quasar | 7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335

Analysis

max time kernel
585s
max time network
366s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sp00fer.exe
Size

3.1MB
MD5

a121d9d691a400786000dee14a808ab1
SHA1

14ab065be3cfe0a7aa7808cb8891f7c75affc395
SHA256

7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335
SHA512

e0a162b3d00ef69b96bd4a43f9a0c3297005e8a8db84233010d420bf87ff337ed4139b4cc27594fdd194416a03fe8a7be90b03a8f10e34b72f70d399d6917929
SSDEEP

49152:zvulL26AaNeWgPhlmVqvMQ7XSKLCO1JRLoGdFTHHB72eh2NT:zveL26AaNeWgPhlmVqkQ7XSKLCE

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-51954.portmap.host:51954

Mutex

6dc28d35-3024-44a7-a559-f9991015fa39

Attributes

encryption_key
3107DF2D44BB6914C55BEA57D100135AB0F278DF
install_name
Client.exe
log_directory
Logs
reconnect_delay
799
startup_key
Quasar Client Startup
subdirectory
Common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2060-1-0x0000000000310000-0x0000000000634000-memory.dmp	family_quasar
C:\Program Files\Common Files\Client.exe	family_quasar
behavioral1/memory/1280-9-0x0000000000C80000-0x0000000000FA4000-memory.dmp	family_quasar
behavioral1/memory/2896-37-0x0000000000EC0000-0x00000000011E4000-memory.dmp	family_quasar
behavioral1/memory/1636-80-0x00000000002D0000-0x00000000005F4000-memory.dmp	family_quasar
behavioral1/memory/1948-91-0x0000000001110000-0x0000000001434000-memory.dmp	family_quasar
behavioral1/memory/2060-102-0x0000000000260000-0x0000000000584000-memory.dmp	family_quasar
behavioral1/memory/2628-113-0x0000000000BC0000-0x0000000000EE4000-memory.dmp	family_quasar
behavioral1/memory/2816-124-0x0000000000E40000-0x0000000001164000-memory.dmp	family_quasar
behavioral1/memory/2216-189-0x0000000000E70000-0x0000000001194000-memory.dmp	family_quasar
behavioral1/memory/2504-200-0x0000000001140000-0x0000000001464000-memory.dmp	family_quasar
behavioral1/memory/1644-211-0x0000000001340000-0x0000000001664000-memory.dmp	family_quasar
behavioral1/memory/1192-268-0x00000000002C0000-0x00000000005E4000-memory.dmp	family_quasar
behavioral1/memory/2876-277-0x0000000000910000-0x0000000000C34000-memory.dmp	family_quasar
behavioral1/memory/832-286-0x0000000000F20000-0x0000000001244000-memory.dmp	family_quasar

Executes dropped EXE 29 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	process
1280	Client.exe
1592	Client.exe
2896	Client.exe
2956	Client.exe
1528	Client.exe
2192	Client.exe
1636	Client.exe
1948	Client.exe
2060	Client.exe
2628	Client.exe
2816	Client.exe
1288	Client.exe
2616	Client.exe
2300	Client.exe
2136	Client.exe
2172	Client.exe
2216	Client.exe
2504	Client.exe
1644	Client.exe
2064	Client.exe
556	Client.exe
1548	Client.exe
876	Client.exe
2212	Client.exe
2556	Client.exe
1192	Client.exe
2876	Client.exe
832	Client.exe
1252	Client.exe

Drops file in Program Files directory 59 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exesp00fer.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	sp00fer.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File created	C:\Program Files\Common Files\Client.exe	sp00fer.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	sp00fer.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1160	PING.EXE
288	PING.EXE
2996	PING.EXE
1140	PING.EXE
288	PING.EXE
2588	PING.EXE
1352	PING.EXE
1672	PING.EXE
2792	PING.EXE
2000	PING.EXE
3060	PING.EXE
1732	PING.EXE
2732	PING.EXE
1284	PING.EXE
2592	PING.EXE
2860	PING.EXE
1616	PING.EXE
692	PING.EXE
1144	PING.EXE
2276	PING.EXE
2576	PING.EXE
1768	PING.EXE
2004	PING.EXE
2756	PING.EXE
2264	PING.EXE
3068	PING.EXE
1728	PING.EXE
2656	PING.EXE
2412	PING.EXE
380	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 31 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2952	schtasks.exe
928	schtasks.exe
2468	schtasks.exe
2664	schtasks.exe
2688	schtasks.exe
2528	schtasks.exe
1064	schtasks.exe
552	schtasks.exe
2744	schtasks.exe
1940	schtasks.exe
2176	schtasks.exe
1148	schtasks.exe
1252	schtasks.exe
1884	schtasks.exe
3048	schtasks.exe
2952	schtasks.exe
2744	schtasks.exe
2232	schtasks.exe
2100	schtasks.exe
2740	schtasks.exe
1876	schtasks.exe
2988	schtasks.exe
2512	schtasks.exe
1888	schtasks.exe
1844	schtasks.exe
1816	schtasks.exe
1076	schtasks.exe
2180	schtasks.exe
2364	schtasks.exe
2220	schtasks.exe
1056	schtasks.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

sp00fer.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	2060	sp00fer.exe
Token: SeDebugPrivilege	1280	Client.exe
Token: SeDebugPrivilege	1592	Client.exe
Token: SeDebugPrivilege	2896	Client.exe
Token: SeDebugPrivilege	2956	Client.exe
Token: SeDebugPrivilege	1528	Client.exe
Token: SeDebugPrivilege	2192	Client.exe
Token: SeDebugPrivilege	1636	Client.exe
Token: SeDebugPrivilege	1948	Client.exe
Token: SeDebugPrivilege	2060	Client.exe
Token: SeDebugPrivilege	2628	Client.exe
Token: SeDebugPrivilege	2816	Client.exe
Token: SeDebugPrivilege	1288	Client.exe
Token: SeDebugPrivilege	2616	Client.exe
Token: SeDebugPrivilege	2300	Client.exe
Token: SeDebugPrivilege	2136	Client.exe
Token: SeDebugPrivilege	2172	Client.exe
Token: SeDebugPrivilege	2216	Client.exe
Token: SeDebugPrivilege	2504	Client.exe
Token: SeDebugPrivilege	1644	Client.exe
Token: SeDebugPrivilege	2064	Client.exe
Token: SeDebugPrivilege	556	Client.exe
Token: SeDebugPrivilege	1548	Client.exe
Token: SeDebugPrivilege	876	Client.exe
Token: SeDebugPrivilege	2212	Client.exe
Token: SeDebugPrivilege	2556	Client.exe
Token: SeDebugPrivilege	1192	Client.exe
Token: SeDebugPrivilege	2876	Client.exe
Token: SeDebugPrivilege	832	Client.exe
Token: SeDebugPrivilege	1252	Client.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

pid	process
1280	Client.exe
1592	Client.exe
2896	Client.exe
2956	Client.exe
1528	Client.exe
2192	Client.exe
1636	Client.exe
1948	Client.exe
2060	Client.exe
2628	Client.exe
2816	Client.exe
1288	Client.exe
2616	Client.exe
2300	Client.exe
2136	Client.exe
2172	Client.exe
2216	Client.exe
2504	Client.exe
1644	Client.exe
2064	Client.exe
556	Client.exe
1548	Client.exe
876	Client.exe
2212	Client.exe
2556	Client.exe
1192	Client.exe
2876	Client.exe
832	Client.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

pid	process
1280	Client.exe
1592	Client.exe
2896	Client.exe
2956	Client.exe
1528	Client.exe
2192	Client.exe
1636	Client.exe
1948	Client.exe
2060	Client.exe
2628	Client.exe
2816	Client.exe
1288	Client.exe
2616	Client.exe
2300	Client.exe
2136	Client.exe
2172	Client.exe
2216	Client.exe
2504	Client.exe
1644	Client.exe
2064	Client.exe
556	Client.exe
1548	Client.exe
876	Client.exe
2212	Client.exe
2556	Client.exe
1192	Client.exe
2876	Client.exe
832	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

1280 Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sp00fer.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 2060 wrote to memory of 2220	2060	sp00fer.exe	schtasks.exe
PID 2060 wrote to memory of 2220	2060	sp00fer.exe	schtasks.exe
PID 2060 wrote to memory of 2220	2060	sp00fer.exe	schtasks.exe
PID 2060 wrote to memory of 1280	2060	sp00fer.exe	Client.exe
PID 2060 wrote to memory of 1280	2060	sp00fer.exe	Client.exe
PID 2060 wrote to memory of 1280	2060	sp00fer.exe	Client.exe
PID 1280 wrote to memory of 2688	1280	Client.exe	schtasks.exe
PID 1280 wrote to memory of 2688	1280	Client.exe	schtasks.exe
PID 1280 wrote to memory of 2688	1280	Client.exe	schtasks.exe
PID 1280 wrote to memory of 564	1280	Client.exe	cmd.exe
PID 1280 wrote to memory of 564	1280	Client.exe	cmd.exe
PID 1280 wrote to memory of 564	1280	Client.exe	cmd.exe
PID 564 wrote to memory of 2732	564	cmd.exe	chcp.com
PID 564 wrote to memory of 2732	564	cmd.exe	chcp.com
PID 564 wrote to memory of 2732	564	cmd.exe	chcp.com
PID 564 wrote to memory of 1728	564	cmd.exe	PING.EXE
PID 564 wrote to memory of 1728	564	cmd.exe	PING.EXE
PID 564 wrote to memory of 1728	564	cmd.exe	PING.EXE
PID 564 wrote to memory of 1592	564	cmd.exe	Client.exe
PID 564 wrote to memory of 1592	564	cmd.exe	Client.exe
PID 564 wrote to memory of 1592	564	cmd.exe	Client.exe
PID 1592 wrote to memory of 3048	1592	Client.exe	schtasks.exe
PID 1592 wrote to memory of 3048	1592	Client.exe	schtasks.exe
PID 1592 wrote to memory of 3048	1592	Client.exe	schtasks.exe
PID 1592 wrote to memory of 2680	1592	Client.exe	cmd.exe
PID 1592 wrote to memory of 2680	1592	Client.exe	cmd.exe
PID 1592 wrote to memory of 2680	1592	Client.exe	cmd.exe
PID 2680 wrote to memory of 1108	2680	cmd.exe	chcp.com
PID 2680 wrote to memory of 1108	2680	cmd.exe	chcp.com
PID 2680 wrote to memory of 1108	2680	cmd.exe	chcp.com
PID 2680 wrote to memory of 2592	2680	cmd.exe	PING.EXE
PID 2680 wrote to memory of 2592	2680	cmd.exe	PING.EXE
PID 2680 wrote to memory of 2592	2680	cmd.exe	PING.EXE
PID 2680 wrote to memory of 2896	2680	cmd.exe	Client.exe
PID 2680 wrote to memory of 2896	2680	cmd.exe	Client.exe
PID 2680 wrote to memory of 2896	2680	cmd.exe	Client.exe
PID 2896 wrote to memory of 2512	2896	Client.exe	schtasks.exe
PID 2896 wrote to memory of 2512	2896	Client.exe	schtasks.exe
PID 2896 wrote to memory of 2512	2896	Client.exe	schtasks.exe
PID 2896 wrote to memory of 2552	2896	Client.exe	cmd.exe
PID 2896 wrote to memory of 2552	2896	Client.exe	cmd.exe
PID 2896 wrote to memory of 2552	2896	Client.exe	cmd.exe
PID 2552 wrote to memory of 2808	2552	cmd.exe	chcp.com
PID 2552 wrote to memory of 2808	2552	cmd.exe	chcp.com
PID 2552 wrote to memory of 2808	2552	cmd.exe	chcp.com
PID 2552 wrote to memory of 2588	2552	cmd.exe	PING.EXE
PID 2552 wrote to memory of 2588	2552	cmd.exe	PING.EXE
PID 2552 wrote to memory of 2588	2552	cmd.exe	PING.EXE
PID 2552 wrote to memory of 2956	2552	cmd.exe	Client.exe
PID 2552 wrote to memory of 2956	2552	cmd.exe	Client.exe
PID 2552 wrote to memory of 2956	2552	cmd.exe	Client.exe
PID 2956 wrote to memory of 2528	2956	Client.exe	schtasks.exe
PID 2956 wrote to memory of 2528	2956	Client.exe	schtasks.exe
PID 2956 wrote to memory of 2528	2956	Client.exe	schtasks.exe
PID 2956 wrote to memory of 1480	2956	Client.exe	cmd.exe
PID 2956 wrote to memory of 1480	2956	Client.exe	cmd.exe
PID 2956 wrote to memory of 1480	2956	Client.exe	cmd.exe
PID 1480 wrote to memory of 1656	1480	cmd.exe	chcp.com
PID 1480 wrote to memory of 1656	1480	cmd.exe	chcp.com
PID 1480 wrote to memory of 1656	1480	cmd.exe	chcp.com
PID 1480 wrote to memory of 3060	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 3060	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 3060	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 1528	1480	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sp00fer.exe
"C:\Users\Admin\AppData\Local\Temp\sp00fer.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\pNCSbKHvknyF.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2732

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1728

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\OVdLqpm0Semr.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:1108

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2592

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Pw9FXDljQuGb.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2808

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2588

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hmPB5b0H8f4l.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:1656

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:3060

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1528

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yFZOSRo7BBA8.bat" "
11⤵
PID:1344

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:2976

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1352

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
12⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2192

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bF3LPsafJKni.bat" "
13⤵
PID:2140

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:2584

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:2860

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
14⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1636

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\y8dzC5oj4MNO.bat" "
15⤵
PID:2336

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:1080

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1160

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
16⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1948

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Zp5KWQJUOz1k.bat" "
17⤵
PID:288

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:2040

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:2264

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
18⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2060

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\lONklQKUJdAH.bat" "
19⤵
PID:2216

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:2840

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:1144

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
20⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2628

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\M5KuTGNpj4Bi.bat" "
21⤵
PID:2624

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:2540

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:2656

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
22⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2816

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\hvXcJTH2bIjR.bat" "
23⤵
PID:2528

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:1440

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:2276

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
24⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wscmzVERbVxK.bat" "
25⤵
PID:2548

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:2124

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:1672

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
26⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2616

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Vv4qYhDwvwKf.bat" "
27⤵
PID:2080

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:2380

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:1732

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
28⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2300

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
29⤵
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\K7Ma8zm6JHrP.bat" "
29⤵
PID:2108

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:1936

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:1616

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
30⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2136

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
31⤵
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\z6TQ8BINDMus.bat" "
31⤵
PID:576

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:3024

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:2732

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
32⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2172

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
33⤵
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KjGDVkHS3llc.bat" "
33⤵
PID:1504

C:\Windows\system32\chcp.com
chcp 65001
34⤵
PID:3028

C:\Windows\system32\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:2412

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
34⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2216

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
35⤵
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\bQbmObBxJ2DK.bat" "
35⤵
PID:2052

C:\Windows\system32\chcp.com
chcp 65001
36⤵
PID:2736

C:\Windows\system32\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:2792

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
36⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2504

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
37⤵
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cPo2p9o3N5ws.bat" "
37⤵
PID:2776

C:\Windows\system32\chcp.com
chcp 65001
38⤵
PID:2496

C:\Windows\system32\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:2576

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
38⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1644

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
39⤵
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\gXhBUfLOZdfF.bat" "
39⤵
PID:2268

C:\Windows\system32\chcp.com
chcp 65001
40⤵
PID:1272

C:\Windows\system32\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:1768

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
40⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2064

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
41⤵
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XRBJgSSEK6Sv.bat" "
41⤵
PID:2584

C:\Windows\system32\chcp.com
chcp 65001
42⤵
PID:932

C:\Windows\system32\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:380

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
42⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:556

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
43⤵
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\eJjeV6kUCFRq.bat" "
43⤵
PID:1080

C:\Windows\system32\chcp.com
chcp 65001
44⤵
PID:1160

C:\Windows\system32\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:692

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
44⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1548

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
45⤵
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\63g6e5gsgvgx.bat" "
45⤵
PID:2392

C:\Windows\system32\chcp.com
chcp 65001
46⤵
PID:1692

C:\Windows\system32\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:288

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
46⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:876

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
47⤵
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KXynwquGj2tz.bat" "
47⤵
PID:3028

C:\Windows\system32\chcp.com
chcp 65001
48⤵
PID:2428

C:\Windows\system32\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:2996

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
48⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2212

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
49⤵
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yDDfSJepBgO7.bat" "
49⤵
PID:2684

C:\Windows\system32\chcp.com
chcp 65001
50⤵
PID:2608

C:\Windows\system32\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:2004

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
50⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2556

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
51⤵
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HrSPdogOkfxy.bat" "
51⤵
PID:2320

C:\Windows\system32\chcp.com
chcp 65001
52⤵
PID:1840

C:\Windows\system32\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:1284

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
52⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1192

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
53⤵
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\wQZiJiljLdQ2.bat" "
53⤵
PID:1524

C:\Windows\system32\chcp.com
chcp 65001
54⤵
PID:1544

C:\Windows\system32\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:2756

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
54⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2876

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
55⤵
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\5kqcvFbhhKWS.bat" "
55⤵
PID:1240

C:\Windows\system32\chcp.com
chcp 65001
56⤵
PID:664

C:\Windows\system32\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:1140

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
56⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:832

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
57⤵
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\WDsLM4ooe3Zx.bat" "
57⤵
PID:704

C:\Windows\system32\chcp.com
chcp 65001
58⤵
PID:2336

C:\Windows\system32\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:3068

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
58⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
59⤵
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2FrAAZ8zGOoi.bat" "
59⤵
PID:612

C:\Windows\system32\chcp.com
chcp 65001
60⤵
PID:2408

C:\Windows\system32\PING.EXE
ping -n 10 localhost
60⤵
- Runs ping.exe
PID:288

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
60⤵
PID:2388

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
61⤵
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NQfsxCVZHON9.bat" "
61⤵
PID:1504

C:\Windows\system32\chcp.com
chcp 65001
62⤵
PID:2996

C:\Windows\system32\PING.EXE
ping -n 10 localhost
62⤵
- Runs ping.exe
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Client.exe
Filesize
3.1MB

MD5
a121d9d691a400786000dee14a808ab1

SHA1
14ab065be3cfe0a7aa7808cb8891f7c75affc395

SHA256
7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335

SHA512
e0a162b3d00ef69b96bd4a43f9a0c3297005e8a8db84233010d420bf87ff337ed4139b4cc27594fdd194416a03fe8a7be90b03a8f10e34b72f70d399d6917929

Download Submit
C:\Users\Admin\AppData\Local\Temp\2FrAAZ8zGOoi.bat
Filesize
199B

MD5
3249ddbfe3be9a4b1cd38fc5f58cb466

SHA1
5abb5c5ca17d0350339df17705c20034e2a3ee5e

SHA256
8905cbfc6f421fc3ceb1eae55c479150513bf4c1ed21a2b3fcd6af239ef01292

SHA512
c0526a4e0ee914ad86c088a29fe9e2f72b47de57f28e85d24139af8fd3e2b27b0edc1994fe33a49a513d7a8d8bd8e978ed1c006f9d2a804e497f1b427f50eeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5kqcvFbhhKWS.bat
Filesize
199B

MD5
90452b9b669e8ae0c96557eba629004b

SHA1
1968eb8bc184dcc059185940a88f14acd92729d9

SHA256
8a7e2ca525719f773561e72ddf7482eddb982d3a830ae4dfa19304cd3ada88b5

SHA512
e6bc287d2d9bf77551c1188b375e033f676226f3cd597095dd830da1e05f1b322f6f3e90b36c7ca6de9f7ea3dc8cded5c2e7c5eca4276e04d51d180407318de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\63g6e5gsgvgx.bat
Filesize
199B

MD5
9a234d2b8b736bca7f50c78ac22de0d1

SHA1
8fdc23328f50e5704ed2b3cef73aea15fc948b80

SHA256
0e9e685f94bbb6a47946be06058737066945bcf9fdde61e2573592c4923f42f5

SHA512
b680b6e185039b5e05f6249b04cbeff0c4fb682d91c84072a19e7557324c4444c6941dc612c4ffb7033775055697acb5743ff153be5ed800c27a40d004d53f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\HrSPdogOkfxy.bat
Filesize
199B

MD5
1cbcad8048bc6bd31dc4a064515b2e1e

SHA1
d279be55b989d65aae2143c128857d0830089d23

SHA256
9f775e34f241c5c15eb614387d68f87e41ef6f0b5d3d4ce567754c7ecbaf34a0

SHA512
0f1c4b2ac3da376ea021fcbcee5c68a3e307356f50e83fbb4ead63ae6cf145d4923e1e36cfb869bacce35fd2a8dc81c20a55e620b26ffea374a24046b6e06795

Download Submit
C:\Users\Admin\AppData\Local\Temp\K7Ma8zm6JHrP.bat
Filesize
199B

MD5
20fc33849ea3b66abdffc91eecaf93ae

SHA1
36f6dce971afc0b6ffc19dce82bf14c21ec21d37

SHA256
56c6eaac324c4253de737c3c5386f8c8d5d47f5bcc39e1b0ca104e2e9cbde5c3

SHA512
c8510bd5ee6447ca16a570bfe60ca91a6923051976e650a775cb97c8fd28b3b4f90182a823f7dc77efc0620cf541dd1485290f217d652ee97c4c051e9da356e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KXynwquGj2tz.bat
Filesize
199B

MD5
631e72aac7a126f85f67e3bfdbb5b804

SHA1
28a5e507c3f13bdae6938d62310f75150a5e72cf

SHA256
936a75d78374d4dddcb77bd1b71a258a73ef096fd2262bd99909180d43865d84

SHA512
cc3c811077de10c378805798d76d3e17d004be6e9241c856bb5ed3dce8d8a44f84b7e835ae30486fbf3038aaafcbc11d7be57971179a31bd4f423d7efd2fcd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\KjGDVkHS3llc.bat
Filesize
199B

MD5
bca02e992ca3f6ce1a64d1ed7f4e8497

SHA1
327b6c13aeb10a3a990b00f27d90e5d42f11ad23

SHA256
673b1cf1437295dacc9aa95501d7767b8298b5f0d19622665663a80c9de62bd1

SHA512
ec4b063c739baeeb217c032ac2119ba439e974c59d0bb5e9f958052d3a1cd4a392b362c47915147617d3c735f65e64014ff82e59b348564693675a2fd574db68

Download Submit
C:\Users\Admin\AppData\Local\Temp\M5KuTGNpj4Bi.bat
Filesize
199B

MD5
6bb5f84ed8f7ea329baea856cbe310ac

SHA1
cb4e96f4f4978d23f2f04d40801cbea354b95296

SHA256
bf66e323e0d0c27bac6499a5bfaf02c6f7b6739bc94ea4e5397cbcb1116f10c3

SHA512
8d3f62b128ba1157ca07dd34be29d2ce6739e256ff6e82ce2fd7878b9bb57324a59d43cd7490d0dae58eee841004538e9e5ba951b391911c17e354b1a7f896fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQfsxCVZHON9.bat
Filesize
199B

MD5
20a176e4950ac16e585e667cfad94651

SHA1
60d4749b526789809e73712ffba4c0dd58f9fddf

SHA256
c9f1ffaad7275ce277b478cc709b5702cc2d4f465f3418fba2221d37b9d8baa0

SHA512
5edfefe4f3357e43c93ccec92cfa29ba7d1143722557181f85bf225a7f41f5aa5d3c245f26c104b695d93c589f23d18f23667d1e5df1f70366f7710de7b2c62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OVdLqpm0Semr.bat
Filesize
199B

MD5
5513594fc854a67805fb690674b67924

SHA1
f497b6297dab9a8330e476b49f826705d51e316d

SHA256
30bb7a4ae830ab155a8b8e6c453ce0cff244922c0d0edba6320820d3431e06b5

SHA512
16fd1b55fc21b5f1391a88915707e45af898109d4188fc91b78160f461d3ee9dc5b155e43de89816437354569e4efd4f733b43cb61ec32cfb5375a54ce6923ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pw9FXDljQuGb.bat
Filesize
199B

MD5
b3b6396f99b901bcd81f4c515a7ce86e

SHA1
5f42b12f877b7159089b69c8b2d260134733da7e

SHA256
0c4b76936777e437da801777b290aeaa32fe5cea5f3dc634751277f42b9a12a2

SHA512
dbe0b3229e0302280db3d7789cc32aa74b42dfd440e64e5d4cc3a92d17e4139cfa1d32625a85ab8a9dd3be64ce0fb5b54931bc45e84c7ba8db2e56bde74b4baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vv4qYhDwvwKf.bat
Filesize
199B

MD5
6c0600b6e651955f89b80855fadd0eeb

SHA1
774d232cbd70a5b332090bbb9e89cbf2b66c2527

SHA256
fb63e4f608d487047fbb22d5e4f857a21d6f5b6921965b5ff3d788ee0bd6b977

SHA512
abb087ca026a61681b880d2b78b604791e7ff3b04c328b9d0661c9f384a0524f2d66a81024a115c693836baf89da938a1ea4ca44d6616fd3dc8953362edbbe41

Download Submit
C:\Users\Admin\AppData\Local\Temp\WDsLM4ooe3Zx.bat
Filesize
199B

MD5
7635f4a0394958e52768eaa21cfffcab

SHA1
ed8d75b12c82d513234f8c001ec592d12bdc1878

SHA256
42f2a287d2c59f5d84aa717dc170d0215d4b0456e96a561a2bc874576b4a5792

SHA512
be17f9ca609ed908208e535bec649a80c608ce75fe70023a5f8ce0cb8981acd41bbe9d09782afbc415a6494c97a0ea8d27a34d33be4056a943cd96772c1169ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XRBJgSSEK6Sv.bat
Filesize
199B

MD5
dc7c4c9918b3ac6b93c92ef6e531e39e

SHA1
52fd2d30cd25e614f9bb2c065fbba22b1593bedd

SHA256
29e1fd1861884178816ab5cf9971740eac423b6d867059559b392c660243b749

SHA512
f5c6eebd045750d2ee326a5bf363968ac131b3a231b3395f8ecc28e11595bc1d98d83304eeb038177320921773a47d3098edc0b41799e6f86891d860760acfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zp5KWQJUOz1k.bat
Filesize
199B

MD5
4fa7b8ccc2ff29578cb06d7f031a38ff

SHA1
0d30ebda02fcb5a172260a86cd0a1825ee6a63e0

SHA256
748a89f80b82735297ba797623e7abc0557b4497a3f09fe3ebf059e7b6b88ff6

SHA512
292e28ff05846c35bb4bf8ef2ec058a1eb10958caf438b0e44e167e1d28aacb7166465187ccb8492d1c241b3cc1fce78f7e8ff13e5828a7b1f666e1857f0b7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bF3LPsafJKni.bat
Filesize
199B

MD5
26d57da7a9173c0be1a092082c48daca

SHA1
6bd86dffd9e3ba219efe9c18a2c6a18cd3739066

SHA256
888731a2de3fee1ccd3375dd2507d1c3e5d4a0a408c6d5adb12cef670b767f1c

SHA512
df4bc5378d6e92675b6d34a4f26b5387d737f382f350e2432346caac21f37125155e83155f1e236ce92814e6942db133dec0f4d4502b8765b66f042f0bd49065

Download Submit
C:\Users\Admin\AppData\Local\Temp\bQbmObBxJ2DK.bat
Filesize
199B

MD5
7fe52795d11803eeab7cd440b60593bc

SHA1
1ca4376367fce5c4c0b6c5c0c9ad8ed09ac7495a

SHA256
c95c8fb62247782ef0ecfe1b2ea6ecfa6f962e2f04759784d51623ec61923b9a

SHA512
2130c5bd0e6fd4d5ebc0d346ae6c7ab43a957f2e1f137c46c4ca1eb794f71d46a404d7d3166ac859eb4464def792b3486b855c5969eb48844b4a6e2423188135

Download Submit
C:\Users\Admin\AppData\Local\Temp\cPo2p9o3N5ws.bat
Filesize
199B

MD5
e4f25d693e3e574344c75c8060581cb3

SHA1
b9691eb126247325710f58feb5e030aa14e9050f

SHA256
0f7e16b8058f1b234004c34e740cabcf0c400c9f8b92a425e8108ab5f0371fed

SHA512
36087d7a8f5a034388971b3c426a255485a047b8d590956c75a677c886d6ade5aeda4024881158c248408d028c028af1c638753fa5a03d46316bfcf6a5ceff5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eJjeV6kUCFRq.bat
Filesize
199B

MD5
3156efe6361beaf2ea72899e80c75ff5

SHA1
9b76123a6152ec8d34f3f61285ae6d5d469430b5

SHA256
dcde11b7fc770f5b8de6954d9c5ba073265044816ffab4d71a4cadf4b48d17e2

SHA512
b8535d55a31511f7b29e2e0c8b450d1e3465fde0d60728d2f0d89a30cabe7ce019a52d7a1583b1f28403e565317326f90ca524fc476001537f11e1eb689adfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\gXhBUfLOZdfF.bat
Filesize
199B

MD5
e0f5431e82b42bddade95fc570a89f17

SHA1
ddccf05da9a2da0f537f2a3f9e965b14c231cdd5

SHA256
4e85a6d4628f6e04e7059f2f00a046379ae9b069ef949f3854c6280fd2b0b7a6

SHA512
cfc1dd90a9f7a73ec7962548c5c85b95d4a808eea092744b1bf6b98a82d5c3a573c9be9f7f90bdfb982c271ed796478bb903d7dd1d53c2eedfce7e747c538530

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmPB5b0H8f4l.bat
Filesize
199B

MD5
c718186c8e24123ad47a0c81cfcdf1ee

SHA1
237c4e71833a2ba54a88607357fd82f69c033241

SHA256
f6069f0d04558b87c163cf652b6ca6a124c0d897218634d3b214d3abe6580efe

SHA512
02081e7528b2d9fa8f22a58ad70bd74e300588ad991106ff85df1b05de5238c489ac3f9604a5311c7a2a09fba5b7b07db47523ee42548e9ac35d4f3f1812577d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvXcJTH2bIjR.bat
Filesize
199B

MD5
35870f137efab2ec91df6342489618aa

SHA1
bd089e2c4f0a3bc0d766cca43d5f3cf71320d5a8

SHA256
cbcd4346cfc2481d1b87c01c2894446e401cc72d9eb560a5c7c412f76a35a071

SHA512
de52cdbe91e85eb3d8570fab811442465c9a073035b66f20c93279ddde601949fcadf5aee12d520f3881de67274d7233a7924612761da6535d8e0e70ae7371ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\lONklQKUJdAH.bat
Filesize
199B

MD5
a02c476cbd4433012de2a0fe36ae761b

SHA1
855e791e594bdc6507a6daa12280003c2d2ac99a

SHA256
a0f9d52864fb55d063d171bab4e9349be110b3dc6e96a86c195aca712964acce

SHA512
86a709cf67441ed974cae1548c113df8c0b109871c3d73ef53b66034371218285346f76b40fc894c838e55269cdd60d466afa57d4d993708d5c3057511bf66bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pNCSbKHvknyF.bat
Filesize
199B

MD5
1a71efba494aa28c26595bc8cde78f3a

SHA1
963685e4c0857bc456176099be4b5175bc1023ee

SHA256
f855253b160c83dfec1d126dd7744ec93e3bbf5133d9e969c5d8e808f29b6832

SHA512
c2084ad080b567d3e606c0092bf9d166e07f160cca95d14fb41ccebc071101dcece15ab54ac5b91508ae750649f01420a0edf6d6620454ba6123d78280991012

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQZiJiljLdQ2.bat
Filesize
199B

MD5
3c04d79b0ab9243f76f6b3cb3ffdcd83

SHA1
f11d4f608e80b474b10af7d92e5e53bfc63fdec2

SHA256
84e0bc7bc281fbcc9c09d37f4aab6d66ff06ef2b751e6412496b8a1dc4dc22fc

SHA512
6582374dae21480074a6a5465ffc0fa3c09821b6500887eee97d0cb1222f31169b2b9add21b8e5a4eae355181c9fcccadf57a50f18ea5558aec97447abec480e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wscmzVERbVxK.bat
Filesize
199B

MD5
05689bcfacfa6f9ba2beeb2cb4925310

SHA1
a07009d9279181ddb9cb7a5a6b3a39d6d23bb308

SHA256
392c449ea47e05f9e0552a8b20cf5d695ddf0a3a6123cd1d95dc408bf75dbd61

SHA512
f7e1337d6d8a47c44fb3a8db93140912ed55eb37c08180fcbfb119110a7c62b826cf4407696cae0198f094bdf573d8fe9a0c069dd7557df2bb9f81bde0a42dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8dzC5oj4MNO.bat
Filesize
199B

MD5
95f93823b0153392199428f6245cfae8

SHA1
56c557ce03cabf1cf58e8695420f30c0832ed122

SHA256
7bd660479cfd1f4400297f65cdc4199f74cf1b9b4a2fc6d6739b1c8dc1a1f35e

SHA512
8f8db2466456ae748f67edcf2a577f5fd7435dcf09e018bcf9532aba41fd876451413a4d71053ff5da390a7f3506aaac17b048572f17860b14c127512d6df57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yDDfSJepBgO7.bat
Filesize
199B

MD5
6a7367f5dbafad5ed3b581e1d36ae992

SHA1
d356947669a9d48ea13955c3744c3370be28b974

SHA256
ef6ad147097aa65e70cb7c5e833a20c158abcb5b4def97ab32cae8d8050deb4f

SHA512
f841b417a890c508965f517963223ec0efe8fae2ec0bd519c1ae40e0e408266afbfd185f2320178faa79fca70d9a566a0d2a297c8a40d5af9a0acadee8996d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\yFZOSRo7BBA8.bat
Filesize
199B

MD5
2f96e740256e4a64a5f4d6357f9f0c22

SHA1
29116341fd1aa94a48e9f3bdf26dac061627ac14

SHA256
3907004d4e05442dacc9567235b29a6b3e6b0d92f9caaac55d7b0b1798d1e045

SHA512
7361b29f45f1c027210f751b5028fe3136e25c074c47764deb4224b264b4d5512c23403ea7288a20da4d299dc3cc3f57b54150d8753341a56946b958de7e4246

Download Submit
C:\Users\Admin\AppData\Local\Temp\z6TQ8BINDMus.bat
Filesize
199B

MD5
85cd648fcd85064c4d432178e9bc40f5

SHA1
79bf2562b60bdbd5732ac2414878738e70d08354

SHA256
4c283e6f0629b68db5ce632139f1a2491744cf1db4dad7078dd5eb58ea1c08c0

SHA512
6ad7f53862e5739bf943f4945fa0c3f57bbea8c19c5e15fd11d29b58c1186bb72a535b9465d6635842f80e5c9192d6267501e1a56c4fb0836c3c6996b832b27e

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/832-286-0x0000000000F20000-0x0000000001244000-memory.dmp

Filesize
3.1MB

Download
memory/1192-268-0x00000000002C0000-0x00000000005E4000-memory.dmp

Filesize
3.1MB

Download
memory/1252-295-0x0000000000FD0000-0x00000000012F4000-memory.dmp

Filesize
3.1MB

Download
memory/1280-25-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/1280-9-0x0000000000C80000-0x0000000000FA4000-memory.dmp

Filesize
3.1MB

Download
memory/1280-8-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/1280-11-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/1280-12-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/1280-13-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/1636-80-0x00000000002D0000-0x00000000005F4000-memory.dmp

Filesize
3.1MB

Download
memory/1644-211-0x0000000001340000-0x0000000001664000-memory.dmp

Filesize
3.1MB

Download
memory/1948-91-0x0000000001110000-0x0000000001434000-memory.dmp

Filesize
3.1MB

Download
memory/2060-1-0x0000000000310000-0x0000000000634000-memory.dmp

Filesize
3.1MB

Download
memory/2060-0-0x000007FEF5A33000-0x000007FEF5A34000-memory.dmp

Filesize
4KB

Download
memory/2060-2-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-10-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-102-0x0000000000260000-0x0000000000584000-memory.dmp

Filesize
3.1MB

Download
memory/2216-189-0x0000000000E70000-0x0000000001194000-memory.dmp

Filesize
3.1MB

Download
memory/2504-200-0x0000000001140000-0x0000000001464000-memory.dmp

Filesize
3.1MB

Download
memory/2628-113-0x0000000000BC0000-0x0000000000EE4000-memory.dmp

Filesize
3.1MB

Download
memory/2816-124-0x0000000000E40000-0x0000000001164000-memory.dmp

Filesize
3.1MB

Download
memory/2876-277-0x0000000000910000-0x0000000000C34000-memory.dmp

Filesize
3.1MB

Download
memory/2896-37-0x0000000000EC0000-0x00000000011E4000-memory.dmp

Filesize
3.1MB

Download