Analysis
max time kernel: 1193s
max time network: 1198s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 22:47
Behavioral task: behavioral1
Sample: sp00fer.exe
Resource: win7-20240611-en
General
Target: sp00fer.exe
Size: 3.1MB
MD5: a121d9d691a400786000dee14a808ab1
SHA1: 14ab065be3cfe0a7aa7808cb8891f7c75affc395
SHA256: 7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335
SHA512: e0a162b3d00ef69b96bd4a43f9a0c3297005e8a8db84233010d420bf87ff337ed4139b4cc27594fdd194416a03fe8a7be90b03a8f10e34b72f70d399d6917929
SSDEEP: 49152:zvulL26AaNeWgPhlmVqvMQ7XSKLCO1JRLoGdFTHHB72eh2NT:zveL26AaNeWgPhlmVqkQ7XSKLCE
Malware Config
Extracted
quasar
1.4.1
Office04
pringelsy-51954.portmap.host:51954
6dc28d35-3024-44a7-a559-f9991015fa39
encryption_key: 3107DF2D44BB6914C55BEA57D100135AB0F278DF
install_name: Client.exe
log_directory: Logs
reconnect_delay: 799
startup_key: Quasar Client Startup
subdirectory: Common Files
Signatures
-
Quasar payload 2 IoCs
Resource: behavioral2/memory/1456-1-0x0000000000970000-0x0000000000C94000-memory.dmp, YARA rule: family_quasar
Resource: C:\Program Files\Common Files\Client.exe, YARA rule: family_quasar
-
Checks computer location settings 2 TTPs 56 IoCs
Looks up country code configured in the registry, likely geofence.
Process: Client.exe
Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
-
Executes dropped EXE 57 IoCs
-
Drops file in Program Files directory 64 IoCs
File created: C:\Program Files\Common Files\Client.exe (process: sp00fer.exe)
File opened for modification: C:\Program Files\Common Files\Client.exe (processes: sp00fer.exe, Client.exe)
File opened for modification: C:\Program Files\Common Files (processes: sp00fer.exe, Client.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 56 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 58 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 58 IoCs
Token: SeDebugPrivilege (processes: sp00fer.exe, Client.exe)
-
Suspicious use of FindShellTrayWindow 57 IoCs
-
Suspicious use of SendNotifyMessage 57 IoCs
-
Suspicious use of SetWindowsHookEx 53 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sp00fer.exe"C:\Users\Admin\AppData\Local\Temp\sp00fer.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9milzwDyGjow.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 4] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 4] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 5] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kNmGobdPK4ej.bat" "
- Suspicious use of WriteProcessMemory
-
[depth 6] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 6] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 6] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[depth 7] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 7] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AE5Czrl8ZSxU.bat" "
- Suspicious use of WriteProcessMemory
-
[depth 8] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 8] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 8] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[depth 9] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 9] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAwaLImXzJgM.bat" "
- Suspicious use of WriteProcessMemory
-
[depth 10] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 10] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 10] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[depth 11] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 11] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6kamOhoB7mVe.bat" "
- Suspicious use of WriteProcessMemory
-
[depth 12] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 12] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 12] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[depth 13] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 13] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\35GueDsOjmBq.bat" "
- Suspicious use of WriteProcessMemory
-
[depth 14] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 14] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 14] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 15] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 15] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2dqcK1cdBzLb.bat" "
-
[depth 16] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 16] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 16] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 17] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 17] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CjqbtOpWkCeY.bat" "
-
[depth 18] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 18] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 18] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 19] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 19] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bktKbHWPKI9H.bat" "
-
[depth 20] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 20] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 20] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 21] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 21] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d8rhUQqspRVX.bat" "
-
[depth 22] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 22] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 22] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 23] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 23] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgjAKEgxfQIT.bat" "
-
[depth 24] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 24] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 24] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 25] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 25] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeBu7aPugWui.bat" "
-
[depth 26] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 26] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 26] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 27] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 27] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XBEumwPGwjzM.bat" "
-
[depth 28] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 28] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 28] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 29] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 29] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yflMFBI3IkUM.bat" "
-
[depth 30] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 30] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 30] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 31] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 31] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wN2haC3sLfVk.bat" "
-
[depth 32] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 32] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 32] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 33] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 33] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oxaI8cRKxP8O.bat" "
-
[depth 34] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 34] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 34] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 35] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 35] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hQb2sGQ7zpsX.bat" "
-
[depth 36] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 36] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 36] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 37] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 37] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqljrWh26B6i.bat" "
-
[depth 38] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 38] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 38] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 39] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 39] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RAPHP3eO1gh0.bat" "
-
[depth 40] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 40] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 40] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 41] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 41] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VxQvzUuU56wx.bat" "
-
[depth 42] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 42] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 42] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 43] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 43] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROlRyT63dnEl.bat" "
-
[depth 44] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 44] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 44] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 45] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 45] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gpbav95kcfqP.bat" "
-
[depth 46] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 46] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 46] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 47] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 47] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iHeRBYZjR8bE.bat" "
-
[depth 48] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 48] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 48] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 49] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 49] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1nUwduxQH15t.bat" "
-
[depth 50] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 50] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 50] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 51] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 51] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l94FOAWDHegm.bat" "
-
[depth 52] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 52] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 52] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 53] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 53] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5daePeklLQFv.bat" "
-
[depth 54] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 54] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 54] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 55] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 55] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m4vW7oyX5GsO.bat" "
-
[depth 56] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 56] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 56] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 57] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 57] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiqsmBzcOCxq.bat" "
-
[depth 58] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 58] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 58] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 59] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 59] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MVwJWKE7k8qj.bat" "
-
[depth 60] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 60] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 60] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 61] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 61] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HsO3C8uLrnmZ.bat" "
-
[depth 62] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 62] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 62] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 63] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 63] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oubrzznW1q2P.bat" "
-
[depth 64] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 64] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 64] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 65] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 65] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MIeA3PUcpdEE.bat" "
-
[depth 66] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 66] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 66] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 67] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 67] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAYToWi2AZ1K.bat" "
-
[depth 68] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 68] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 68] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 69] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 69] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgfDczUZzQIv.bat" "
-
[depth 70] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 70] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 70] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 71] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 71] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oInC2DXY36Ng.bat" "
-
[depth 72] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 72] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 72] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 73] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 73] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o59c2KXZF3hZ.bat" "
-
[depth 74] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 74] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 74] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 75] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 75] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ON0bOeGcKPWy.bat" "
-
[depth 76] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 76] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 76] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 77] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 77] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9sdHtkTvsKej.bat" "
-
[depth 78] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 78] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 78] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 79] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 79] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FANaXMSknSxW.bat" "
-
[depth 80] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 80] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 80] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 81] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 81] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ZGq4XwVVzUe.bat" "
-
[depth 82] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 82] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 82] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 83] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 83] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LutrLlLbVxoZ.bat" "
-
[depth 84] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 84] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 84] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
[depth 85] C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
-
[depth 85] C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iLl9cRymHfiT.bat" "
-
[depth 86] C:\Windows\system32\chcp.com
chcp 65001
-
[depth 86] C:\Windows\system32\PING.EXE
ping -n 10 localhost
- Runs ping.exe
-
[depth 86] C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f87⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmNnICVskvHx.bat" "87⤵
-
C:\Windows\system32\chcp.comchcp 6500188⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost88⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"88⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f89⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ka7qntQgyIyY.bat" "89⤵
-
C:\Windows\system32\chcp.comchcp 6500190⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost90⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"90⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f91⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKwvhMSmBeWs.bat" "91⤵
-
C:\Windows\system32\chcp.comchcp 6500192⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost92⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"92⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f93⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xAEzsvulKqAb.bat" "93⤵
-
C:\Windows\system32\chcp.comchcp 6500194⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost94⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"94⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f95⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qfONVLCiRvfx.bat" "95⤵
-
C:\Windows\system32\chcp.comchcp 6500196⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost96⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"96⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f97⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAba5Uky3sfZ.bat" "97⤵
-
C:\Windows\system32\chcp.comchcp 6500198⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost98⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"98⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f99⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMDvnZl7UO36.bat" "99⤵
-
C:\Windows\system32\chcp.comchcp 65001100⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost100⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"100⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f101⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2RaCayx6yTxB.bat" "101⤵
-
C:\Windows\system32\chcp.comchcp 65001102⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost102⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"102⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f103⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1qfJK8mxytuS.bat" "103⤵
-
C:\Windows\system32\chcp.comchcp 65001104⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost104⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"104⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f105⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\COYL3uSbc1Si.bat" "105⤵
-
C:\Windows\system32\chcp.comchcp 65001106⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost106⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"106⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f107⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i6s8Xtrq4Sff.bat" "107⤵
-
C:\Windows\system32\chcp.comchcp 65001108⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost108⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"108⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f109⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y39opqbpx8xn.bat" "109⤵
-
C:\Windows\system32\chcp.comchcp 65001110⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost110⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"110⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f111⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2KEnJIzI94hQ.bat" "111⤵
-
C:\Windows\system32\chcp.comchcp 65001112⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost112⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"112⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f113⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ejMtZynZqvL8.bat" "113⤵
-
C:\Windows\system32\chcp.comchcp 65001114⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost114⤵
- Runs ping.exe
-
C:\Program Files\Common Files\Client.exe"C:\Program Files\Common Files\Client.exe"114⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f115⤵
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads