.EXE
ping -n 10 localhost
144⤵
- Runs ping.exe
PID:2200

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
144⤵
- Drops file in Program Files directory
PID:1736

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
145⤵
PID:2800

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\QxiX5IS7ntvV.bat" "
145⤵
PID:2672

C:\Windows\system32\chcp.com
chcp 65001
146⤵
PID:2608

C:\Windows\system32\PING.EXE
ping -n 10 localhost
146⤵
- Runs ping.exe
PID:1992

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
146⤵
- Drops file in Program Files directory
PID:2628

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
147⤵
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MHz6Xuy6l7Pn.bat" "
147⤵
PID:2580

C:\Windows\system32\chcp.com
chcp 65001
148⤵
PID:2496

C:\Windows\system32\PING.EXE
ping -n 10 localhost
148⤵
PID:2832

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
148⤵
- Drops file in Program Files directory
PID:2972

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
149⤵
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\d8EoKm9bj911.bat" "
149⤵
PID:1980

C:\Windows\system32\chcp.com
chcp 65001
150⤵
PID:1472

C:\Windows\system32\PING.EXE
ping -n 10 localhost
150⤵
- Runs ping.exe
PID:1084

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
150⤵
- Drops file in Program Files directory
PID:1168

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
151⤵
PID:2368

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4Nk9OxTAQvAf.bat" "
151⤵
PID:1636

C:\Windows\system32\chcp.com
chcp 65001
152⤵
PID:880

C:\Windows\system32\PING.EXE
ping -n 10 localhost
152⤵
PID:2272

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
152⤵
PID:1608

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
153⤵
PID:896

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PR8SFirmmaqg.bat" "
153⤵
PID:2396

C:\Windows\system32\chcp.com
chcp 65001
154⤵
PID:2064

C:\Windows\system32\PING.EXE
ping -n 10 localhost
154⤵
- Runs ping.exe
PID:2436

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
154⤵
PID:2304

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
155⤵
PID:2184

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yvwYHpHnJAmM.bat" "
155⤵
PID:2780

C:\Windows\system32\chcp.com
chcp 65001
156⤵
PID:2676

C:\Windows\system32\PING.EXE
ping -n 10 localhost
156⤵
- Runs ping.exe
PID:1704

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
156⤵
- Drops file in Program Files directory
PID:1476

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
157⤵
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\z3VODNkDwK3T.bat" "
157⤵
PID:2696

C:\Windows\system32\chcp.com
chcp 65001
158⤵
PID:564

C:\Windows\system32\PING.EXE
ping -n 10 localhost
158⤵
PID:2896

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
158⤵
PID:2988

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
159⤵
PID:2824

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3KBJ46ilhneH.bat" "
159⤵
PID:916

C:\Windows\system32\chcp.com
chcp 65001
160⤵
PID:1796

C:\Windows\system32\PING.EXE
ping -n 10 localhost
160⤵
- Runs ping.exe
PID:1212

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
160⤵
- Drops file in Program Files directory
PID:1064

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
161⤵
PID:544

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4ELZfM44Pkrg.bat" "
161⤵
PID:2144

C:\Windows\system32\chcp.com
chcp 65001
162⤵
PID:2568

C:\Windows\system32\PING.EXE
ping -n 10 localhost
162⤵
PID:2968

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
162⤵
PID:1712

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
163⤵
PID:3012

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\98l3zKYIT7Ce.bat" "
163⤵
PID:800

C:\Windows\system32\chcp.com
chcp 65001
164⤵
PID:2912

C:\Windows\system32\PING.EXE
ping -n 10 localhost
164⤵
- Runs ping.exe
PID:2648

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
164⤵
PID:2080

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
165⤵
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q1dNfiNfddH1.bat" "
165⤵
PID:2576

C:\Windows\system32\chcp.com
chcp 65001
166⤵
PID:2952

C:\Windows\system32\PING.EXE
ping -n 10 localhost
166⤵
- Runs ping.exe
PID:1440

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
166⤵
- Drops file in Program Files directory
PID:2876

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
167⤵
PID:2104

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\CxeR9AWNtxJR.bat" "
167⤵
PID:2620

C:\Windows\system32\chcp.com
chcp 65001
168⤵
PID:2672

C:\Windows\system32\PING.EXE
ping -n 10 localhost
168⤵
PID:2472

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
168⤵
- Drops file in Program Files directory
PID:548

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
169⤵
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YZh9nAN7xbYE.bat" "
169⤵
PID:1624

C:\Windows\system32\chcp.com
chcp 65001
170⤵
PID:2580

C:\Windows\system32\PING.EXE
ping -n 10 localhost
170⤵
PID:1224

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
170⤵
- Drops file in Program Files directory
PID:960

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
171⤵
PID:1372

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KyvQ4OX44182.bat" "
171⤵
PID:2560

C:\Windows\system32\chcp.com
chcp 65001
172⤵
PID:2192

C:\Windows\system32\PING.EXE
ping -n 10 localhost
172⤵
- Runs ping.exe
PID:324

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
172⤵
PID:1076

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
173⤵
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9jp43bBjsDWM.bat" "
173⤵
PID:3036

C:\Windows\system32\chcp.com
chcp 65001
174⤵
PID:3048

C:\Windows\system32\PING.EXE
ping -n 10 localhost
174⤵
- Runs ping.exe
PID:3064

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
174⤵
PID:1716

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
175⤵
PID:2200

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAyxA36bF60A.bat" "
175⤵
PID:2984

C:\Windows\system32\chcp.com
chcp 65001
176⤵
PID:2764

C:\Windows\system32\PING.EXE
ping -n 10 localhost
176⤵
- Runs ping.exe
PID:2076

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
176⤵
- Drops file in Program Files directory
PID:2576

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
177⤵
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\mFqg6DYNq88m.bat" "
177⤵
PID:996

C:\Windows\system32\chcp.com
chcp 65001
178⤵
PID:624

C:\Windows\system32\PING.EXE
ping -n 10 localhost
178⤵
- Runs ping.exe
PID:2492

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
178⤵
PID:2552

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
179⤵
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dwgUi0AChpoq.bat" "
179⤵
PID:2580

C:\Windows\system32\chcp.com
chcp 65001
180⤵
PID:1940

C:\Windows\system32\PING.EXE
ping -n 10 localhost
180⤵
- Runs ping.exe
PID:2008

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
180⤵
- Drops file in Program Files directory
PID:1980

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
181⤵
PID:544

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GOl6cyhctgJU.bat" "
181⤵
PID:848

C:\Windows\system32\chcp.com
chcp 65001
182⤵
PID:1732

C:\Windows\system32\PING.EXE
ping -n 10 localhost
182⤵
- Runs ping.exe
PID:880

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
182⤵
- Drops file in Program Files directory
PID:448

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
183⤵
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\jg83utsisLlW.bat" "
183⤵
PID:2600

C:\Windows\system32\chcp.com
chcp 65001
184⤵
PID:3064

C:\Windows\system32\PING.EXE
ping -n 10 localhost
184⤵
- Runs ping.exe
PID:1452

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
184⤵
- Drops file in Program Files directory
PID:2680

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
185⤵
PID:2184

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PI9wIfsMuIfN.bat" "
185⤵
PID:2732

C:\Windows\system32\chcp.com
chcp 65001
186⤵
PID:2632

C:\Windows\system32\PING.EXE
ping -n 10 localhost
186⤵
PID:2544

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
186⤵
- Drops file in Program Files directory
PID:1704

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
187⤵
PID:1532

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WXfWyKpNUqdp.bat" "
187⤵
PID:2888

C:\Windows\system32\chcp.com
chcp 65001
188⤵
PID:1040

C:\Windows\system32\PING.EXE
ping -n 10 localhost
188⤵
- Runs ping.exe
PID:1668

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
188⤵
- Drops file in Program Files directory
PID:2248

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
189⤵
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TmteVaG1FIRz.bat" "
189⤵
PID:2008

C:\Windows\system32\chcp.com
chcp 65001
190⤵
PID:1856

C:\Windows\system32\PING.EXE
ping -n 10 localhost
190⤵
PID:1260

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
190⤵
PID:2500

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
191⤵
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\dnKMEh4SZn4u.bat" "
191⤵
PID:2316

C:\Windows\system32\chcp.com
chcp 65001
192⤵
PID:2428

C:\Windows\system32\PING.EXE
ping -n 10 localhost
192⤵
- Runs ping.exe
PID:2664

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
192⤵
- Drops file in Program Files directory
PID:828

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
193⤵
PID:2484

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qe3P26sZImqU.bat" "
193⤵
PID:1452

C:\Windows\system32\chcp.com
chcp 65001
194⤵
PID:2800

C:\Windows\system32\PING.EXE
ping -n 10 localhost
194⤵
- Runs ping.exe
PID:800

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
194⤵
- Drops file in Program Files directory
PID:1724

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
195⤵
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\52nadDRuniio.bat" "
195⤵
PID:2916

C:\Windows\system32\chcp.com
chcp 65001
196⤵
PID:1992

C:\Windows\system32\PING.EXE
ping -n 10 localhost
196⤵
PID:3020

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
196⤵
- Drops file in Program Files directory
PID:2844

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
197⤵
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gvBEAuREwxmS.bat" "
197⤵
PID:2492

C:\Windows\system32\chcp.com
chcp 65001
198⤵
PID:2900

C:\Windows\system32\PING.EXE
ping -n 10 localhost
198⤵
PID:2824

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
198⤵
PID:2108

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
199⤵
PID:2832

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NcPz9GhwmM4t.bat" "
199⤵
PID:684

C:\Windows\system32\chcp.com
chcp 65001
200⤵
PID:576

C:\Windows\system32\PING.EXE
ping -n 10 localhost
200⤵
- Runs ping.exe
PID:2112

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
200⤵
PID:948

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
201⤵
PID:2036

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rDCUao8J4Nhw.bat" "
201⤵
PID:2684

C:\Windows\system32\chcp.com
chcp 65001
202⤵
PID:1896

C:\Windows\system32\PING.EXE
ping -n 10 localhost
202⤵
- Runs ping.exe
PID:2936

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
202⤵
- Drops file in Program Files directory
PID:1132

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
203⤵
PID:1968

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IQDa5zikl9Fu.bat" "
203⤵
PID:2268

C:\Windows\system32\chcp.com
chcp 65001
204⤵
PID:2052

C:\Windows\system32\PING.EXE
ping -n 10 localhost
204⤵
- Runs ping.exe
PID:1088

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
204⤵
PID:1540

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
205⤵
PID:2736

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8nfvfm4FYZ1X.bat" "
205⤵
PID:1040

C:\Windows\system32\chcp.com
chcp 65001
206⤵
PID:2584

C:\Windows\system32\PING.EXE
ping -n 10 localhost
206⤵
PID:1448

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
206⤵
PID:2456

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
207⤵
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\McITpRt0OaOq.bat" "
207⤵
PID:2504

C:\Windows\system32\chcp.com
chcp 65001
208⤵
PID:2008

C:\Windows\system32\PING.EXE
ping -n 10 localhost
208⤵
- Runs ping.exe
PID:2488

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
208⤵
PID:1260

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
209⤵
PID:2568

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kYuk9GU2cxCZ.bat" "
209⤵
PID:2036

C:\Windows\system32\chcp.com
chcp 65001
210⤵
PID:1760

C:\Windows\system32\PING.EXE
ping -n 10 localhost
210⤵
PID:2136

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
210⤵
- Drops file in Program Files directory
PID:2448

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
211⤵
PID:1488

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\uDbmeyngwxLU.bat" "
211⤵
PID:2396

C:\Windows\system32\chcp.com
chcp 65001
212⤵
PID:2952

C:\Windows\system32\PING.EXE
ping -n 10 localhost
212⤵
PID:2912

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
212⤵
PID:2996

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
213⤵
PID:1672

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8oVvV0luTdff.bat" "
213⤵
PID:2216

C:\Windows\system32\chcp.com
chcp 65001
214⤵
PID:1992

C:\Windows\system32\PING.EXE
ping -n 10 localhost
214⤵
- Runs ping.exe
PID:2276

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
214⤵
PID:2296

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
215⤵
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\YGdpnK5FHtKI.bat" "
215⤵
PID:1960

C:\Windows\system32\chcp.com
chcp 65001
216⤵
PID:1908

C:\Windows\system32\PING.EXE
ping -n 10 localhost
216⤵
PID:2008

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
216⤵
PID:2488

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
217⤵
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q4zocqnFLh9a.bat" "
217⤵
PID:2328

C:\Windows\system32\chcp.com
chcp 65001
218⤵
PID:1760

C:\Windows\system32\PING.EXE
ping -n 10 localhost
218⤵
- Runs ping.exe
PID:1784

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
218⤵
PID:1996

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
219⤵
PID:2768

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wr7mpSMFkuFa.bat" "
219⤵
PID:1328

C:\Windows\system32\chcp.com
chcp 65001
220⤵
PID:1060

C:\Windows\system32\PING.EXE
ping -n 10 localhost
220⤵
- Runs ping.exe
PID:2184

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
220⤵
- Drops file in Program Files directory
PID:1452

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
221⤵
PID:2140

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\czPRdpVmyLK8.bat" "
221⤵
PID:2452

C:\Windows\system32\chcp.com
chcp 65001
222⤵
PID:1992

C:\Windows\system32\PING.EXE
ping -n 10 localhost
222⤵
PID:2584

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
222⤵
- Drops file in Program Files directory
PID:1056

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
223⤵
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\f4kubUmMgLs0.bat" "
223⤵
PID:752

C:\Windows\system32\chcp.com
chcp 65001
224⤵
PID:1908

C:\Windows\system32\PING.EXE
ping -n 10 localhost
224⤵
PID:1224

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
224⤵
PID:1960

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
225⤵
PID:684

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nQEmsIWfenom.bat" "
225⤵
PID:2412

C:\Windows\system32\chcp.com
chcp 65001
226⤵
PID:1896

C:\Windows\system32\PING.EXE
ping -n 10 localhost
226⤵
PID:892

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
226⤵
PID:848

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
227⤵
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eg6Wl1mdBvvu.bat" "
227⤵
PID:1884

C:\Windows\system32\chcp.com
chcp 65001
228⤵
PID:2984

C:\Windows\system32\PING.EXE
ping -n 10 localhost
228⤵
- Runs ping.exe
PID:2200

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
228⤵
PID:3064

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
229⤵
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DbCkH5Jbpwhh.bat" "
229⤵
PID:1528

C:\Windows\system32\chcp.com
chcp 65001
230⤵
PID:2732

C:\Windows\system32\PING.EXE
ping -n 10 localhost
230⤵
PID:2224

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
230⤵
PID:2692

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
231⤵
PID:1952

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eXmnDnhkHld7.bat" "
231⤵
PID:2816

C:\Windows\system32\chcp.com
chcp 65001
232⤵
PID:1112

C:\Windows\system32\PING.EXE
ping -n 10 localhost
232⤵
- Runs ping.exe
PID:2008

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
232⤵
- Drops file in Program Files directory
PID:2664

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
233⤵
PID:1732

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HWZg5RyGX5O7.bat" "
233⤵
PID:2136

C:\Windows\system32\chcp.com
chcp 65001
234⤵
PID:3012

C:\Windows\system32\PING.EXE
ping -n 10 localhost
234⤵
- Runs ping.exe
PID:844

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
234⤵
- Drops file in Program Files directory
PID:1972

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
235⤵
PID:2076

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wi0LX0lYvr1G.bat" "
235⤵
PID:608

C:\Windows\system32\chcp.com
chcp 65001
236⤵
PID:2184

C:\Windows\system32\PING.EXE
ping -n 10 localhost
236⤵
- Runs ping.exe
PID:3024

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
236⤵
- Drops file in Program Files directory
PID:2676

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
237⤵
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8pfO59ue7cyY.bat" "
237⤵
PID:2472

C:\Windows\system32\chcp.com
chcp 65001
238⤵
PID:996

C:\Windows\system32\PING.EXE
ping -n 10 localhost
238⤵
PID:2716

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
238⤵
PID:2636

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
239⤵
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\qLIuMqAfmeDC.bat" "
239⤵
PID:752

C:\Windows\system32\chcp.com
chcp 65001
240⤵
PID:604

C:\Windows\system32\PING.EXE
ping -n 10 localhost
240⤵
- Runs ping.exe
PID:1908

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
240⤵
PID:2568

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
241⤵
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8NJyNyYXMzFa.bat" "
241⤵
PID:3036

C:\Windows\system32\chcp.com
chcp 65001
242⤵
PID:2432

C:\Windows\system32\PING.EXE
ping -n 10 localhost
242⤵
PID:2848

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Client.exe
Filesize
3.1MB

MD5
a121d9d691a400786000dee14a808ab1

SHA1
14ab065be3cfe0a7aa7808cb8891f7c75affc395

SHA256
7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335

SHA512
e0a162b3d00ef69b96bd4a43f9a0c3297005e8a8db84233010d420bf87ff337ed4139b4cc27594fdd194416a03fe8a7be90b03a8f10e34b72f70d399d6917929

Download Submit
C:\Users\Admin\AppData\Local\Temp\06gbc4VOjpZj.bat
Filesize
199B

MD5
bce312e7f5d7847787850ce56611ee59

SHA1
b7f585203fbb39273a20f5cc44274c5c41a9cdbc

SHA256
b62997a4b1cb0700fac4fed094e85eec70a5c8b3fbb75ef60e39a85b4b07e4b9

SHA512
064d11f50d00571a1faedb6aa7aa0e1987cfa8497a0cba26087a402a5d7703312d1a956ec0f1014015a8cf0d45e92c7c7dd1c70ca25ca166790e8ab6ff46a76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1QeM9VAuG6w4.bat
Filesize
199B

MD5
bc641fff1f05924e06db0a05232d6a86

SHA1
4b0a7ceb91b5c55c8f80ba37be69465794c959cf

SHA256
acf51fa508cb4901c8840a1a97816876d55b2202c22ceee9d00eee87b47ec461

SHA512
f0690c87217eb346a081c87928165efe59cf0317bb94bc15fbbad57853d5e2c2ba7c86d1c70f34c75d43127e06de27a184414bc30e1ca4b5ba53cf45808f7aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1VsU7nt9sqf4.bat
Filesize
199B

MD5
8c07c330b9e90a4fe4ed5d2cf3dd15f6

SHA1
ca06f4e1699992a89131bc31697873f3e4d83185

SHA256
2945b504c0cdb07857b0bd6522990932cfa9d50c732b12c99a9770fdd9e90058

SHA512
8e7e32148a7256e87e7d9ea4c5c2fbd257351480c9da0942afbc77bdff97c1e8a2e6dfd98a4f81a34b32ea4bed36e3354dfff964668279a71961a3570eb127fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1WrdTlk4MdFr.bat
Filesize
199B

MD5
20c00d85e641273d95960bf0b7679483

SHA1
4ddd461ad530e9aee739c1058ec91b61b6681647

SHA256
c6cdf9c90c387d7ab8a62863b2f57b12f31252a49b23819145bbcba53b7f84d6

SHA512
3081f0ea75f4ae43209d0ae265c8c7aad7438f8700f36b12b2f54c83abcf942028ba83a1740ad285565f5a571ad65f7d3dea7bcca530628555fc5b0baa702daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1tjLsHvlbGBD.bat
Filesize
199B

MD5
f4aa77ca7937ca6200d7e489aaee6d44

SHA1
1c719e1550e92c8d722ed26f5c29c85a9e998554

SHA256
709e41177a9c2500c54dfc430ae2dc5923102c8dd40644b5e3803ecfbc1a93da

SHA512
2dab1a95f6cba40f101faee5d66f9a0956179f78e1ca96fab14f28b37fa2f71ef281c742cd1d132492aaf066c1980b73847724ce35f8f673d214daa341c0a27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3KBJ46ilhneH.bat
Filesize
199B

MD5
d09c46720f60384a7bc718db487400ba

SHA1
e7381958ef5b6737e79d4753f3a2654bd7e41a3f

SHA256
76a76877b5adf52c2c1ea8fa15e174ebddad10094c869fb60729e06542287f57

SHA512
cb880ab87ba7a04054931cdb7abd7957ee8234e82847d29d90b9245df3cab9d40ce891fbd6af10197827336285f75402c7ad80ca18bb318c83fa72f2f8623588

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ELZfM44Pkrg.bat
Filesize
199B

MD5
43d7469f90d1dd7737b91db1498b7f31

SHA1
c5cb768fb48c161ac72619bb248ab7d3f4025814

SHA256
e30cb806b84a1039ff0b440a9df6ed75186ceb215d577f77228b1069df43cfc7

SHA512
939a92f8c7f4531ee2ec793088b001858df46a116ff25402b9e3d927c057e2a7911c8f6d813d33bea1a0b03d2dc2180561e02d47ceff70df969011642ffaad48

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Nk9OxTAQvAf.bat
Filesize
199B

MD5
a9aedd9fb22d5607e67cfea4ee8e83c5

SHA1
8cd992ee1455e2ea9d33b56a7059ec2d93a63fcf

SHA256
b03ed4394675684425de6f5995cdd3a1d5c78f7a25da9e805f49cd2ade443adb

SHA512
a552226669de01f783ab70eda44544a735d60936814f436cd99abc7f934bb57ccc6d0420de083865025058f638236e3088bcba7e62cc3b2c52e002b17ad2bec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e1CeYBhUV4G.bat
Filesize
199B

MD5
55354d14ed9f0bde415fc949c5835702

SHA1
9d43df8d2fc113226e4b3bb2a822b959e146124a

SHA256
a70e82f6a62e76665d85c5be1a63cfb8c743131866b72d15171244a304d14b21

SHA512
c97cb4d0d5dc8b1ef7fb93eb2ab4cdee57867b1b3878f0dcfd339aa29d37bbe47137810a99a2294e6e4909d2ce1ea70d01cf7780e47d727bd08d880da2858193

Download Submit
C:\Users\Admin\AppData\Local\Temp\52nadDRuniio.bat
Filesize
199B

MD5
2d41e4f3728510e1e81614500f369956

SHA1
f62f33e35bd61356d6dd5050ebbacb086799c90f

SHA256
f032b99337849ce4cc782fa0fc9ddc64785c7eeb26e8820a8c60034053d76d45

SHA512
948242d9ddb8a0cdf1162a2ad6c9ed1632215bfdfb57deb0bb193eb3cb34ea4f034f4206d4cc594a20f48ae82dd441c426327e141574c12e33646c60f4935715

Download Submit
C:\Users\Admin\AppData\Local\Temp\56XK20SDirD8.bat
Filesize
199B

MD5
05c37dcb1a54f1d73c0e71de38510dec

SHA1
42cd5e601c9b94502b53ea58c9c137f50a34737d

SHA256
778868f122dfa4d290bf2d32cba9a755b889471d19f236982ed8b022708d9325

SHA512
0536f8d80bde2b81e7323a0d50591a6ec4ce92c93745852278bb6ed949b6a99d5eaac3a3337b7601b53fcc6e6426677f65dc43f92f3fb0f220f1abab696d28f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6QaiGLBCuMtZ.bat
Filesize
199B

MD5
9cd5d0f6b092bacb718637bc1977f232

SHA1
2715d57bedc20f33af12d7af159578aa9c22f2b6

SHA256
e9351ef49adfdb7e0171303a5d7f10439448c2480bd0e40d3e6ed737618358b9

SHA512
bc52057f8c407bb1e821d90ff334f1fbb96bec51672c564efe09b9d39756c2d59ab44b1ee818bf5a9ca50784a05262725453dfec3f6f68c153ab4709148abf23

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ioLPO1Zr2Kq.bat
Filesize
199B

MD5
7194bd4710b2625ab3b81f95c02336c5

SHA1
5760713aa59c84d2c2e4c7217916f74fcd5b8622

SHA256
5fae2e14995804a484f4528490e8715100e873e020391993999e448c102dcceb

SHA512
ac7ba2b4ee2c979dd129e9510eb2c1850912c6f775bc635153f721037b2ce4ec1b79a65aa0e1fc2021ef034ae107bf7ab9642bc83c2146d29eb05cf73a460a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\72a4u6s0c4jp.bat
Filesize
199B

MD5
9d26d219b040fa5c5c6535946dcffbbb

SHA1
b5193d45c31d6a12935eae23e23437bd2f6b1aa2

SHA256
04e3396f8b06a1c0a63d149372608dff8c69ef5f1e81ad9fea601fac477f2a62

SHA512
d17f195c6162ca659c05f7b28b162f95637638787b1c2ac4293df6d4d346588fedc82b1f0270514c41de32fa0b01e80c924e8a56ca293f0ea494e00f45e53b30

Download Submit
C:\Users\Admin\AppData\Local\Temp\899o92IVorj7.bat
Filesize
199B

MD5
15744b41f1df212177f1cfc435783d05

SHA1
d6b4a5c22815a1a4aa62cbcad5665beac51b3e17

SHA256
7a3bcd4f2888e4515cd454a7ea7dcae15fcc43af6d0e7999af51daa18046f8ad

SHA512
1633865792f4b09fb9e5ae3d773b0944746606330edeee9ac42b6518b877945a66657c47fe272d70c2a13986419ec452f63a873b4cc594bc0ee44a06d5ebf09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NJyNyYXMzFa.bat
Filesize
199B

MD5
d2c7f53bfac6026aa3f394a575defc44

SHA1
21d27205405d9ce7ede85cf9135e4029d591f4ae

SHA256
92761a58732e72f3039722ee30cf0e395ed98ac424a3c11844e491c6a5ed00a9

SHA512
ba33333e7ef1e607c61537a11972115b1c57f43cf3264570c3c7f2053d66fe9ce26605f7995d51396d85ee2a258c2e020f4961d06f85d8b2096146cabbda54e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8nfvfm4FYZ1X.bat
Filesize
199B

MD5
625cf13478fd6563efeaa04a1218c744

SHA1
54c0a14cf9144c72f1b5128a9e9d6c18d3a7d7ac

SHA256
a5269641a33ea1a74dc601897b9a5264c825c2d833fe231d65040969a6dac746

SHA512
2a0c30cd53e4b3d3df7df4d0fd198ed8d177b51cf9b6de6c69a2a6e8862723e851deae1e340a32ef0bc29fba77feb417f43b6604b675d0857d3c0df6bba513f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8oVvV0luTdff.bat
Filesize
199B

MD5
6cd773a95a5deafec2901e60454e29fc

SHA1
fd0c97cdbf666d3b14e24a713fd33f8d7e4785b0

SHA256
fa84741b3dc9b1de01a783abbfd6ead416bdc1bc16969d925982f17950a1fd98

SHA512
ea42e301500902a1ccea721ed5299ea64f399698c263008b5d24284a29ce87f1620c9743b8edae3a26b8275d8fb49bbda147d38fae36f1560053ac9305aa6474

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pfO59ue7cyY.bat
Filesize
199B

MD5
11b69bb62043d83c106803b833737e63

SHA1
bc7bc24b263fde6ec75e7fb9825c577c5d0ae28c

SHA256
93d5e7c01987a37b5576a1c7d99b92cf1aadd1a43d2af373fcfbec3bc14312c1

SHA512
0ac6cc9f5420ade4cf978c7d6020dfb0a1fc7d408498e01a536b1b8dfe9dd4808d14b979bb1292c620887ddaa7d2ae89d94878e6a9560f80a4d337a1151244a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8u5vKSAzCgif.bat
Filesize
199B

MD5
390aaf6942c5f222979dd7b734b790bc

SHA1
e8f195087e85d4640b3ae2405a492bfce50e6416

SHA256
0d8b16c8a456feb80f55ea0fb28f43265927e27c0e9b277a6d7ebb5ceb23ec1d

SHA512
d8614817874a8d3879acbf6b749b1259c41fda3a43b8dac923263754fc7e287252395d3f13f3ef5e8d7fcf4341bb389eb17f6d2b203a52894527a4ce11c93cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\98l3zKYIT7Ce.bat
Filesize
199B

MD5
acff8740cbc03f4e94db1c2cc6d189d9

SHA1
8f78460501338ef3a1e2f501f9fdb949f19e447b

SHA256
55f4edfb90ebc23258791df063f84877d8f4e89efe71a9166978e5d440e692be

SHA512
4c1893e8c3e0d9aeb0870a2e7e0b229fd7ba738fb00abff160cae611daeaad767be172a7a6b18c3fae5d7f938709aa15a7b3dae0680e1662d328eead55ba4798

Download Submit
C:\Users\Admin\AppData\Local\Temp\9jp43bBjsDWM.bat
Filesize
199B

MD5
759760b847e90bdd8469877f9c7d90ba

SHA1
54cbfb7fde4a35b9b0f563fd34b1a9f0fe6c8fff

SHA256
238ba5e8571af0096b051056f0ca16c91bbed70090df4253a0f0f35032c7780c

SHA512
398c6a44e23763b0c6440963d613f1df1c5abb493323eb1278f2cb1d7f923d124560e1ee49185b62c9be5aeea4b04648e63ff72eefabefc22b67ab29f1fa3b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9sBlTwlaEOsz.bat
Filesize
199B

MD5
17e100dca674d5fdfc458a5f032ca09c

SHA1
aa2a3b06596292564ec9651541f9eb5262f8b711

SHA256
2fe72d57d1c98452d25f158d293cfb8914f4a10f007c8965d107580b64601970

SHA512
2519fd5e11d9411ce1c3df355f09d280a0e1d9ce57d67cfe13fee9d19b86916a0e4bd03f679704803d58b16b3eb038436250406a604b054824bcf8787c419b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BjlBbRNqoOoe.bat
Filesize
199B

MD5
ee76dc73d8a86ae446deb3c8f0925f80

SHA1
75743e35533a2b51908c7fdd784f7b8a5d0250a4

SHA256
9d137c4f72c1d9cd49c3838e3e28df1f53b3bfbf6553039c0ca0b47e4a064bd8

SHA512
f8d8a2a48c42a4a3cef7cea8cc4d4993f0c1a27048c0054a3cb321c847f40a71f002463f35b5c1e97102c17b9fac69ebf7786ad862d22b0b38f1792dd7055bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BxF8TPj72Bvj.bat
Filesize
199B

MD5
b1b44046d7443b5845975f4bf43ee692

SHA1
9b4bf04416bda3c2a7c33fdc72ba9aa097e1e690

SHA256
29e64dacbdc5d58814661e4a9a46a21d8181e087f6431c1b794282c48029ebf6

SHA512
3d6c7719162fd1b51047023630621a61a72ab12b09afaa6d2c2a324447a942105cf21a8f9a20cf198a41a03762ecd04a9f49a0c09bfc661e253215a7d6b667d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBNebGtFyYjR.bat
Filesize
199B

MD5
24b669f9644f8b2f2f7215c22fb4469f

SHA1
a337c94ecf97ee0d771fcf88f9123e8cf0e0abcf

SHA256
09075f62ef7b02817667b1ec00156d53ae2cfafd32bb7fb6b7a2dd5d3be12820

SHA512
931f31eabbfce0e85399497c1aba45f7ab6bc4891478f0c293f73658316cec332960913920411c06ac8ebf3bc901e8cd0a57a5bf425e4846550536814caf8629

Download Submit
C:\Users\Admin\AppData\Local\Temp\CxeR9AWNtxJR.bat
Filesize
199B

MD5
2c975571cc791b8104e86791e3a85a53

SHA1
fa688802e9cd2804ee785f3d57a5a4cf9d85bc56

SHA256
264ac66bfead0f073a9dc1fbeb5a16bcb616a3ace648acaeb0183009961558ba

SHA512
8a05de8a47562dbc33be817fc35523f3351d3f45eff4d53dfa11055bf509432f53076f4e667760f398ed6c6fdf80282a37b5cb76a7540ad5d557adf0a7e72b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCdLUOfPtAWT.bat
Filesize
199B

MD5
52be63fdc98a3b1763ab9fab4da95fb3

SHA1
f1bf6a2201e2571d4d2899378d4ca55d490456c0

SHA256
10bd6566f55365a4b33e1b2daafdfa90dd0778e305c9331d63ff1c9aa0056c2b

SHA512
0bb7df0206bc3616fbef255d7bc84333afbc56cf0c9ca9255be05cda06eadf2e627f8f268936ee07ed8afe1cbec208fc311779e0f591285094b06fd0d466c25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DbCkH5Jbpwhh.bat
Filesize
199B

MD5
030de01adddddedd2ff667401c8cf90f

SHA1
374106d0c306ba4dd52045cbedbb6b0fc7cb3252

SHA256
1720331183953e490f0df1ee93895b70fc92ce6e58e826c96ef295564b05f39f

SHA512
5c9ee86c0690a3dc1b1dbdab59f89b6e58cc8307c92b04ffcc54fc78e7c9991bde4f029c5d3b5c9ce66012969435071e26620536b4bffbc23f124aeb05319eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\FJWWaKGavioN.bat
Filesize
199B

MD5
68a24a0d9459d5c4a3e6f8abcbd23638

SHA1
62744f2e10b60fb0d469d0c7b8999768e9470aa3

SHA256
96e4437d8a06b7a9a08c10edc29680a03c7b08bb12dfe0d0c3e7cde71e454635

SHA512
f691bd3768a7a515697a8830c85c188170b6f3eb003fdec2e9e53a166c14928847ae522e926ac825b82dd25c8ae7369df6c6672be7f83175642523038a5a0214

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNyTOF0EjvpI.bat
Filesize
199B

MD5
a479ef4949825bfcd35bd4d59e322705

SHA1
ea6cf270dfed2590af3d996a5298997dd832fc14

SHA256
e92a3c7fca89d11e4c37ad578622814b350e92266d1184c045df0cc835985e98

SHA512
349e62f4fbf6301ff1c349d4bb461ad7a4c7a2b58e7192105cf29ede805532c5b962d53bf1579b37b9afbd859631c93b80374a20d65c22be60ec8a9bee33c263

Download Submit
C:\Users\Admin\AppData\Local\Temp\FY04I38RorxR.bat
Filesize
199B

MD5
ae42f2b04d444c2e1bfeb438f590c54a

SHA1
99c495e2f4b11c065a71e8e2036ece308eef3fa7

SHA256
6b232e90240226a83caa89dd02a79a9dc4437664a31b37231152a9ec0d1f6d4c

SHA512
e63781afdd326391b22370425590014119b1e4e1915c27be4f27647381368cad89759cd67392c750e3fe3170bba8b76160a7a3d2823040f3bde978fb5e9c058a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeG760l7rphU.bat
Filesize
199B

MD5
4fcfeb349db5c81131ecdf59ad130f09

SHA1
0922a9861c01d4b82ccaefd00c0179d7a448c163

SHA256
f2e7fc50fdcbbada415192f6e4d8432dc0a58c8aefe6afbdac834c7e50388bf4

SHA512
25ae29f7da3b4846dc50f4ea6caade0451256b7df021a61e4272d309bfce986f9cf5d8bbdc50eff26a8aa6c3042ffbd3b69780360577c9fb33f8352628f355f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLq3QkdvJzuh.bat
Filesize
199B

MD5
46ceabae327aa43fb1b51a98956f0391

SHA1
16089e03219d883f2019e05e33417d1895350d8e

SHA256
741dee7238bf74c349454f175dee8d82aff7a6bde894d05215c78c0f971a1038

SHA512
3ff21e494b4b76d69f362ba82ce3ef5b9242f7bd99dbd314baad1483b9bbb284241e4bf1d04ccab40f8b61657e71ae2572e8f850f8a3a39dbddde45680e048bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOl6cyhctgJU.bat
Filesize
199B

MD5
d9b958754947fc3a3d255464299c6fbe

SHA1
faa494a6de8419fca55d480dd658126f7e7dff95

SHA256
e302ab6dfdefcd22d001a6f50edda52129f159b63f6e7ebe3609f15b5d2166b3

SHA512
f112b19fe405d932f6d161d6ca0400a3afa10cf21be3532ef1b3e69c95f1f6d48a1ba1fb42825a4ade11305a7ba01a21f8054fe028cf1b4295773603f36bdc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYytgcbQkxep.bat
Filesize
199B

MD5
cec93a7c75a4138d2dc80602f05f9292

SHA1
a368b9f8d8a758e15b5b83062b4a01c71c220f34

SHA256
c1040a1a1a86634bb40687b68f4bc12002fcc411b4c6abd86a85b65fcf1e4846

SHA512
4e0cbde8458a7db5bb47505e0e84863bfd8ec785d990c555a5bde4156f7e98aed983718d623d6d70af79d1213b108261711452dc47ab1fdf01b7bdd4c5ec5169

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWZg5RyGX5O7.bat
Filesize
199B

MD5
69ea713403db10b540926394654f3d45

SHA1
5201edc13e6b51c1d94d3c17b957e1330a4188a1

SHA256
cb10492615f113ecf3855b1d6cca1b7f15fb12cb5389413b8011f9e2c463e448

SHA512
261e6147703f2453f1bd1bfa6dc578c80d3058baac6a2f197d1a31f6513cabb3f478894e139a8810cfd8dcf00dadc018ab19ba86afda146a4db73a6873b1cf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\HuNcMOj5KXtQ.bat
Filesize
199B

MD5
3db4d4c7546e628f5c26929b4c1c38a2

SHA1
bc20763297809c344d9dce072f5dc511cb1499ca

SHA256
4b52cb86004865acc3e306d0cbe4cc7294547569d44ad64aa48d3e5e9c1d2ef8

SHA512
cf1fe1307680854b73e85312ae869b059b21d1f5b9f326cd00e0c5874f972dece8fe95ceb2548d41535f7e260f972d1772ef54c099a15bf5e304789fe5c04957

Download Submit
C:\Users\Admin\AppData\Local\Temp\I2KlgRtip72Z.bat
Filesize
199B

MD5
f8641b9275d4a153956957d9b69ad2d8

SHA1
8b1e635627824503601bdae6acdbb30e58904c99

SHA256
2cea9bcc65ac7e7eff43cf97e1c288045bacdb1a6e966addec63e5a26df93a11

SHA512
6242f42c5d7f65e6102b7b92651c192e81f6862ef725e3d70ccdb3753c86e92e10b5f6469b003e9529797cd6b28d62aac4c7230ba9ec92168361db56e999b51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQDa5zikl9Fu.bat
Filesize
199B

MD5
bc9488cfbacbd7deb30937ef2d04a866

SHA1
71c62aa0a453a9166a3311643bd0d854d3956bad

SHA256
b59b5215b256e5965fb47faea7ef898a9c6e1aebd34ab7b46995c2999b65d5c3

SHA512
94a920b187da8de24ade77f0447f9a8568742e215bf5f1f7b9d06520b799c4f39c049dd4c99d5b9b0e6922c9a0e447b5d1efd804774904a422a3d10a606ed270

Download Submit
C:\Users\Admin\AppData\Local\Temp\Im4pvohi1Crg.bat
Filesize
199B

MD5
f65ec35df4f95046fca47d7e7fc9c0a6

SHA1
717c940cb32fa503c9fedda2dc1de6c65eab8629

SHA256
ef37a9bfe6269355f37b9a66a94a3787d62f053b7c01e6e4faa91cf314f4c3e1

SHA512
870b42bea27da79a389f47159d3e710d3e01a82fb4eeeb55e8be7e726394bfcd99e7d8757632cca91e0c63a47858ba9db4562aab9e81b6f550047ad76e5d3456

Download Submit
C:\Users\Admin\AppData\Local\Temp\J20mkx27t1ry.bat
Filesize
199B

MD5
2c0dd077a10b72cbd50bd41917dcd8a2

SHA1
d15a74ee6d2ba063182e50fac4354adbd2d0ef25

SHA256
20465c95139922e736e758c3a3e394795b45488334bf491ecf1ffbe6b5ee7ccb

SHA512
443d423de3bd96caae69872f5a7532200a16966d8e35b7974e8616984da157d40840e058338db9199ed9201f106f7110471a4bdb7dfffdf8a320dc01bfbdcb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\JES2OJ5AlNvR.bat
Filesize
199B

MD5
1d85700713e92a6a69da6e768514f5fa

SHA1
1e02b9c3397360267558d8bca40b17f81c706031

SHA256
11846876b4a56f060e060114b2db696c14ed31da61e6285fcba7807ac564f2c8

SHA512
a7687eda032555b4895ce1ca4da2386d14b2009b87d62ec2415e720959f5748959a812f53027a26ce1d6bc6a0ba25bf6f90b58d2d66c2453222a5d6a399fe77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JZa78WXT7M7P.bat
Filesize
199B

MD5
ebe4768dbc472d2f5390ba0496f074ee

SHA1
2e31881115b6e81cab03da2fa6c1199d8589692a

SHA256
a5919706268a541293e063f621d22c148b5203ca39f6404de5a15d556d012115

SHA512
2f5993e6530f94d56151df8b294b9f9c6c97b16cfbcd4c88c599e479d44081310be1111a9b027507a5fd184ad5e22b6432ee171e6f309165f03e1e4344c47786

Download Submit
C:\Users\Admin\AppData\Local\Temp\JgkUUkacFyOD.bat
Filesize
199B

MD5
832e66db47e4271708d9fe83bc0370af

SHA1
ad8b25bc8301f60b656adceb32ededc5d1a444b6

SHA256
c9e1f59d1e35028ff752fea2c1d80384627e537af08811e470bb9082aad0009c

SHA512
ceb032c641dd582267c589854238a991b4959c0242f9e6c1d2390428400f3f678ada304a15d45f12c93a0c32d3ea9c671ca20b9aeff583b37cc6e1f808ba562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KWZdMpV7hP4z.bat
Filesize
199B

MD5
d31ef23b97076504ba4af151d50efcbf

SHA1
02980a0e975f826176f6184f097064dcbb7e479b

SHA256
7334e43ba64cefa063e138752062ad51c7d29d4092f54105a01070e505d4a368

SHA512
35f0e0d924d70111da21454aa456fe981a6786d82f4f7acc0b110cd790b29f47346e9ee233afe41251b18ae59a1eac946d80d87ef49df184477862723a10bdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kl4Ca7bgrea4.bat
Filesize
199B

MD5
a979a9e98f83671c6f7b547105e87c0b

SHA1
cdb5de4e13e360b8980e6ffa6cd88ec06a030b8b

SHA256
78ed004144fe4dfbf12e39103885b3ea1bf679d37d9535ee5a877f712fa73420

SHA512
3194345a041b6c5ea891e2dbf8ec572d89a8a0a89447c4db6e2b015288e96fe3f28278de787fb5c9b4e39e80feb54252c466ca5c366866beb495eef1197c1e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KyvQ4OX44182.bat
Filesize
199B

MD5
516d993587dae4abbecf163ac58ad1d5

SHA1
3522eef0fced3d3fce268b76b099689c99d3bb40

SHA256
6f845375a1aec072534a6aac6bc0e64beaf544be66f86bafcf5c70aeec6fb504

SHA512
d3a1bccfd1dbcf37da4cbce601ec3d6c7fea1947c9af46a9446c184a8b619bb4b7164d1fc0f319497c166fcd1e4e128a08ef47b1f939c990f5917cf1e898aad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LAyxA36bF60A.bat
Filesize
199B

MD5
8ccb74cb40c8777beeb24eadf1a4a49b

SHA1
69094c9a937539204aca2a320c57a401fc5d1531

SHA256
307ef82a9b78bf363efc24fe45eae64bf9541e4b3966b730df8f681b177c2717

SHA512
bb393029e17322e2f364bda4eb2e9098ae723ae357893d8b5947d27ec635e4f28cbd29bf9d05b4bc8145a844d3b1b59f03b691836e0e4dfc9b038e56570aef37

Download Submit
C:\Users\Admin\AppData\Local\Temp\LKWRiNCQAq4Y.bat
Filesize
199B

MD5
0b726035dc8a95df54e11d38fbc222fa

SHA1
b71533f0592bbc512c62118797ae84b5d32a87bd

SHA256
19df51bd581a6274a07cad3bd2485a449d3f0a24d8289d161f56fb2e396a925d

SHA512
f242f6c3527321cd911d38c9c51535deebae96e03a8252ece8a15ff1e5be36cf1ee23d499b5becb5b048264f52eac723ee211d11cf96456ac3bc8750a290f0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MHz6Xuy6l7Pn.bat
Filesize
199B

MD5
e43c5032c88e797a8bd3f764b36398a4

SHA1
128ca93d78e9dc3ac2441f5c33e9767b9fa8944b

SHA256
de59894b2e3fa8d96f6db304fdc1ce1c6eb9d283dbbd4bf115c56cae58820909

SHA512
da351a583dc75c5b40eac4b99b098f97ab4966bed9a4b8155395be2fd822d54a8436d37bb5f539270772756b696e89f0a95d0afa343a9d661d2a4f0a12d11456

Download Submit
C:\Users\Admin\AppData\Local\Temp\McITpRt0OaOq.bat
Filesize
199B

MD5
f46cca0c89f8578f03e9e7c541ecdbd1

SHA1
3bf82ca8734562e29a6d87855cb70df20e13c2c9

SHA256
c51a8722e7769901124940d1d64384b55ff9aeed3f35791deb150694e7367d8d

SHA512
8c32f82c92241fa8ff49096e932699c1dc277181df93dfa8a0c91a91617a0db3727125444608e9720eca39cabe8be9644ad98a84ca2f3642b7a48963e4e23e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\NPNcEMLGIDOV.bat
Filesize
199B

MD5
2ff0475d6a77515292e4fd324c0ac16e

SHA1
b998784bbdfd2e1ef9f85dadab05a013fc4f02a0

SHA256
5c6928d8149ed45153713f99ad149f0e213b777853041fca00c57c34b3ea2c98

SHA512
534137f5c77a17e19fd9f860176f8614b2e81d6c5519015f567c228a3376a8f6b8402fafa59efd5d6096dbe0d3c71f504fd6ac357d2e0e29e0baa2524fb4d423

Download Submit
C:\Users\Admin\AppData\Local\Temp\NcPz9GhwmM4t.bat
Filesize
199B

MD5
7b248ee050a499026cd66f239823c5e1

SHA1
a3648e93849a36a6f7e5e0b14bc8b29be211875e

SHA256
dc9c6491654e248dbe719ea5f3ad184b6756b2761f11f3a94effd725013d5625

SHA512
173d3c418418acbe7b3981e80fc7521b1d8dbde03da3728d9cb5003fd16a460f7f70783d77e99aae4ce97a1ccd825d7e8492c676ca76bf89a57be86d516fd9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\NrgzEmf3vT8D.bat
Filesize
199B

MD5
d8dcf5d01c4c5d85e09e844f35a5a7b2

SHA1
63422d09aac2a8f1d3a2773eeecb3c12f540be03

SHA256
8af9a954566485dfd84584efd5c0422e4b29d788c86d36541c6d6ec2ec546a3b

SHA512
c1b6fe736aed32bc71d801c3b10b09c0d9390cf9af0be3d6614b42da913170468f5e9da0f3de14d0ab192a0ad7988a78275a281d15f4855ed0ca59d5859b454d

Download Submit
C:\Users\Admin\AppData\Local\Temp\O0nHL2rN8lsh.bat
Filesize
199B

MD5
10866d332cb6bb60d64e4c5395cabe28

SHA1
2e6a4ebe65a72fbc83ed4673b6d27a56227a69b3

SHA256
bb13df7b0cbf74cf90782e2ca362ffb2c78791a50cd4e65cd5f66b323fea7fb3

SHA512
fba37ffcf6b97da574fbf28b27b8f72a277dcfe853bd8aa3a7c76a8094d4b7a851e3c8f92f444c83daf36ff38bbaea4acf46868023bf790debac06cd76815802

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEYdhoaeOXf8.bat
Filesize
199B

MD5
87c0ca2ec5f590e7bd46d2409e544487

SHA1
55136f43f37ee4c1d9e1926375356479454099cb

SHA256
38f12e41027cb5d39166ca7dc4cfff6fe71da628e7c5e6eb9750df569e68c719

SHA512
87c671c6c4a926a4064be19fbb08528e8ec68ec12e23937b573145fb44c9a29b74211aaa6f1b043543defbe544be67145d0945e6eadb419975132e9bf0ad63d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PI9wIfsMuIfN.bat
Filesize
199B

MD5
8a82b089996d60771a1d7de0096f2a40

SHA1
0943ebbd99fd689cab0a92f824b82299c638ebda

SHA256
48b66c5531be478abd429b0d5190280eb3c566e49c838c9fcdd4a9f17d2dbadf

SHA512
3bf5f09efbb7b533211cfee070eed8dd78dd1fd1c428f9beb9f41dd08ad5a72ea3fba7362af6023a9389f665ca631b77bcdc62fd37823e44f2c416ab686aa29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PR8SFirmmaqg.bat
Filesize
199B

MD5
a2e85fdc6b8843a0866c595c8f17b645

SHA1
f72713e22f3619c6d8f8662dbdcf76291a372959

SHA256
31e7968999b152ce11bcf6ed68f1cb1cd247ddd2d142cf80cae034cf7c9ead7b

SHA512
1c2053893c23a735ea962802292c64774e1c9309dc2699d91b83132d75a64287648bd4a2a0b1265c560e3e33e3498b3f6af2c5d9eab6bd771f97591a0310b921

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pa3cGyHHqPcc.bat
Filesize
199B

MD5
5d4afb00ebef76c04403eaff97462689

SHA1
02309d1b2b219c846321ce4857801179232b9d15

SHA256
07068a04190a1f9c4f2ff4b022d956c9a5ba0f9ca1da4edc873bea7573ff595d

SHA512
1c208ea44be4cf6b22d8d9a941d81046e652d29f525c6e58b264a91c46dc8fbd9bd9e99c5257b9403202c90ce22c7174966a265b2e8efe133f5a5417638e79b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q1dNfiNfddH1.bat
Filesize
199B

MD5
6d7b31fe9896fd63a4c07f2503cc4bfc

SHA1
f1770aa259a1d801bdcc483fad564414f7ab050c

SHA256
1149b36cd55db3962b4d56b76ca875612407b043d9689d04ddd2a26006075241

SHA512
7ff89bc2cc20dcedd565a0fc287b08634664859d3159bd72913c5225a3bafcc3fdd51c9694b33d04ffb4f42ab356a27119d9529879f6e4f4f3b3c8cce300ec23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q4zocqnFLh9a.bat
Filesize
199B

MD5
16b6cf614dd2649946efa9122d14852c

SHA1
0b2b8c020a11087cda330944692688d44e41c120

SHA256
3e6b42a268a6a1b2f9a1b5b97f867384001dfdd1d5a58c6246abcfe7bdb3244e

SHA512
f81b7eaf6eabdab3e2deffb2f691037cb0efc96ef43740ce8f605564902e10b8c443cd2f3d3e769ced3941dcf836f81a900c33010bd0a0981dad88240e6562f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHvOYB3hvqDa.bat
Filesize
199B

MD5
5d59edef65088307d33c731810811c2c

SHA1
5ae1e39ccaa2941c5a93b3f35b2a6dd90ed177b0

SHA256
a62b9d9efdd96f1fbd5e0736c762301f236f8075c1c2267dd530a833ba2956fa

SHA512
b19a151a68d0d95775b13730cbe53a7d8b783a8a30de0f4700ec3569d0bc28ada77811dc1b496a03947172ff36cf02f3c4edb1fe5711815119a2a7f1ae2ef8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIjYzwQ42Z9F.bat
Filesize
199B

MD5
6c11b2bc98ec293908e8fc40401b37f2

SHA1
62b83d4649c307e10fec465d102386dc8ce7d58a

SHA256
41e59c9b8edcccb30a008ec8068d7ba47c1ad704c55b56999efe920cbb4c1c1b

SHA512
0aedfafb7edeea7226e677d86fc32528d9ea3feccace4db9244c4dc2a00a5a5f573a3800e242e163e9509b8332d95e38a4a988d3b1296a0535993d3d55612b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgRYu8XkixsI.bat
Filesize
199B

MD5
87622ebf51bc441db6702ac322ab2e97

SHA1
01fdbba6ecea727e7fae9f9dc3a25a5416229d5c

SHA256
c5ec8c5bb451a303e224ca2d8e62d94d4e9a5b163a035e25b400ead6aea35432

SHA512
551d3201e6ba84fc0ebbed65b0a0251293b7f3ddc49107865e02d7ec1f098383ffbcba01e5ccc3f5beef77fd4a250e0e58ccc19f8a169cd7c19e92413054f562

Download Submit
C:\Users\Admin\AppData\Local\Temp\QxiX5IS7ntvV.bat
Filesize
199B

MD5
e8b59a4f9c6e5d348f9fdcfbbbaca364

SHA1
7934a9ea38b678735fe7d6d3e52c102326538d5f

SHA256
cdb276b3723bf49af756c3193c0042ea6d55da7b2320cf99273f119f0026a35d

SHA512
b6f4d751309a290cbdd8b9e8e3276bdddec88f287f66414f67dbcc5edcd132582b5dfd3677438d14fd222b79f7816f57aa153981647facd477d6d1304974b738

Download Submit
C:\Users\Admin\AppData\Local\Temp\RpkR7A2ov1Kw.bat
Filesize
199B

MD5
c5aacc68994cba805eb75f9cea040d82

SHA1
464f75340469380e224a094b029addde138f262a

SHA256
a98c43b68e84a4ce105f2c3f60cbb5e644740135ada4748edbbc3d84a1fb0ee7

SHA512
b25eee282d579db525d496e77d83f620bb30d7849e62c57a80acb3b8404a9fc7702db30c547e6f05611467e3a63d8c4e69eb584e9532eeb95419a30720fdf672

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYWsIhTBCDh7.bat
Filesize
199B

MD5
307d067fd5bd80e526b3ec169f1d4454

SHA1
7a26a4637f3da157931942cad45e9e44eeb38456

SHA256
2d6c6c022be1c693471c82032b6cee5b8cfbf496fc73be9398cb4191bbd06c18

SHA512
0138d958e16d5f34f13e79528f52a91c9c939e2e81d63aa7e4652ee1d55fc6ce7dd85f560c97e7add8ff249a6e225f0b86df0fee08ea30aeeb5d29b96b4f3e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmOTIb3kldzL.bat
Filesize
199B

MD5
a0973b951f9c6e279df08960d356f71d

SHA1
68aa2e4de10689b16d9c16b961a6dccf1835bf61

SHA256
c4a74f4f9c945d1dca9d533f76bd74bd6b9bac953abd94445511b7e7a2c48198

SHA512
f7807c502b795669e41665582733a59ebf8942839a48eae254b18e4fc64cffc6135109adacf0bf9e8f52f2757d807e52d5ff2e7837a7b0ef98a91ea0bcf80081

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmteVaG1FIRz.bat
Filesize
199B

MD5
a420bdfb9107b2eaeeeac5269651d580

SHA1
d46290c1b7eb134da17a00714941c4737e07fac8

SHA256
265a9514e1f7c4bd5ca8ff55554da35a196b39e8b61d101d7b7f0c6554d98de0

SHA512
c3a0e5708adec9a88eaefed154246b03e1fdba268be99686300d89d8ed0b2bd276b5137eaa62a51c8ca04f3dc84742b7f5bc2ea218fab7eb69b2342eafce0b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\VLN1xVbDBPDG.bat
Filesize
199B

MD5
f254f8e6d09f5a7a8e97216fde6d3a16

SHA1
f92c59cf934a7987338bd19bbfdde6e382968385

SHA256
2b9b4b6a143b0981995941bbdf79e3fdbe6048c48ff027042dd57051261d10b6

SHA512
62e7840650aa9abb6fcc25f834daae71b5e42c3510c25387bb1a3e1133ae024fc3b9678d172c9181678e218ebb34be536b59618ea203c43085c5ac8a938c71ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSaK6BsdO5HS.bat
Filesize
199B

MD5
2076c6666442c22ceb45b76e8496904d

SHA1
8663a7182567080ba43519ac6e1052a34e49f962

SHA256
617528893b875c75101282cb3b6eb5f6001fbe1f28af7373e2512f0f81f15030

SHA512
693783e6e05ec8e5335105df2e1e274cab0657034922d709b88183e70b924cc02689c6c69e1a4ec5e8b4a916276a3bc2a5b0fd454086bf1ade36da969b1a9cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXfWyKpNUqdp.bat
Filesize
199B

MD5
d3aa1a0d1044255e1edf75a5c321a58e

SHA1
7206c2a80305af49a9560368f7f6854f7c9797de

SHA256
b98a0006f86ac64ae8a93c74452cd6865790b06decb6d7e77ee8435cbe5dfd97

SHA512
cc69d6bc8c919f2c4d802a3fc4832c8196520e905f439d08c9319ff29bd9684fed8087112ffd4f808b7baa73b6bdfe883d983b2f1e247088ffad6c871ded8231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wi0LX0lYvr1G.bat
Filesize
199B

MD5
122a71693645e00a51bb333159a7778d

SHA1
e9c9cd85b682689e751c0c1f5f8c7f98e519ab9d

SHA256
431c01c66f531cad0af0ad9d83f9caf2ebb84341612235c60cb7bd165492e4f4

SHA512
6f399aa8ba73b9b920183a0d1f1cdc6fbae077429ba6e983a0a361ca95b20bafe087fc521c6008c29d5e7109bc33f0e6d785564fbc9fe29c67d5c5c80a6a2b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmsjofwZJhFH.bat
Filesize
199B

MD5
c6561e33a19034ef13d1033f2376409b

SHA1
562f000c4a53a3c322f46cb6c02b6ad71dbc1baa

SHA256
ecdff210dba8947b1ae02aeb8214161a65ec634b03ebb06b7252abd24a82946e

SHA512
6d4d837638b8d515febbaedb29a1ccd446c5ba303190d18086d2ce626b91d4f0c7bb5d599e14ec62d3a4c44503586757be053e16fc6575e85605b1e6a10136de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wr7mpSMFkuFa.bat
Filesize
199B

MD5
7a37220ee11c4353db0b111e39e01012

SHA1
6a14abbb67bce444203238ba4f360124e01202f7

SHA256
a9b22494eed36a035c7b4745f3b7b9bc19f3b1f667ba852df0e04cb305b04d30

SHA512
c6c2e0ab314adfac5109dd20ac904a76caa0f49ba5b5f8218b6993acb8186816fda02eae3e9a4dce385dd18c9b70fac1b2e65fa7a5c60585c37b86dafa1f534e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YGdpnK5FHtKI.bat
Filesize
199B

MD5
ea39c67049b2a217af73cc7bd125b873

SHA1
5fa83acc9973b857511bb408e2c8ed87fa14a907

SHA256
9f89c73922ecb6ce163b601ccdf91ff952178de30ca493ff3918730e3c031850

SHA512
809d69877156f5d675b644d086b92e9c3dc775559a484368fd57134dcc2224f895236bbfa83897fdb3978351113c4018dc5d688ef1a51e1cfb3d1f34fe37f8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YZh9nAN7xbYE.bat
Filesize
199B

MD5
c04264ad0beeea53781fa9d405bdda19

SHA1
e7a22dfa228083d39a8add1d7d573353cc37322b

SHA256
2ea57559d66e42f69990505a6b0e14a1fddbdc2b54ba185ffc2d6aaba66b5e2e

SHA512
615e72aa532876517dbefdf0a887023eed33c58c25ba30eac7a43cca53773e96839fd6303d3325780fa3078bb9674a2fb4e5b6a145b2ddd186abfb77f9ab7951

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZPFz8AM6rFkd.bat
Filesize
199B

MD5
125b394002f561620319ca41526f678d

SHA1
a3e45750c0bc1aef3e5168b4311b486a36ce3679

SHA256
2bd2871e79558a841fd59c95704e3c59a049bf5b2afe099b30ad9584e386e8c7

SHA512
373b6b4a04b6acb1644546522a21c2903ca6aef0e6a5c3b8ff3154aa313c7b923ecf75d116fc320d98852cc9e64482ccf69f3c678353326f59c98c5d613e78cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfNa7oQkuiZg.bat
Filesize
199B

MD5
0c0b8200c0b22562b4aacd3d259fb832

SHA1
1df5b3f51ce2e90eac65b35b7d490e4ed187ab7e

SHA256
3c9dcaf9d4dea21651ef1294699de2c43aac844d21397593406d4bdc288ddc2e

SHA512
3dc5af8a3afdc6b59ace68c09cebb9598f55298a4c037a9ef414c9f29e5926c591fe89cb189f2c6bddc86a4d68cdbcf261c8cb79b9bfec648f2dab8fb55e6f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\czPRdpVmyLK8.bat
Filesize
199B

MD5
e6606f72920b2f9dac7d6c8a839d827c

SHA1
005f583e775afb5424c8fe8f123d5b77d62192ad

SHA256
018e44964190dabc9abe35309c33ea8f5102e73553d8d61e34e5b35413018508

SHA512
40e398d8af45582ddbc8de9daa754bc58d38c83ccfe4d3ad6e45ccee0cb810964520a2a517cdbd725933058c5e82bd94e0afd6cb5e74276b91daa666d06b8848

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8EoKm9bj911.bat
Filesize
199B

MD5
c4fc53b453a7eb750ec98410b2b3ed4f

SHA1
823a1e62e87e385d8f14ae55e9767fa4d051f9b2

SHA256
672517097691f5bbbca306359f14447218d54c60c9e70e1d3c3835395ba3290e

SHA512
3a8d2e7661b73a234b7b9b79be2f7106fd21d3d834447c973c7c4bcfcd0988c43fe94c3517e05c91f4cc87311330e9f580e58dcf42fe5ce6e931f333818ccda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dnKMEh4SZn4u.bat
Filesize
199B

MD5
e15c23e5fea223d0191bea91068849bd

SHA1
7d5388887f86ce4163e0edde061686c87ea3bc31

SHA256
7cfa101950577e4f341a74c2b6aea56c5f75116d30c96dcfd677d7094f161491

SHA512
2038954abd24ff70a6db9ab807d5ae15423712487e1e92c56cded7519b01fcf85fb3b2f7eecf5e81b35dba14d806d4eddc599131e55fe5de55faed45fdcc35fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwgUi0AChpoq.bat
Filesize
199B

MD5
807d67092171d94d8d90e61e35128ce1

SHA1
707246fdfedbfd3e1ab8ea03cbb0960b9d84a7fc

SHA256
cb2984457e808e301fcc320db632ff38d919858f0fba64bf57295286ce1efbb7

SHA512
6980d81bdf9a6e4694d026f1eae221e9adf8a4a3e8fc785787c4457777c429d8ac8a70ecca67f65e111cd1edde18af233809aa810b3e85b232654cf62bab256e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXmnDnhkHld7.bat
Filesize
199B

MD5
2013d370246ea62c6f02372be02708af

SHA1
a8f84af7f01a97fadd309c5b5a3fa1450a649e19

SHA256
92ccab61240ec71ae0c6c4c387a813b1eb7d47d8cc075103498721706b078759

SHA512
0af1ba6a1fdb4992e2bc414eaaf5752390efc41f6a720cd0fbe6de99e29ea4214a66001e2d029a2796ee1db7f722885600ca6435c9f3100e49158e5c05af0670

Download Submit
C:\Users\Admin\AppData\Local\Temp\eg6Wl1mdBvvu.bat
Filesize
199B

MD5
0bfaa0d9a4fccd357bae663bd1dd2bc0

SHA1
2a21b553f69a3e461bb2ad281dead6cfea49e468

SHA256
37b8b32cef8d1dee52105e4bb932244e2b5bb11056f34bfe921ddb435ca767fa

SHA512
63f9245819baee35358bc5d5cfa99d41b633ce2f8487f90551beddf54de6ff897c6873857b928dbb900349fc790dd1fdb0d27d5e2a2523084e9f9e2e080ccd1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\exCh1nbx8cU5.bat
Filesize
199B

MD5
f2d26927bb122799d9c5ea02de148a81

SHA1
e678e4ad613312aa23188970f4b2d88c93c80d3b

SHA256
98482939d46218681a2652615ff9586e8b2c05577a82703fff0791e8925b135e

SHA512
4bd37edd73f54b7cb71730f0934831ee6d6bf305d45f223bd54d958232b95171b5a8947b020dc6448249cabe66b8c4f4088f97c877e5df76e34d599440f95eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4kubUmMgLs0.bat
Filesize
199B

MD5
08505067b2b55bfca6d622b09fbcb055

SHA1
d48dec0b54e86387b311afed72c744b8b53d6e3c

SHA256
ad8a1618bcce4b662841d6c520593fbeb5d5d449e4d690e2aa519dd6ab6c38b1

SHA512
c1fb60796eadcc37f1de2b576064d04b7fc52235dc79e4869bb432e3862892b62429a807c1ded9ff25b870a6fb5d0ac408845d6c7e2036c115e3dd61bdab2a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\feGSUUNpl4vL.bat
Filesize
199B

MD5
bf06de53938652fcc73f183682e7941e

SHA1
0ba5bfe89563e1099731dafa3e0fc79faf2f204c

SHA256
b31de2d67120718f8f976ab86475a5d51b9a7c503aacfeb6b93b302f9776e963

SHA512
1e69d0ce4bc73f73dec9e1e2faad06c81e8cbcfdd1500cd29caabf2d52b068caa1421e96d5ffd18dc12016518360ee0d4244b667d97b0ce48147070d9b7e628d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjqFj0HmoEim.bat
Filesize
199B

MD5
fdafdbc615808f5d7b929ac6e59aad41

SHA1
c5626d72b9cc67f19ebfc680b93cb0adaf67d4c2

SHA256
867d54533fa1e4a6933f554bfd46dba055cecd9c0210ebdc97f243a798909a57

SHA512
fb38a114e611c77ad1c8479fd0b2344a758beccb7734334d3cb1ec8b465dfdd54763a9b11562841fb774b06ffd84f6ce5e18e4a1623ca9ba548348ded145bf6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gj09BPDQZsEB.bat
Filesize
199B

MD5
8d1e11cd2fa9372a6c4655a3d745da05

SHA1
87e1cc799152e8b6b1bec993a8e44f8a8d0863e0

SHA256
b8e5558df440b124d2de46766f6c5b81d6dfe4da6a2525e2c087e2a9704acd28

SHA512
38bb04171bfc7a2872819ceb24d1e2705d0b6ce319bc21fa6b49c0e9b6066c9aef2297cb2b870c4f2996bdb4baf091cae962cf71ff393f80be07927390396389

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmJtRpRcb1jb.bat
Filesize
199B

MD5
2b44bdbb2105e26277fa50f5735b7492

SHA1
323f1d645d1b65f851738a18ab5f8a4aeedf2eb5

SHA256
fe00316cbed6aa1386a5167899ea5a82da4e2e96aa8d47eb90efaa1b9872cb16

SHA512
89c61ad8e398a51c71e2da8b58670a380380a5f28d942a36df16d06aef368f2a596abd25a8bf9428dc73e72b6519b8cd8c4e53b17b1f3ffdf6c68e6bcef8d5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvBEAuREwxmS.bat
Filesize
199B

MD5
7dc11ac388031280e5e4fa2b21214573

SHA1
ef5e97f538a492d8e3ba93c47db08abe1116a9d8

SHA256
a7252f8989ad0669377a74ba5c0de41f8861318489af4d326d6a53dd57865b00

SHA512
a4cb4a39119ec3bd3ffd3bfcdf9c0899fd53a22eeae22a5f26dce4b0dec3dd246ee928685dc8fa4a6c604f7704ec367e4c0500aa471c74fc5398dbede295ade8

Download Submit
C:\Users\Admin\AppData\Local\Temp\hv58tvBzLycd.bat
Filesize
199B

MD5
dbb9231e97e2032a149ef1802b141319

SHA1
44e4f0bf06943bebfc9c5b0f667efb4c3015a11f

SHA256
98e0b6f853eee81806bf7b0cd1c46099172ce5f31c4eda1f18a31e71342a78ed

SHA512
a2722d1495f1efa067eca9f41cd145b218e7043ea745995daca65329c87e3e02a4719381e9ab574492dc1c6812540d339f367a7734bc2857c402abdeeabb6a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg83utsisLlW.bat
Filesize
199B

MD5
c45724c65601631500c49a2f7069afee

SHA1
584c7f01f64280c10c15683bf60914abc2fb954e

SHA256
a34602b519212c07eb88a640a6d58ffa2f7a838ca42100c8c9b35848d112c1b2

SHA512
ce5c73314817d058585e0a68dfc6abe236e983a53a53c2e486513896171bc08f40067eaa8dc639137b474f4e6a0e17ec3c596badf70529de5222119f5db653ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2uDCZevVKC5.bat
Filesize
199B

MD5
2946c60ae717d8f37ccf06e86dee6f0b

SHA1
405832cf23ec59196d27e8a1bdc767e56ec83379

SHA256
ab4c8771f7fd5a2b2b326288b34109defd218b97f71b93a155be047b2bf6860d

SHA512
e1706163e21bb97c9a0319933690edaab48f0c96d6ea6d706453f56614da50a43493aec83bc9690c84277a5b5d77dd53516dc0c61933cf2eafd32016363f2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYuk9GU2cxCZ.bat
Filesize
199B

MD5
d27961ca0d6c2cb4c33bd1dfad9d4359

SHA1
68d6db0851ab5f21383b7a5a85acc7c13f486261

SHA256
cac3e1885b04667516856d502e3e04b7feaea68ad9b3081a493bea907399ab61

SHA512
13b3db1767c401f4d41ee61b7d09a4b01b1aefc0296d550188640c4ab08e149fac1f27c5c94f7f92ed69f7777ef6271210031164f0324cf986d06f51f227e7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mFqg6DYNq88m.bat
Filesize
199B

MD5
e6d3824aab20912acc2ab2ece675c4ed

SHA1
99a932b9a14c5ef775267cde59440b42b820541a

SHA256
23d681069d4be7e9aec876917881415fb9977a558ae3c3c0aa8278df194ac8e0

SHA512
556033aca15e42a80ed3c39b76040ed1725a01b4dab9923953eb86dcadcdaca28be1d4f35da85c09bf461a6082d70724dbe4426d60ad7e92499aff0a974bda66

Download Submit
C:\Users\Admin\AppData\Local\Temp\mk7S78LKNuuc.bat
Filesize
199B

MD5
18c8c3d6f55e1b121a35f664fbe3fa81

SHA1
15a118b817e4dd2232bb5b4b7b83ca28d8d4e353

SHA256
40ce060f94834dce89f616cdd8401fad2e4778f78b9713d69495d8fede511f11

SHA512
0f718f2fe65e2a7b8f324f6174e54b289e0a3ed5fcf3d5155f7c13fd8e567890a87802aa6b2b79d273347084ec78bcffeb5686d83594da0e25ee4e2f69394fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nF7cMDcwOZnu.bat
Filesize
199B

MD5
c2ce0ba000e98a772ed7a0e243b660e6

SHA1
0cee80e5b956f2efc92a933ff15476b35c2bbe7d

SHA256
a1b8b475df1b8e8711e3b4eb96700cbc129d192c1f4826e26b6aa775f5c68177

SHA512
0c7d63bd543ffa7056ba12d885c4dc30e0b28dc7de43e90230c151054c2d1aa47a42e3f2e0a24cf27cbfa9c052ed62afc2abf1e82b05ebeaca2f970499355081

Download Submit
C:\Users\Admin\AppData\Local\Temp\nQEmsIWfenom.bat
Filesize
199B

MD5
425906022ac54b71186965c327641649

SHA1
a007e28b183f7b17f907465a9a9b891cf1b1abe3

SHA256
821624704bad07d9262516c67fb7bd45ccffcdbeb9f7c1b45f72cd6cecfac959

SHA512
44d7326794edb80e06a874f62599ce3184f0857534c16a8cd73464346c94efb989463fa4716da973c7e5319571cc4b8359bcc8d092d3876ab94a19dea0c12211

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3ssle8pWLKP.bat
Filesize
199B

MD5
6cbf7810732a594e6e81173bdf0218a0

SHA1
b83abdd3b89ee32ad0b28f2d908935c2797062f7

SHA256
31413fdfee9d2abfe3899b1ab5428d479cc319c9efd3d0e5117df3739c780ebf

SHA512
7398d853cd78a923f8f70a1d2d09bedfefea1fed27b9e45c6c893f89bbbb3f0ad2d56728df48cf742de3d91670a8bb4790e3bee970b21de1eb68914bf5dbc126

Download Submit
C:\Users\Admin\AppData\Local\Temp\qLIuMqAfmeDC.bat
Filesize
199B

MD5
280088b3a7057866c91d0969c046704d

SHA1
501a89d7e04b2e07d99963aa9c23cf83e5266c7a

SHA256
0ccaf98e981c505f2cf1c12cf50dab15c50cb593d807b6703540d7b79e4a2b94

SHA512
edf6ab89d1e52e26e3fb14b0add04916c438099c47e9d61781e1750f82110235be195585a7e76f8cbc39ed52d1f0941104cc48ec3e8824518b2cd2678a6912ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\qe3P26sZImqU.bat
Filesize
199B

MD5
f289a5222e86dd19f3c61c1ed7fa0eb9

SHA1
8e9f271f7f20480fc97b88a0cc9b86ba5144dd7e

SHA256
bca389d8478e34ad15aa7885159cb956a4f92605793b11224af0b8b8497c9b50

SHA512
9f181fb516d1aa47c8c8f2ea3a4ceb115befcc10c6c2e1d1efb5fceb62cbcece29cdca269c50744601482dce5c52980955850bb278d86f4af50363105c47b140

Download Submit
C:\Users\Admin\AppData\Local\Temp\qz7PLUacFAdO.bat
Filesize
199B

MD5
d583347e87b4af477655181b1c655ae0

SHA1
55d35351a35e4f8bd943abf92bd89e4974184d48

SHA256
912745c5be35f78ff454b50de94e8c27cb90c5137be24e5db972edbf9a8744f5

SHA512
07a6a605d39ac912af677a8c35b7fd67963f26a4f3511f3ab1a1c9d9d07c00859a481db500211fc1c162640105ef019ba3f14be6b0e270a5f0fbe408c6dcbb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\r8CsJGu6RYjU.bat
Filesize
199B

MD5
1f84faea3df1c89933916fc67085791f

SHA1
986a958508605d24c090fc43f2eeab71d9235c3e

SHA256
1c75c097ac7a85eda94aa1506402440fcbf8d5d61d7e793478794b80266fa565

SHA512
a97f389c75579ea46f1a4d8907b194cbdad152abaf6c8f66824487a804c60e1ca1375eb0e110e90aff05d2391c5ff3ffd300e3665a6094e57774df4a5aa8698c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rDCUao8J4Nhw.bat
Filesize
199B

MD5
f8f55712b108821a873b0965260815fb

SHA1
57725ee398105b35cffe7328963d71881d1cb361

SHA256
98cd849401394bb5a56a03b7b4bc9a8ae05fb0ad8c08fcba48ecbc40c2e32505

SHA512
65d66fa61f4ab548986e339ab44719839c643c6f45741023f849beb9bf0df47092dd1951443f95f6200a2817bb9fa2467e7f7b716190467dd170dd820aabf64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgIP8R08p00A.bat
Filesize
199B

MD5
9ae23aa9a7f9afc49ba9256ddc63a068

SHA1
7c2e1b2d1b342ea820dca039fb592018df41495b

SHA256
9b09c6b88f72afbbabad1203e609cd6dbbaded2c6ec9ddfd883223b100a67c30

SHA512
98f067b06143f2d4b123717ea89ecf276091fb60d317ce68c74e6a3b30affa04643803ac06af9646e88f8227c0412e840dbcc2b22da53e3dce37b7b8be73cc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\suTh7XtuAnvk.bat
Filesize
199B

MD5
95bf0091f62babe8bfafa4d82f6ee3c7

SHA1
eb61f4cfd3dd35b4b731af25490e0550673b9047

SHA256
f94956d56c3abb86513d98165cebfaa07b379d1e3d2c69d0c93a01b437e5811d

SHA512
1eb7b4f13356152d298cb4982dfdd31218f102e7d7bace9807329d5f17a41a87cc357df07ad2e3919ed9c380bcc9156ed28de6e3baadba98ee6c0e980b204e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\uDbmeyngwxLU.bat
Filesize
199B

MD5
d9160788ebcb5977cc58b46340df9efe

SHA1
bb9b22e0047c9d99f58ecec1f677c8d898322303

SHA256
9d7ee58ce40ca93d9c8c9e5b0306aa112a96a3e9086dbe6a57f52d86d5161233

SHA512
f76ea3b8ee998dd0e8184a9effdb18e58873cf37abce70b2f39997a3802214afe3341528697b4b285987a44448a43c307877203aceb6c8e1f9c5d0d203274c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uWnXaMnQRdkW.bat
Filesize
199B

MD5
fa7557055c7cc27db84eab6ba6c79413

SHA1
dd4bdee02ba656b578982cff319f156cfea588cc

SHA256
126d5dcb3313275b2eb478d15e676778167dc59b058ca1283b1f40aa34bea3fc

SHA512
b4473a20cada800398f7a36b768c3527ceae53572cc1a420c8e32fc7eff2c1c942e47abe9b16a9b978324f09f3761f0236eedaf7007566e99824a7fb33fa7fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ug1nigOUrpRu.bat
Filesize
199B

MD5
114a268a7d496dc8baa760e66222ce16

SHA1
edb99a09b0d52d4ae00481fe563a93537da36976

SHA256
ae1ebe97f181aa8138cb9d20f2bf7c9c39caba2f7945f9007791bb19c77f4c39

SHA512
8f47b92a90b1e7d1c08f2cd9a79b2ba8781f5444f935097263028ccee6ad461479ce73206fb56b8fdc884bc2671b6d77ce276234c7e91ab3edc2ec056e358b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\vSKzuMNtlea0.bat
Filesize
199B

MD5
89664aeb796a735f8ab0c2a82be64296

SHA1
2448e9d3715138dd39683c1bfc4ebef488a792bc

SHA256
80ec45d29f94bc7605a09474bb8bfc3d2ad29a8de446e352034c15cf22498234

SHA512
67e63ec19d83b23f087c0db58442dc6b8d89598104280762882609b5b9a07aec55e5f924cd6d66885b7030abd88e134ca0a60283c506fc946184eaaae0b66917

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd4FUKrPJxew.bat
Filesize
199B

MD5
4ba18605dde8a522f625e5c22e403d83

SHA1
d22129e3977b78b4d62e99c5db69757d6e1659d2

SHA256
9005caccaf69a9d99cf0f4fa25f0a1c8bdd8389fa5e4e39c6f9e59542bcd7ff8

SHA512
d4f2baef2a16da1b6d9919ee048d077db749b2f76f84135c8b6be5c5f05af3c8376e7c775198f32dd9c76fb1c5f65b6e363e47cd1b6d679e54ba2c1017ea5f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\x6N6sGf86s9W.bat
Filesize
199B

MD5
9acaca92257103781885a00bc52975c5

SHA1
3595986a53cc580b71af4e53c7cd6e28b389c25b

SHA256
d68117aed70a32bc0bd9e79824c6f1e9185f8558c641b8a4449155ee0f606c99

SHA512
502097e465c990eb63a98b58c71fab1324a673ef11ca90389cd6f372fbc8d397403e1791860cef233788bec3c7500087a25366b0a4b0e8c474ab9d0c41d84e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\x6g5YWHPYIIi.bat
Filesize
199B

MD5
ba5c2a83fe8300971655131998ad5ae0

SHA1
7d4a6a293888aa63cb898ea0ee8382f5bd2fe434

SHA256
191d17160bc43ed04016c9ddffeff4b564535f164539794bbf17427ad034b1b9

SHA512
28e8ba7d28becf149ca44cd59254968c70a5758062c9db3d94508608ec13c700d257bda5afb04adace332738ae97a1f7435469fd29f650d737d2deaa4ba9d60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhI9dpLDNewe.bat
Filesize
199B

MD5
a9c64f3f003f0770a9f707cf185c7513

SHA1
5686fa6fdc4362096e399aa199f8266003ece075

SHA256
a04fc37bde68ed70cae0cb7b914244d1be6e7041097f522c43489cb94fbc346f

SHA512
6e641454c0504f44c3e283aef4f43c2dcee28da570c9b2a54eeba35521db00b8d0939d7bf4cd636086a4d0dd7f312d101e231d4ac1540b15f88dad945fbc3fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvwYHpHnJAmM.bat
Filesize
199B

MD5
1e247021fe23f8667a3d2da1ee466031

SHA1
c26f8fd324c12874948d54f01ea140e522b9a94f

SHA256
245deaa6d02a7d3b3cf0754c926c3b3a3a08dafc371fa8629bc845490ffc3376

SHA512
586b2693abb49d3086741d9fc9462a1e710c76a0149e0085852aada07266d97db5eed0383f4d1e25590238acf90b46637461e7d87c402b658e16fbdff20fd722

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3VODNkDwK3T.bat
Filesize
199B

MD5
06881a6d36848cd73d04a86f78aed189

SHA1
387bc57fa95bb8aedcc0752b54a811cc9b6804fb

SHA256
ca8de607c9d02414d75b4c4f3f54ebb18226c16a0d83caa2dabd81da3c1cfe31

SHA512
eaf74e5bda0283c5b64bd0761ef4b230824f6830647c65ca6b3a72e6c3785e8c3f647eb0dcc4892ab2c216881a65a372552cce763e5ab94799a619b0b99de89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdLnro68UX0f.bat
Filesize
199B

MD5
cf51b78cf5b7c25fae8f2fd73fbc842d

SHA1
3c4fdd43d0823fd443ae0cde758bc47814f92297

SHA256
2cf5ba9f10b8adb18b6e6b2fc11bbda914105bab7f1d930fe938c8c2cc1ddc49

SHA512
143bc6d94f8f5f3f64dcbdb0dbe585bae2d35fc9cac06de7224a6ac9dea40f3761dc999cdd551ff447b0e6034f5718a5f315ef782ed7044cce85a08a0dd69216

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/316-125-0x0000000000A70000-0x0000000000D94000-memory.dmp

Filesize
3.1MB

Download
memory/408-223-0x0000000000B10000-0x0000000000E34000-memory.dmp

Filesize
3.1MB

Download
memory/448-824-0x0000000001090000-0x00000000013B4000-memory.dmp

Filesize
3.1MB

Download
memory/560-504-0x0000000001140000-0x0000000001464000-memory.dmp

Filesize
3.1MB

Download
memory/668-56-0x00000000003A0000-0x00000000006C4000-memory.dmp

Filesize
3.1MB

Download
memory/680-349-0x0000000000300000-0x0000000000624000-memory.dmp

Filesize
3.1MB

Download
memory/772-137-0x0000000001260000-0x0000000001584000-memory.dmp

Filesize
3.1MB

Download
memory/820-451-0x0000000000B80000-0x0000000000EA4000-memory.dmp

Filesize
3.1MB

Download
memory/848-1007-0x00000000002B0000-0x00000000005D4000-memory.dmp

Filesize
3.1MB

Download
memory/944-68-0x00000000008A0000-0x0000000000BC4000-memory.dmp

Filesize
3.1MB

Download
memory/960-773-0x0000000001370000-0x0000000001694000-memory.dmp

Filesize
3.1MB

Download
memory/1048-250-0x0000000000070000-0x0000000000394000-memory.dmp

Filesize
3.1MB

Download
memory/1160-513-0x0000000001240000-0x0000000001564000-memory.dmp

Filesize
3.1MB

Download
memory/1200-621-0x0000000001000000-0x0000000001324000-memory.dmp

Filesize
3.1MB

Download
memory/1308-383-0x0000000001080000-0x00000000013A4000-memory.dmp

Filesize
3.1MB

Download
memory/1332-442-0x0000000000090000-0x00000000003B4000-memory.dmp

Filesize
3.1MB

Download
memory/1476-715-0x0000000000E70000-0x0000000001194000-memory.dmp

Filesize
3.1MB

Download
memory/1548-530-0x00000000012B0000-0x00000000015D4000-memory.dmp

Filesize
3.1MB

Download
memory/1576-259-0x0000000000C20000-0x0000000000F44000-memory.dmp

Filesize
3.1MB

Download
memory/1608-697-0x0000000000360000-0x0000000000684000-memory.dmp

Filesize
3.1MB

Download
memory/1656-596-0x0000000000390000-0x00000000006B4000-memory.dmp

Filesize
3.1MB

Download
memory/1696-400-0x0000000000260000-0x0000000000584000-memory.dmp

Filesize
3.1MB

Download
memory/1704-842-0x0000000001390000-0x00000000016B4000-memory.dmp

Filesize
3.1MB

Download
memory/1812-113-0x0000000000210000-0x0000000000534000-memory.dmp

Filesize
3.1MB

Download
memory/1816-149-0x0000000000010000-0x0000000000334000-memory.dmp

Filesize
3.1MB

Download
memory/1964-232-0x0000000000130000-0x0000000000454000-memory.dmp

Filesize
3.1MB

Download
memory/1972-1041-0x0000000000240000-0x0000000000564000-memory.dmp

Filesize
3.1MB

Download
memory/1980-815-0x0000000000F20000-0x0000000001244000-memory.dmp

Filesize
3.1MB

Download
memory/1996-974-0x00000000013B0000-0x00000000016D4000-memory.dmp

Filesize
3.1MB

Download
memory/2000-587-0x00000000002E0000-0x0000000000604000-memory.dmp

Filesize
3.1MB

Download
memory/2020-10-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2020-2-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2020-1-0x00000000000D0000-0x00000000003F4000-memory.dmp

Filesize
3.1MB

Download
memory/2020-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2028-638-0x0000000000850000-0x0000000000B74000-memory.dmp

Filesize
3.1MB

Download
memory/2084-90-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/2148-79-0x0000000000C30000-0x0000000000F54000-memory.dmp

Filesize
3.1MB

Download
memory/2288-160-0x0000000000230000-0x0000000000554000-memory.dmp

Filesize
3.1MB

Download
memory/2296-957-0x00000000009A0000-0x0000000000CC4000-memory.dmp

Filesize
3.1MB

Download
memory/2304-706-0x0000000000040000-0x0000000000364000-memory.dmp

Filesize
3.1MB

Download
memory/2340-9-0x0000000000CC0000-0x0000000000FE4000-memory.dmp

Filesize
3.1MB

Download
memory/2340-8-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-21-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-11-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2420-172-0x00000000012F0000-0x0000000001614000-memory.dmp

Filesize
3.1MB

Download
memory/2448-939-0x00000000001C0000-0x00000000004E4000-memory.dmp

Filesize
3.1MB

Download
memory/2480-486-0x0000000000D50000-0x0000000001074000-memory.dmp

Filesize
3.1MB

Download
memory/2508-268-0x00000000013A0000-0x00000000016C4000-memory.dmp

Filesize
3.1MB

Download
memory/2552-806-0x0000000000190000-0x00000000004B4000-memory.dmp

Filesize
3.1MB

Download
memory/2628-671-0x0000000000DA0000-0x00000000010C4000-memory.dmp

Filesize
3.1MB

Download
memory/2656-23-0x0000000000050000-0x0000000000374000-memory.dmp

Filesize
3.1MB

Download
memory/2676-1050-0x0000000000A90000-0x0000000000DB4000-memory.dmp

Filesize
3.1MB

Download
memory/2680-833-0x00000000000E0000-0x0000000000404000-memory.dmp

Filesize
3.1MB

Download
memory/2700-495-0x0000000000030000-0x0000000000354000-memory.dmp

Filesize
3.1MB

Download
memory/2704-460-0x00000000010B0000-0x00000000013D4000-memory.dmp

Filesize
3.1MB

Download
memory/2776-469-0x00000000012E0000-0x0000000001604000-memory.dmp

Filesize
3.1MB

Download
memory/2788-102-0x0000000000E50000-0x0000000001174000-memory.dmp

Filesize
3.1MB

Download
memory/2812-34-0x0000000000EA0000-0x00000000011C4000-memory.dmp

Filesize
3.1MB

Download
memory/2852-45-0x00000000013C0000-0x00000000016E4000-memory.dmp

Filesize
3.1MB

Download
memory/2868-214-0x0000000000280000-0x00000000005A4000-memory.dmp

Filesize
3.1MB

Download
memory/2924-409-0x0000000001210000-0x0000000001534000-memory.dmp

Filesize
3.1MB

Download
memory/2972-680-0x0000000000E60000-0x0000000001184000-memory.dmp

Filesize
3.1MB

Download
memory/2988-724-0x0000000000170000-0x0000000000494000-memory.dmp

Filesize
3.1MB

Download
memory/2996-948-0x0000000000080000-0x00000000003A4000-memory.dmp

Filesize
3.1MB

Download
memory/3056-358-0x0000000000D30000-0x0000000001054000-memory.dmp

Filesize
3.1MB

Download
memory/3060-241-0x0000000001280000-0x00000000015A4000-memory.dmp

Filesize
3.1MB

Download
memory/3064-1016-0x0000000000EC0000-0x00000000011E4000-memory.dmp

Filesize
3.1MB

Download