Analysis
-
max time kernel
1193s -
max time network
1198s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
29-06-2024 22:47
General
-
Target
sp00fer.exe
-
Size
3.1MB
-
MD5
a121d9d691a400786000dee14a808ab1
-
SHA1
14ab065be3cfe0a7aa7808cb8891f7c75affc395
-
SHA256
7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335
-
SHA512
e0a162b3d00ef69b96bd4a43f9a0c3297005e8a8db84233010d420bf87ff337ed4139b4cc27594fdd194416a03fe8a7be90b03a8f10e34b72f70d399d6917929
-
SSDEEP
49152:zvulL26AaNeWgPhlmVqvMQ7XSKLCO1JRLoGdFTHHB72eh2NT:zveL26AaNeWgPhlmVqkQ7XSKLCE
Score
10/10
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
Office04
C2
pringelsy-51954.portmap.host:51954
Mutex
6dc28d35-3024-44a7-a559-f9991015fa39
Attributes
-
encryption_key
3107DF2D44BB6914C55BEA57D100135AB0F278DF
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
799
-
startup_key
Quasar Client Startup
-
subdirectory
Common Files
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Checks computer location settings 2 TTPs 56 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 57 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 56 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 58 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 58 IoCs
-
Suspicious use of FindShellTrayWindow 57 IoCs
-
Suspicious use of SendNotifyMessage 57 IoCs
-
Suspicious use of SetWindowsHookEx 53 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sp00fer.exe"C:\Users\Admin\AppData\Local\Temp\sp00fer.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9milzwDyGjow.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kNmGobdPK4ej.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AE5Czrl8ZSxU.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAwaLImXzJgM.bat" "9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6kamOhoB7mVe.bat" "11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35GueDsOjmBq.bat" "13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2dqcK1cdBzLb.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CjqbtOpWkCeY.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bktKbHWPKI9H.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d8rhUQqspRVX.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgjAKEgxfQIT.bat" "23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f25⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeBu7aPugWui.bat" "25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f27⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XBEumwPGwjzM.bat" "27⤵
-
C:\Windows\system32\chcp.comchcp 6500128⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f29⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yflMFBI3IkUM.bat" "29⤵
-
C:\Windows\system32\chcp.comchcp 6500130⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f31⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wN2haC3sLfVk.bat" "31⤵
-
C:\Windows\system32\chcp.comchcp 6500132⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost32⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f33⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oxaI8cRKxP8O.bat" "33⤵
-
C:\Windows\system32\chcp.comchcp 6500134⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost34⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f35⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQb2sGQ7zpsX.bat" "35⤵
-
C:\Windows\system32\chcp.comchcp 6500136⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost36⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f37⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqljrWh26B6i.bat" "37⤵
-
C:\Windows\system32\chcp.comchcp 6500138⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost38⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f39⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAPHP3eO1gh0.bat" "39⤵
-
C:\Windows\system32\chcp.comchcp 6500140⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost40⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f41⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VxQvzUuU56wx.bat" "41⤵
-
C:\Windows\system32\chcp.comchcp 6500142⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost42⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f43⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROlRyT63dnEl.bat" "43⤵
-
C:\Windows\system32\chcp.comchcp 6500144⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost44⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f45⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gpbav95kcfqP.bat" "45⤵
-
C:\Windows\system32\chcp.comchcp 6500146⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost46⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"46⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f47⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iHeRBYZjR8bE.bat" "47⤵
-
C:\Windows\system32\chcp.comchcp 6500148⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost48⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"48⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f49⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1nUwduxQH15t.bat" "49⤵
-
C:\Windows\system32\chcp.comchcp 6500150⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost50⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f51⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l94FOAWDHegm.bat" "51⤵
-
C:\Windows\system32\chcp.comchcp 6500152⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost52⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f53⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5daePeklLQFv.bat" "53⤵
-
C:\Windows\system32\chcp.comchcp 6500154⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost54⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"54⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f55⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m4vW7oyX5GsO.bat" "55⤵
-
C:\Windows\system32\chcp.comchcp 6500156⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost56⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"56⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f57⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiqsmBzcOCxq.bat" "57⤵
-
C:\Windows\system32\chcp.comchcp 6500158⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost58⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"58⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f59⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MVwJWKE7k8qj.bat" "59⤵
-
C:\Windows\system32\chcp.comchcp 6500160⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost60⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"60⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f61⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsO3C8uLrnmZ.bat" "61⤵
-
C:\Windows\system32\chcp.comchcp 6500162⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost62⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f63⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oubrzznW1q2P.bat" "63⤵
-
C:\Windows\system32\chcp.comchcp 6500164⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost64⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"64⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f65⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIeA3PUcpdEE.bat" "65⤵
-
C:\Windows\system32\chcp.comchcp 6500166⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost66⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"66⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f67⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAYToWi2AZ1K.bat" "67⤵
-
C:\Windows\system32\chcp.comchcp 6500168⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost68⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"68⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f69⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgfDczUZzQIv.bat" "69⤵
-
C:\Windows\system32\chcp.comchcp 6500170⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost70⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"70⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f71⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oInC2DXY36Ng.bat" "71⤵
-
C:\Windows\system32\chcp.comchcp 6500172⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost72⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"72⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f73⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o59c2KXZF3hZ.bat" "73⤵
-
C:\Windows\system32\chcp.comchcp 6500174⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost74⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"74⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f75⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ON0bOeGcKPWy.bat" "75⤵
-
C:\Windows\system32\chcp.comchcp 6500176⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost76⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"76⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f77⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9sdHtkTvsKej.bat" "77⤵
-
C:\Windows\system32\chcp.comchcp 6500178⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost78⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"78⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f79⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FANaXMSknSxW.bat" "79⤵
-
C:\Windows\system32\chcp.comchcp 6500180⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost80⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"80⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f81⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ZGq4XwVVzUe.bat" "81⤵
-
C:\Windows\system32\chcp.comchcp 6500182⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost82⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"82⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f83⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LutrLlLbVxoZ.bat" "83⤵
-
C:\Windows\system32\chcp.comchcp 6500184⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost84⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"84⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f85⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iLl9cRymHfiT.bat" "85⤵
-
C:\Windows\system32\chcp.comchcp 6500186⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost86⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"86⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f87⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmNnICVskvHx.bat" "87⤵
-
C:\Windows\system32\chcp.comchcp 6500188⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost88⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"88⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f89⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ka7qntQgyIyY.bat" "89⤵
-
C:\Windows\system32\chcp.comchcp 6500190⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost90⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"90⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f91⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKwvhMSmBeWs.bat" "91⤵
-
C:\Windows\system32\chcp.comchcp 6500192⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost92⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"92⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f93⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAEzsvulKqAb.bat" "93⤵
-
C:\Windows\system32\chcp.comchcp 6500194⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost94⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"94⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f95⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qfONVLCiRvfx.bat" "95⤵
-
C:\Windows\system32\chcp.comchcp 6500196⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost96⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"96⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f97⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAba5Uky3sfZ.bat" "97⤵
-
C:\Windows\system32\chcp.comchcp 6500198⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost98⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"98⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f99⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMDvnZl7UO36.bat" "99⤵
-
C:\Windows\system32\chcp.comchcp 65001100⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost100⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"100⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f101⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2RaCayx6yTxB.bat" "101⤵
-
C:\Windows\system32\chcp.comchcp 65001102⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost102⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"102⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f103⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1qfJK8mxytuS.bat" "103⤵
-
C:\Windows\system32\chcp.comchcp 65001104⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost104⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"104⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f105⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COYL3uSbc1Si.bat" "105⤵
-
C:\Windows\system32\chcp.comchcp 65001106⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost106⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"106⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f107⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i6s8Xtrq4Sff.bat" "107⤵
-
C:\Windows\system32\chcp.comchcp 65001108⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost108⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"108⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f109⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y39opqbpx8xn.bat" "109⤵
-
C:\Windows\system32\chcp.comchcp 65001110⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost110⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"110⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f111⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2KEnJIzI94hQ.bat" "111⤵
-
C:\Windows\system32\chcp.comchcp 65001112⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost112⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"112⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f113⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ejMtZynZqvL8.bat" "113⤵
-
C:\Windows\system32\chcp.comchcp 65001114⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost114⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"114⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f115⤵
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\Client.exeFilesize
3.1MB
MD5a121d9d691a400786000dee14a808ab1
SHA114ab065be3cfe0a7aa7808cb8891f7c75affc395
SHA2567849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335
SHA512e0a162b3d00ef69b96bd4a43f9a0c3297005e8a8db84233010d420bf87ff337ed4139b4cc27594fdd194416a03fe8a7be90b03a8f10e34b72f70d399d6917929
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.logFilesize
2KB
MD58f0271a63446aef01cf2bfc7b7c7976b
SHA1b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA51278a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
C:\Users\Admin\AppData\Local\Temp\1nUwduxQH15t.batFilesize
199B
MD5a904a14818bd5b1c38d4be831bfb7291
SHA15a7d618fa54b891a0c1b23deccbf8fe7138fa765
SHA25630e4aa39220c2ec3f4c87de031645ff7074e0d20dddf5edbcf4913e36fc10f8c
SHA5129a41205ec03347a60f9428ebf589f24f7918b442c5f34a9d683c043d82b3891c5aaa658a448340e41c2338cdeea2e1d7581ccdf6a2c566e1922acda89921cec6
-
C:\Users\Admin\AppData\Local\Temp\2dqcK1cdBzLb.batFilesize
199B
MD58f3dc61037f4c85bf302e674a1fba3a3
SHA1484433b0ed82d0d1eaece2566817c29f4e657343
SHA2569bed1575bb7c307acb855bcdc4c5337e7f79373a3c95c5f7349ba4578fc6a773
SHA512f33a2ca5bb900c884b279d7edf3047f8194b77f7430f00fb56e5ec590ee7f3c4c450e430f146643df591cae5df9891ec11f99aa116f78fe172047eb6aeda6be9
-
C:\Users\Admin\AppData\Local\Temp\35GueDsOjmBq.batFilesize
199B
MD5ae481b36a543a5a8d60f2c4c38621932
SHA1ef7311f7df2d99928f39fa8926aca25a261de6f5
SHA256c057f12faed7af2f9f8581589f887965c35f4cd94fa264f8898d7436db7bde79
SHA512912120b24d36c280a340f93b2387ee91a1725a7b65201cafae206fc34bd1dbac2c1d2d425ea03b5f9cc24170ad56bec22448433efcd2c70e76463e2c09228e8b
-
C:\Users\Admin\AppData\Local\Temp\5daePeklLQFv.batFilesize
199B
MD5cc73350a3777fb5a02fb02d80d48dcb3
SHA1b5486a1cd948200dbb1db0bf48649f07823f3a27
SHA25685a5c71fb5cf5f79e135ce1f7607733b2685c4e2116d4cb366a4c0f00650dfe3
SHA5129fae069bb1531c801c85ed8e9e591b8634ce8013c4d4b1f39f0f6f87092a67da1bbb89a3bf6a3e34091110c3821668e3cd6a397c45fc37a80286894ffa2ed162
-
C:\Users\Admin\AppData\Local\Temp\6kamOhoB7mVe.batFilesize
199B
MD571ce71d200cf69a8ce88e218e2723603
SHA1bceb5329259b5d114c2a6f49f1628b22e5a31978
SHA256f915cbc57428c95d6b2e79f224824e53169d8b61adf6f7428f98da1734719846
SHA512a75e240f4fb903972f483bb3f14f61f399e6e392df527fa2ee83c22f2d8d112a805c5f1b43739f1ba1583df7df5ffa46978b086ba4656de736ca010912ac213b
-
C:\Users\Admin\AppData\Local\Temp\9milzwDyGjow.batFilesize
199B
MD54b24b26714d12621631450a70fc615b8
SHA190ff08f7108c116eebdd80c204a78a1ff866393a
SHA256b986f6068f56f58cc29f4868508b17577f68009fcee09fad8147c15a59a137ff
SHA512a6282f94ea4cedc984cea0433a8e1083d855935272b1699afd5f95548a3d7fbc396395a37a65fe663f13dd59a92fd6f96cd876fb7a7464fd5e48ecee2297d5f7
-
C:\Users\Admin\AppData\Local\Temp\AE5Czrl8ZSxU.batFilesize
199B
MD5a7fe8aa7c5136be6e86b9bce0d49372d
SHA18ddc65ce61b86148a3d7e2226f2912451618f6f8
SHA256c308b943190efd3f3cf4df8084d202b2a762c816410636930eff51a9bba1b5af
SHA5121accd79d28b1e9c42911aa53a5907556cc0beb44196f41c2f59cc524c748701f688e421cebf22e0ced7c0e692fee19f9c83156a454807e31ce39baab633cc013
-
C:\Users\Admin\AppData\Local\Temp\CjqbtOpWkCeY.batFilesize
199B
MD52671e265823ad106d8e2cc6ae372dc4f
SHA172387f1e9de3f868ec3b33be7f4483c25b57805a
SHA256de7c528e9e645c2777565cc36e2b1d5783465fb0e66d4caab8cb86f886fb4e92
SHA5128562018c6628cc8cea5b826451ea147a9f40a1a7b104458f23053233f76a6ac5546f582493212d375f062dae7fd156d336fb913c4147718b5162f5f52287bdb7
-
C:\Users\Admin\AppData\Local\Temp\Gpbav95kcfqP.batFilesize
199B
MD56a379bffab6019339903c634bfc759d4
SHA1813a187093f75959f999b1e1efe174efd3a5e203
SHA2563e9c0c00daeff32001c85721aac4a3d3b0e1a2a869f480486faf9c77c930233d
SHA512cbe0179706c86b53a1866044367f266c804150d4ce5bacf6f1d2f5f95250037c186710fb748ada85a91693179783cd97780998be62111a9d1d97d68e12a28f51
-
C:\Users\Admin\AppData\Local\Temp\HsO3C8uLrnmZ.batFilesize
199B
MD5b3115de8a7a25b53b8b098b63410f74b
SHA17baa36cc11409ae64e1699c58a3ad8e7f028ce7f
SHA2565e44bf0e27b7543310c48b269ad2f87be9c079c0d2540be1aae4f662e772fdf3
SHA512435271c997659e0ccd53cfaeb7517df83e3ca7547646bf786c9f59e6c85f4451db28cf0d87bdb6d1557e2fb3a20020c137ba8f6a2874cc232be9e9be049720ff
-
C:\Users\Admin\AppData\Local\Temp\LAwaLImXzJgM.batFilesize
199B
MD5f6c25f5c01f89ca28a4f60c7d90effc6
SHA1d5b6c63450ca9c2305b857e78e9347fd0de8f58f
SHA25685cc56c10c7a3a2f8c29ba3a4e06033a1aa1f62473edd855e579d25c94693065
SHA51216644857ba9953daa4b2ca1e6bbdd5f03708ad559a9be02632005629ce1aa4a947c05dff531717a9c0decc6e06f40aab716c0d93357e71a809eb8f4579acc39a
-
C:\Users\Admin\AppData\Local\Temp\LeBu7aPugWui.batFilesize
199B
MD5cea4cfdcc4274a680a6f31a49245c7af
SHA13c7a46af255fea86b4e2f47c9c8d73543074c8e0
SHA256a112b27cc1c518c38a9e85973b3230d5ffcb2fe1ac5060a61eb1dec4b63144ee
SHA5120f45654f95bd17a4670ffec1dc15517261a73b6f6dd02f3c8a88a440aa325be7215aa6e4bf853fbf4e81eb98767d144d8500482775027f53cfeb0863546cbafc
-
C:\Users\Admin\AppData\Local\Temp\MVwJWKE7k8qj.batFilesize
199B
MD570391ac50c0dfb7e30888bb051de1200
SHA1afabbc2705aac155cdabca892d81b025c5ba8cd0
SHA2560e6fa2e0024094933945fb4ae4fe007467bbeb39b7876b7216bff6d2d13e8dc7
SHA512269eb0d5b147377bf13b12ea99660b485bc70663c1b0e09331c8dba8f8f1e39bdb0f2ae9c0d5dab6a8df9b90db05546b5f167cfe5aea0fb82ce11e747cc565bd
-
C:\Users\Admin\AppData\Local\Temp\RAPHP3eO1gh0.batFilesize
199B
MD522e5138c1615c1d4a0e98b7e5b2d8a24
SHA13c81ee09fe251ad2ead4b2b7b1afd1c86db9a36e
SHA256bf906992a53117ac707794d4e9cc09be11a4f89cfdaf08561fde20243734d861
SHA5128e9078f16467cd7b916aca728e519d65a6c367bbc5e6f5ad7b0945ccec5fe6aead30bd77e36812df41b1e9257dab6aa88743a3cd7642bcc5383c1b2a311145f0
-
C:\Users\Admin\AppData\Local\Temp\ROlRyT63dnEl.batFilesize
199B
MD5e910e760d56f7cba21b91bcca8af520a
SHA1b12f6b93dbaade8657ad71e794890722a5899d03
SHA2566f8d82f9e6bae6e82d0b5ea84bd3dbebd1b2f5316ad593fe0ad0718426f49ab6
SHA5123806f90d2223bc0d8b18c9bd24f933e2d39554fad173007dc5a915ec1dd4468d324e258b6b05a89cc6aa4176d792d6c2faa93306ffaea60d1ccb74b2bf715eb0
-
C:\Users\Admin\AppData\Local\Temp\SiqsmBzcOCxq.batFilesize
199B
MD58fb661be6a35c316fc9b6e11cca79616
SHA1f560c4f87eec0d005e20bfdee0cb417e0d3cc81a
SHA256342703a9b35c4a7b250c7bee06190d64789b5130763a84e83fce727bb4809d2f
SHA512d7a2a563f2dd81cef935599736302206291eb2bcd1f0d15e5400e60986828778c344d26f349659a03457d594fec69bf0bdf9b11ba651349bc56ba82fcd0d8a33
-
C:\Users\Admin\AppData\Local\Temp\VxQvzUuU56wx.batFilesize
199B
MD50127f4f318c32e892119db0ef6ab8206
SHA1db8ee9e3c4078463acad89cf9b4703adce714682
SHA256d9b2a24dc5163586004e170882d242012b4cd8a0d3575b36871ca86ad6e4cca7
SHA51220a087e640d434d2a2bfaedf1f7c7c2d12213a661e83f6c8a0c31080b769f8027e39513f4cf9c5b051c2eba675ea570a2b96c1f1ccb16aa38cfb0a75d2982344
-
C:\Users\Admin\AppData\Local\Temp\XBEumwPGwjzM.batFilesize
199B
MD5ebaa209f30f42642062f83de2013bea6
SHA1a656dfbc6a101662f7b1dbc226f2db49c7d28380
SHA256a74dff5c62b739310ba1bb7d9da842f4cc42ca02356d8338839765d0d7654b9a
SHA512e51eacb4b733bc464c3be79590407443d7df0217d1681ccd9970e340dce5e1e2f93e7480cf8c5e2e3691ddfe5574c62697f8be54f30b31cf09aeed005be61791
-
C:\Users\Admin\AppData\Local\Temp\bgjAKEgxfQIT.batFilesize
199B
MD5c87cc7778a41a1b1b849d6c29493e0e5
SHA1d5b60076e9d9ac7f9397cc83619c2b58922c7483
SHA2562b56f241133a17464afe0deacd78569180be2b00c0c85dd7e41c81a66721655e
SHA5123a146a05dc97847300dea5e044e1b50cf8d122b5fcaae10eb63b51bc3dd5f2b7f8b123eca50269e61cfcc47165f764456cba34aafd1ac3769ce71f859cc0d619
-
C:\Users\Admin\AppData\Local\Temp\bktKbHWPKI9H.batFilesize
199B
MD57242875920f50881eef75fe32b9f9ce7
SHA1c886f1db9ab01c0f5ee2c70dbd445f20bf23809f
SHA25650741272e040a427aabda2655911b4fb6fd34a5e7f542fb2f70c469a57ee42a0
SHA51278d7d7a424388ce26fa57bf7c2eae403c7f3812784d67be51f38b2cf56198f1297bc15643c0dcf25bedaa658cae64b4bd69318cb2a0153dad3ddb3f052fd7b13
-
C:\Users\Admin\AppData\Local\Temp\d8rhUQqspRVX.batFilesize
199B
MD55f8fa8c00508f37ea4e7b1ca9c7645ed
SHA1025d23fff0985d6786e2f0568c0be181a7f3cdb0
SHA2564709d4379846f412ef86e7bdc8f756014a88884ccb98afa6323903ad345761a1
SHA51264f3978c4e4f6ef3b42f4975c56e07de0121520c751d29e97c72a136b8e3635f059b14cb6c4d8285db62a0c9e085d294b8e66bb357a5f71be0ea1ba80d8abece
-
C:\Users\Admin\AppData\Local\Temp\hQb2sGQ7zpsX.batFilesize
199B
MD543f838fbadc36ce4e330f687604aa531
SHA158faf8a07bbd512655668cd2834de794d1b59446
SHA256cfe99d0dafe47b5fde8d4e1171d4a130fe66f2ed3fd6c0e7d44500e0121a0654
SHA51280e3584dc90b27783e3a06a5f1ee67900bbcfe7a34a1cc33167c0a0e64fb306de3e29f002ab6f1e131105eea51eb9b4738f8fa08e1f6858abca14f3dc0a37c30
-
C:\Users\Admin\AppData\Local\Temp\iHeRBYZjR8bE.batFilesize
199B
MD59f40c2670dce22f9d0b4f78c9b44e2c4
SHA15b729734070fdae0afc8485de344177b968ed44d
SHA256b784910b80b4465edc54c7d69233756a28e91c081656c15201b952453166e247
SHA512984a2219d30178b7ab3a450c296984dfcb6c1f8e4bb82fee954dc665c9aff2c2b498189e515aba0fef233a835f57b72e6ce97d487b239e983026898cca9f765f
-
C:\Users\Admin\AppData\Local\Temp\kNmGobdPK4ej.batFilesize
199B
MD53d7bf32da5d1527cb527d125fc7ed0c9
SHA1dce760fabae15428aeb5a5017520193132065e2a
SHA25620240d9b2c3b63f6d5a5c4c794d9700ee4cbd2e02f6260722c333b15f1c42a04
SHA512de232870cbd26c9fd64548603ca80d7a857bb8644bed9951134b0fd4233502afa0cf38a3f5bde85a02ea6f18196b7cb0df01a923039addeaf4f31ffab4f1c403
-
C:\Users\Admin\AppData\Local\Temp\l94FOAWDHegm.batFilesize
199B
MD5a6aff218d36c7910e648656e5b97162e
SHA1ffbebf94a0b821fc1307943a20b6cac771cccb6b
SHA25653261430c523d540ae82b1463824f603416cdf5fbea7c8797c0d8f78069c1dca
SHA512d57a994f5bbd2eb19da79303dc22c6010ed71536c90e7859f493e55767058b1a736055095dc2763d1e1b4b618d18952c844c22698db3cf473b936bb2e7aaf4d9
-
C:\Users\Admin\AppData\Local\Temp\m4vW7oyX5GsO.batFilesize
199B
MD53dd0348db3b2683b7a067861436f4dcb
SHA1bfaca2c3467f071936ef7b7f6a57e68831736178
SHA256a3b008a6c486795dee94a510598235db01435be9db5854cdca9cc084c748b542
SHA512c180212abb4eed8f3fb87c9da18faec7c4b20fb7b0c6009a736d0079744604158a543bf26d8a432ac42a1974a22d54f08221dfe84657ce1a35db448a8a26679e
-
C:\Users\Admin\AppData\Local\Temp\oubrzznW1q2P.batFilesize
199B
MD5933266bba4833a996176cd3d177d4bdf
SHA18d89d8c040da879d0b3dc8d49fd84e6bea6b17c6
SHA2562b7164f2545d7812736b5674946c1a77459d74e00879a2eb4a7b2d1fbe526f8f
SHA5127e2feaa4f943f110a27b34923636c623be415dc247149b4a4728db5c975706c463ecfed1dc9df4041ad2a64c0d1c57394ea10a0dc05dcb9ace3341531ecf863d
-
C:\Users\Admin\AppData\Local\Temp\oxaI8cRKxP8O.batFilesize
199B
MD5c194087b34e0217874caad4a05d7d5d1
SHA1dcf78e05f14222a8da86857129aa5f2ed0805ccd
SHA2562541eadd4ffd65fa09cdb19e0ca05dafec1257fd2ff9e3d6aabc8d56e9f90187
SHA512de0ce9559d9465c6c31d18e9abb547ab440c1871422463b682a75fa14d2bd393fa7fbab6df6e16e2a3bb611d49f9f70d73a93b0fc4abf3428443ff6d2c2ce49a
-
C:\Users\Admin\AppData\Local\Temp\tqljrWh26B6i.batFilesize
199B
MD5499b9e431f47f286f93a52cb40445db9
SHA1cf92fcbb35ae90826ecd2c846f38eaa262d30746
SHA2563aff9634454b2f03090ba0d18bf4019ef7f3502d54e40b53aee65dc3069c09cc
SHA512b48b8f4432dfb01d4afc8c9b2a31c9dcf8244ea98aa9b3db7b0dbd58c80d374de23a6acdf66f4b6dcc053a653f5457969e2c38861f9831cd1d18d670f510b37b
-
C:\Users\Admin\AppData\Local\Temp\wN2haC3sLfVk.batFilesize
199B
MD55063706f18294056f8ac6273700a5fe3
SHA1cd65a274446f38b4d927b6c36273a37d1e7a7501
SHA2561d3de1bafc3c4149c0971017a070b73cb3f2d2a74ef24625b7d33bfa8c27a058
SHA5129f7453218c090045574dd79c2c1a8494b6b456acd0aac37a7842fa6b8861d5563afbd57c49fa15236dae73e4ead8e6a4ab6fd3d504757a0fbce206ba70d35375
-
C:\Users\Admin\AppData\Local\Temp\yflMFBI3IkUM.batFilesize
199B
MD546b3352865e70f1eb5657126a8cc1000
SHA17e8834e33af50ea0b13ac4d8e65544642eb6a769
SHA256bfaa8a324f7527fdce16bf15a078b9aae2dd611cc30d789233eacc0223d09f89
SHA5126794c412ed2cfdb0c6e5cf90a7d8e9ff294c7033d09c7f76cdb09799bc5f22c55e45d19f0690eef3331f3ec09992727409878e65bbc7838668d519a76a3263ae
-
memory/1456-0-0x00007FFEE9C43000-0x00007FFEE9C45000-memory.dmpFilesize
8KB
-
memory/1456-1-0x0000000000970000-0x0000000000C94000-memory.dmpFilesize
3.1MB
-
memory/1456-2-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmpFilesize
10.8MB
-
memory/1456-9-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmpFilesize
10.8MB
-
memory/1992-18-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmpFilesize
10.8MB
-
memory/1992-10-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmpFilesize
10.8MB
-
memory/1992-11-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmpFilesize
10.8MB
-
memory/1992-12-0x000000001E310000-0x000000001E360000-memory.dmpFilesize
320KB
-
memory/1992-13-0x000000001E420000-0x000000001E4D2000-memory.dmpFilesize
712KB