quasar | 7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335

Analysis

max time kernel
592s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sp00fer.exe
Size

3.1MB
MD5

a121d9d691a400786000dee14a808ab1
SHA1

14ab065be3cfe0a7aa7808cb8891f7c75affc395
SHA256

7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335
SHA512

e0a162b3d00ef69b96bd4a43f9a0c3297005e8a8db84233010d420bf87ff337ed4139b4cc27594fdd194416a03fe8a7be90b03a8f10e34b72f70d399d6917929
SSDEEP

49152:zvulL26AaNeWgPhlmVqvMQ7XSKLCO1JRLoGdFTHHB72eh2NT:zveL26AaNeWgPhlmVqkQ7XSKLCE

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

pringelsy-51954.portmap.host:51954

Mutex

6dc28d35-3024-44a7-a559-f9991015fa39

Attributes

encryption_key
3107DF2D44BB6914C55BEA57D100135AB0F278DF
install_name
Client.exe
log_directory
Logs
reconnect_delay
799
startup_key
Quasar Client Startup
subdirectory
Common Files

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/644-1-0x0000000000240000-0x0000000000564000-memory.dmp family_quasar
C:\Program Files\Common Files\Client.exe family_quasar

resource	yara_rule
behavioral2/memory/644-1-0x0000000000240000-0x0000000000564000-memory.dmp	family_quasar
C:\Program Files\Common Files\Client.exe	family_quasar

Checks computer location settings 2 TTPs 29 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 30 IoCs

Processes:

pid	process
1692	Client.exe
2264	Client.exe
2504	Client.exe
2436	Client.exe
4916	Client.exe
1316	Client.exe
2696	Client.exe
3972	Client.exe
4732	Client.exe
4920	Client.exe
2544	Client.exe
3692	Client.exe
2044	Client.exe
1448	Client.exe
3472	Client.exe
1380	Client.exe
2988	Client.exe
4300	Client.exe
4856	Client.exe
860	Client.exe
3080	Client.exe
1880	Client.exe
228	Client.exe
1352	Client.exe
1164	Client.exe
2160	Client.exe
432	Client.exe
2492	Client.exe
4508	Client.exe
3512	Client.exe

Drops file in Program Files directory 63 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exesp00fer.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	sp00fer.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File created	C:\Program Files\Common Files\Client.exe	sp00fer.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	sp00fer.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files	Client.exe
File opened for modification	C:\Program Files\Common Files\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 29 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3104	PING.EXE
4184	PING.EXE
2560	PING.EXE
4112	PING.EXE
3252	PING.EXE
1772	PING.EXE
1432	PING.EXE
2688	PING.EXE
3864	PING.EXE
4596	PING.EXE
2568	PING.EXE
4196	PING.EXE
2832	PING.EXE
2552	PING.EXE
2540	PING.EXE
2844	PING.EXE
392	PING.EXE
4616	PING.EXE
4012	PING.EXE
4880	PING.EXE
4952	PING.EXE
3952	PING.EXE
5044	PING.EXE
996	PING.EXE
4908	PING.EXE
4312	PING.EXE
3552	PING.EXE
3432	PING.EXE
2704	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 31 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3284	schtasks.exe
216	schtasks.exe
1592	schtasks.exe
3740	schtasks.exe
2168	schtasks.exe
2248	schtasks.exe
1532	schtasks.exe
4204	schtasks.exe
3528	schtasks.exe
708	schtasks.exe
3656	schtasks.exe
2896	schtasks.exe
4856	schtasks.exe
1856	schtasks.exe
1596	schtasks.exe
116	schtasks.exe
4764	schtasks.exe
1588	schtasks.exe
3328	schtasks.exe
1320	schtasks.exe
4008	schtasks.exe
3300	schtasks.exe
2364	schtasks.exe
3832	schtasks.exe
1176	schtasks.exe
3568	schtasks.exe
3192	schtasks.exe
1708	schtasks.exe
3272	schtasks.exe
3552	schtasks.exe
2304	schtasks.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

sp00fer.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	644	sp00fer.exe
Token: SeDebugPrivilege	1692	Client.exe
Token: SeDebugPrivilege	2264	Client.exe
Token: SeDebugPrivilege	2504	Client.exe
Token: SeDebugPrivilege	2436	Client.exe
Token: SeDebugPrivilege	4916	Client.exe
Token: SeDebugPrivilege	1316	Client.exe
Token: SeDebugPrivilege	2696	Client.exe
Token: SeDebugPrivilege	3972	Client.exe
Token: SeDebugPrivilege	4732	Client.exe
Token: SeDebugPrivilege	4920	Client.exe
Token: SeDebugPrivilege	2544	Client.exe
Token: SeDebugPrivilege	3692	Client.exe
Token: SeDebugPrivilege	2044	Client.exe
Token: SeDebugPrivilege	1448	Client.exe
Token: SeDebugPrivilege	3472	Client.exe
Token: SeDebugPrivilege	1380	Client.exe
Token: SeDebugPrivilege	2988	Client.exe
Token: SeDebugPrivilege	4300	Client.exe
Token: SeDebugPrivilege	4856	Client.exe
Token: SeDebugPrivilege	860	Client.exe
Token: SeDebugPrivilege	3080	Client.exe
Token: SeDebugPrivilege	1880	Client.exe
Token: SeDebugPrivilege	228	Client.exe
Token: SeDebugPrivilege	1352	Client.exe
Token: SeDebugPrivilege	1164	Client.exe
Token: SeDebugPrivilege	2160	Client.exe
Token: SeDebugPrivilege	432	Client.exe
Token: SeDebugPrivilege	2492	Client.exe
Token: SeDebugPrivilege	4508	Client.exe
Token: SeDebugPrivilege	3512	Client.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

pid	process
1692	Client.exe
2264	Client.exe
2504	Client.exe
2436	Client.exe
4916	Client.exe
1316	Client.exe
2696	Client.exe
3972	Client.exe
4732	Client.exe
4920	Client.exe
2544	Client.exe
3692	Client.exe
2044	Client.exe
1448	Client.exe
3472	Client.exe
1380	Client.exe
2988	Client.exe
4300	Client.exe
4856	Client.exe
860	Client.exe
3080	Client.exe
1880	Client.exe
228	Client.exe
1352	Client.exe
1164	Client.exe
2160	Client.exe
432	Client.exe
2492	Client.exe
4508	Client.exe
3512	Client.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

pid	process
1692	Client.exe
2264	Client.exe
2504	Client.exe
2436	Client.exe
4916	Client.exe
1316	Client.exe
2696	Client.exe
3972	Client.exe
4732	Client.exe
4920	Client.exe
2544	Client.exe
3692	Client.exe
2044	Client.exe
1448	Client.exe
3472	Client.exe
1380	Client.exe
2988	Client.exe
4300	Client.exe
4856	Client.exe
860	Client.exe
3080	Client.exe
1880	Client.exe
228	Client.exe
1352	Client.exe
1164	Client.exe
2160	Client.exe
432	Client.exe
2492	Client.exe
4508	Client.exe
3512	Client.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

pid	process
1692	Client.exe
2504	Client.exe
4916	Client.exe
1316	Client.exe
2696	Client.exe
3972	Client.exe
4732	Client.exe
4920	Client.exe
2544	Client.exe
3692	Client.exe
2044	Client.exe
1448	Client.exe
3472	Client.exe
1380	Client.exe
2988	Client.exe
4856	Client.exe
860	Client.exe
3080	Client.exe
1880	Client.exe
228	Client.exe
1352	Client.exe
1164	Client.exe
2160	Client.exe
432	Client.exe
2492	Client.exe
4508	Client.exe
3512	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sp00fer.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	process	target process
PID 644 wrote to memory of 116	644	sp00fer.exe	schtasks.exe
PID 644 wrote to memory of 116	644	sp00fer.exe	schtasks.exe
PID 644 wrote to memory of 1692	644	sp00fer.exe	Client.exe
PID 644 wrote to memory of 1692	644	sp00fer.exe	Client.exe
PID 1692 wrote to memory of 4856	1692	Client.exe	schtasks.exe
PID 1692 wrote to memory of 4856	1692	Client.exe	schtasks.exe
PID 1692 wrote to memory of 2016	1692	Client.exe	cmd.exe
PID 1692 wrote to memory of 2016	1692	Client.exe	cmd.exe
PID 2016 wrote to memory of 1436	2016	cmd.exe	chcp.com
PID 2016 wrote to memory of 1436	2016	cmd.exe	chcp.com
PID 2016 wrote to memory of 1432	2016	cmd.exe	PING.EXE
PID 2016 wrote to memory of 1432	2016	cmd.exe	PING.EXE
PID 2016 wrote to memory of 2264	2016	cmd.exe	Client.exe
PID 2016 wrote to memory of 2264	2016	cmd.exe	Client.exe
PID 2264 wrote to memory of 4008	2264	Client.exe	schtasks.exe
PID 2264 wrote to memory of 4008	2264	Client.exe	schtasks.exe
PID 2264 wrote to memory of 3672	2264	Client.exe	cmd.exe
PID 2264 wrote to memory of 3672	2264	Client.exe	cmd.exe
PID 3672 wrote to memory of 3972	3672	cmd.exe	chcp.com
PID 3672 wrote to memory of 3972	3672	cmd.exe	chcp.com
PID 3672 wrote to memory of 4312	3672	cmd.exe	PING.EXE
PID 3672 wrote to memory of 4312	3672	cmd.exe	PING.EXE
PID 3672 wrote to memory of 2504	3672	cmd.exe	Client.exe
PID 3672 wrote to memory of 2504	3672	cmd.exe	Client.exe
PID 2504 wrote to memory of 708	2504	Client.exe	schtasks.exe
PID 2504 wrote to memory of 708	2504	Client.exe	schtasks.exe
PID 2504 wrote to memory of 3812	2504	Client.exe	cmd.exe
PID 2504 wrote to memory of 3812	2504	Client.exe	cmd.exe
PID 3812 wrote to memory of 3992	3812	cmd.exe	chcp.com
PID 3812 wrote to memory of 3992	3812	cmd.exe	chcp.com
PID 3812 wrote to memory of 2844	3812	cmd.exe	PING.EXE
PID 3812 wrote to memory of 2844	3812	cmd.exe	PING.EXE
PID 3812 wrote to memory of 2436	3812	cmd.exe	Client.exe
PID 3812 wrote to memory of 2436	3812	cmd.exe	Client.exe
PID 2436 wrote to memory of 4764	2436	Client.exe	schtasks.exe
PID 2436 wrote to memory of 4764	2436	Client.exe	schtasks.exe
PID 2436 wrote to memory of 1596	2436	Client.exe	cmd.exe
PID 2436 wrote to memory of 1596	2436	Client.exe	cmd.exe
PID 1596 wrote to memory of 4932	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 4932	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 2568	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2568	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 4916	1596	cmd.exe	Client.exe
PID 1596 wrote to memory of 4916	1596	cmd.exe	Client.exe
PID 4916 wrote to memory of 3192	4916	Client.exe	schtasks.exe
PID 4916 wrote to memory of 3192	4916	Client.exe	schtasks.exe
PID 4916 wrote to memory of 5036	4916	Client.exe	cmd.exe
PID 4916 wrote to memory of 5036	4916	Client.exe	cmd.exe
PID 5036 wrote to memory of 4016	5036	cmd.exe	chcp.com
PID 5036 wrote to memory of 4016	5036	cmd.exe	chcp.com
PID 5036 wrote to memory of 3104	5036	cmd.exe	PING.EXE
PID 5036 wrote to memory of 3104	5036	cmd.exe	PING.EXE
PID 5036 wrote to memory of 1316	5036	cmd.exe	Client.exe
PID 5036 wrote to memory of 1316	5036	cmd.exe	Client.exe
PID 1316 wrote to memory of 4204	1316	Client.exe	schtasks.exe
PID 1316 wrote to memory of 4204	1316	Client.exe	schtasks.exe
PID 1316 wrote to memory of 2832	1316	Client.exe	cmd.exe
PID 1316 wrote to memory of 2832	1316	Client.exe	cmd.exe
PID 2832 wrote to memory of 4860	2832	cmd.exe	chcp.com
PID 2832 wrote to memory of 4860	2832	cmd.exe	chcp.com
PID 2832 wrote to memory of 5044	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 5044	2832	cmd.exe	PING.EXE
PID 2832 wrote to memory of 2696	2832	cmd.exe	Client.exe
PID 2832 wrote to memory of 2696	2832	cmd.exe	Client.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sp00fer.exe
"C:\Users\Admin\AppData\Local\Temp\sp00fer.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8437ejfa3Jqc.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:1436

C:\Windows\system32\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1432

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
5⤵
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1AQf1zWYsGXV.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3972

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:4312

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
7⤵
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H3rNf0EFGPk2.bat" "
7⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:3992

C:\Windows\system32\PING.EXE
ping -n 10 localhost
8⤵
- Runs ping.exe
PID:2844

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
9⤵
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\t3RmombxiHxi.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:4932

C:\Windows\system32\PING.EXE
ping -n 10 localhost
10⤵
- Runs ping.exe
PID:2568

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
11⤵
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqiWikAmQ5zo.bat" "
11⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:4016

C:\Windows\system32\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:3104

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
13⤵
- Scheduled Task/Job: Scheduled Task
PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vr38kIKgT17Z.bat" "
13⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:4860

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:5044

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
15⤵
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\go4wxzMQR1ZD.bat" "
15⤵
PID:1364

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:2320

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:996

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
17⤵
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T6bdw1iZbDU3.bat" "
17⤵
PID:5012

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:4504

C:\Windows\system32\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:3552

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4732

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
19⤵
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iMQV3SO8OSQj.bat" "
19⤵
PID:4596

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:612

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:392

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4920

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
21⤵
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WZ8EhzHMlKez.bat" "
21⤵
PID:2656

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:764

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:4616

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
23⤵
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bovTrPTikkeZ.bat" "
23⤵
PID:3904

C:\Windows\system32\chcp.com
chcp 65001
24⤵
PID:1800

C:\Windows\system32\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:4012

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3692

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
25⤵
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RF4ZO4U1Bdd4.bat" "
25⤵
PID:4948

C:\Windows\system32\chcp.com
chcp 65001
26⤵
PID:4772

C:\Windows\system32\PING.EXE
ping -n 10 localhost
26⤵
- Runs ping.exe
PID:3252

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
27⤵
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYy1t8J0fTuh.bat" "
27⤵
PID:2832

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:2440

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:4880

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1448

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
29⤵
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IHNJ1ibp348P.bat" "
29⤵
PID:4924

C:\Windows\system32\chcp.com
chcp 65001
30⤵
PID:5048

C:\Windows\system32\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:4952

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
31⤵
- Scheduled Task/Job: Scheduled Task
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cQfyaqfAmInH.bat" "
31⤵
PID:1624

C:\Windows\system32\chcp.com
chcp 65001
32⤵
PID:1568

C:\Windows\system32\PING.EXE
ping -n 10 localhost
32⤵
- Runs ping.exe
PID:4184

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1380

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
33⤵
- Scheduled Task/Job: Scheduled Task
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMpELHOEHWfZ.bat" "
33⤵
PID:1028

C:\Windows\system32\chcp.com
chcp 65001
34⤵
PID:3456

C:\Windows\system32\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:2688

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
35⤵
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qMom6kreZ7rd.bat" "
35⤵
PID:5112

C:\Windows\system32\chcp.com
chcp 65001
36⤵
PID:3916

C:\Windows\system32\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:2560

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4300

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
37⤵
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqMByihvmVnP.bat" "
37⤵
PID:1416

C:\Windows\system32\chcp.com
chcp 65001
38⤵
PID:5116

C:\Windows\system32\PING.EXE
ping -n 10 localhost
38⤵
- Runs ping.exe
PID:2552

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
39⤵
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xCJ5X62jMXFV.bat" "
39⤵
PID:4244

C:\Windows\system32\chcp.com
chcp 65001
40⤵
PID:2924

C:\Windows\system32\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:2540

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:860

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
41⤵
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fbrpqeUALMFC.bat" "
41⤵
PID:1720

C:\Windows\system32\chcp.com
chcp 65001
42⤵
PID:1176

C:\Windows\system32\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:3432

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
42⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3080

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
43⤵
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n1G9WYM7Vybg.bat" "
43⤵
PID:828

C:\Windows\system32\chcp.com
chcp 65001
44⤵
PID:996

C:\Windows\system32\PING.EXE
ping -n 10 localhost
44⤵
- Runs ping.exe
PID:3952

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
44⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
45⤵
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\grtjy5x2xeET.bat" "
45⤵
PID:4312

C:\Windows\system32\chcp.com
chcp 65001
46⤵
PID:2592

C:\Windows\system32\PING.EXE
ping -n 10 localhost
46⤵
- Runs ping.exe
PID:4908

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
46⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:228

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
47⤵
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ku0uRusxxzLD.bat" "
47⤵
PID:3524

C:\Windows\system32\chcp.com
chcp 65001
48⤵
PID:3960

C:\Windows\system32\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:3864

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
48⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
49⤵
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsHXPefbcMFX.bat" "
49⤵
PID:976

C:\Windows\system32\chcp.com
chcp 65001
50⤵
PID:452

C:\Windows\system32\PING.EXE
ping -n 10 localhost
50⤵
- Runs ping.exe
PID:4112

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
50⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
51⤵
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2Y91bqOXpQ3V.bat" "
51⤵
PID:1724

C:\Windows\system32\chcp.com
chcp 65001
52⤵
PID:400

C:\Windows\system32\PING.EXE
ping -n 10 localhost
52⤵
- Runs ping.exe
PID:4596

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
52⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
53⤵
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JhWfCWRCXS1j.bat" "
53⤵
PID:348

C:\Windows\system32\chcp.com
chcp 65001
54⤵
PID:4388

C:\Windows\system32\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:1772

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:432

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
55⤵
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v7sPxfCGtP3E.bat" "
55⤵
PID:5036

C:\Windows\system32\chcp.com
chcp 65001
56⤵
PID:1528

C:\Windows\system32\PING.EXE
ping -n 10 localhost
56⤵
- Runs ping.exe
PID:2704

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
56⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
57⤵
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0HqSJtuPCEoQ.bat" "
57⤵
PID:4904

C:\Windows\system32\chcp.com
chcp 65001
58⤵
PID:4940

C:\Windows\system32\PING.EXE
ping -n 10 localhost
58⤵
- Runs ping.exe
PID:4196

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
58⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
59⤵
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmyBg5OA9pqr.bat" "
59⤵
PID:1436

C:\Windows\system32\chcp.com
chcp 65001
60⤵
PID:2716

C:\Windows\system32\PING.EXE
ping -n 10 localhost
60⤵
- Runs ping.exe
PID:2832

C:\Program Files\Common Files\Client.exe
"C:\Program Files\Common Files\Client.exe"
60⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3512

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Program Files\Common Files\Client.exe" /rl HIGHEST /f
61⤵
- Scheduled Task/Job: Scheduled Task
PID:3568

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Client.exe
Filesize
3.1MB

MD5
a121d9d691a400786000dee14a808ab1

SHA1
14ab065be3cfe0a7aa7808cb8891f7c75affc395

SHA256
7849231d077a00fd9129c2c6cecbb3287afc5656b8dfd263fdf57e2432d4f335

SHA512
e0a162b3d00ef69b96bd4a43f9a0c3297005e8a8db84233010d420bf87ff337ed4139b4cc27594fdd194416a03fe8a7be90b03a8f10e34b72f70d399d6917929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0HqSJtuPCEoQ.bat
Filesize
199B

MD5
aae22f047f7396f30646dc1ac00a92ec

SHA1
f9d8128da4eb2c46a6e0459c051fabd117409cff

SHA256
28f1c7a5a9b47eb6e9d6955204bc62d2f699fe66eba1145ee55a85c26068c458

SHA512
5f29375ab1b814d836e76385af5547ccc1251362d99661bdfc690252653e2b62b940aeaec929763d3718aa276977a201e61e4b52b6857188f0add2c597e37efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AQf1zWYsGXV.bat
Filesize
199B

MD5
925f20c7651d7815404e0a0f4ee436fe

SHA1
b8f6758a3846d2940ce554a145f2df6bf2e7813c

SHA256
599b0a000511def36c561f8169418c011004eae47475c657053a82212ba86e3a

SHA512
ccebb704b583e4a40a589b40b511fb46222e1ae4a51a8ef695ac73aa80fb70b7510ff681f1f369caf2d08a0d4f0d8517de94a5e5ef0dccbd1e43006bcfe0b5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Y91bqOXpQ3V.bat
Filesize
199B

MD5
352d143500edd1537b1a353987f98f25

SHA1
b2e963881cc7df41af0fd42f37ce8e92b2bda891

SHA256
05ff4e523865980b66a8f35a4bda1f45798b14c7b5172364bd1c1a6898c17476

SHA512
2e6ce63302f65da5b7288479fd716e47f23abd57bd0cda5e77e50e22f4046ef77064aff67d276edccb1c9c45665c2e851b40281d1e3b96b72f1fffb3febd8a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8437ejfa3Jqc.bat
Filesize
199B

MD5
d0418da9238eefe7616137ee528cc83f

SHA1
85c5aae0a268e7a400b4a21d0a2bea656303cfde

SHA256
1c12180d25ce9ba9a4cc94ead9bf11a16363dd36f6874fa49c20f643f86d66b0

SHA512
8fdc53eabc26b57645f140011d9c521303ada0af9933dd3364bbe1766e8ef473ff2051db22571ff4fd7852ae48a6760fac25d6c9b9f5f73d6c4d717ee9ea4565

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYy1t8J0fTuh.bat
Filesize
199B

MD5
dccd9367276fd08098d03c8836b2b4ca

SHA1
31addd3b0756b1d8e2a6226812dd2906eddc3f74

SHA256
37ac1c900c097f67277285e2ddce83799679acd1d0c9737047b8070be3f650fe

SHA512
d8db40fdf54fa9e9c123535e2950e1faf1b990aa2fdb415c9ab43fc9ae16b8cc79225858838773482c4e919588548c88e4cfd9c49cd61a5b73bb87f65da7a23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\H3rNf0EFGPk2.bat
Filesize
199B

MD5
5d9696dd9d7d30b895bb00211ea92b19

SHA1
a6949fe55e30a28b194b37184a7203ab00f81b89

SHA256
153d67295308909c2a6d40525406ba73779279ba83f91ffa09a0ddf4201bed0f

SHA512
3812e6129598e9c8c07a3e880e083b137a05ba1789b1462afc52e14738afbb75d86e5a21ebb3601bf24d143fc94ca20935d1732c0cf52ec78174af9f00686ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\IHNJ1ibp348P.bat
Filesize
199B

MD5
d34b7c60e476ed4a56c6e4b22fc422de

SHA1
967dac171e1badf0187dd2a19dec7dd48480386b

SHA256
f809adaf1dc0ae4fc313e3571925ebac6621a07e2f3b9310013636e2804e4c5d

SHA512
9003e54a1de5da0079403afe749876773ba25409ff776dd423cb4170c1fb4046be137bb4229645253709c5656e125200ab843da017fca72a150952b864bf2f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhWfCWRCXS1j.bat
Filesize
199B

MD5
c7e86643aa507b1c40cd59e0f264b578

SHA1
8a29d41b15e4bbb25d9e954e2a998f9c27bd9a33

SHA256
8aa4ef5fd3060f59757c5d490043f3c2a995a76eb3c152060b71cfb67513df4f

SHA512
158cf8cbe609f6bc76520d0b170e8ce991b22ff523c1095fbc4b3cc4f15d32df2def564046473a2cf38c9fa746d5fd66490ef4212c5ef74e5fb6f58d349f539f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ku0uRusxxzLD.bat
Filesize
199B

MD5
0106d8a5518c2a5f9f4e670c3c66d338

SHA1
245a4e50549b81686969b02e7219c096d46f07fb

SHA256
d3a7d81756e71e6924a870dacc307b3701bc52026fedbb1d0542a6ecb9fb141f

SHA512
74205700b3334a3b65d534fad7f542c8dba783eb81cb921167634b9c69f7aa275979d4f5123a30c72c53b23865c9b84f768a9b45b7a90cbd8774d1e2e118aad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RF4ZO4U1Bdd4.bat
Filesize
199B

MD5
dc70ee7303c79bd2f5da66b5b217025c

SHA1
a83682a53ab6c150ed85fcc61dece3bee3944c94

SHA256
68cb95c75134319b675cbe2a66a6f9e48a2777e904ccbf46bb6e1c04b8dfb6a1

SHA512
a4d5956ff2f8bae273ecfc673e4d7461da1ffda6c618693c1ba42fb32023ae0462b9e122bc015c1f3ac4fb524a400f60761500b8f73df57bcde1ab1b33c0c595

Download Submit
C:\Users\Admin\AppData\Local\Temp\RmyBg5OA9pqr.bat
Filesize
199B

MD5
fc1cd6b784eaeeb684d086dee4aa253c

SHA1
71ea8d1ec6be5844075bc86cc0484e073ef2cf67

SHA256
f16c1cb26650da6dfec610d251ad433a9fe28fe4ea55221b8b5c349a210348f6

SHA512
a6c63537d1509ec5e5ddd47943fcd14744a1dad5263447ddf4f70fdefc8c6187aef300c23ee8825e3ef4df89ab897db8f9b7fe79fbe8919659ede0597a86dd4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SqMByihvmVnP.bat
Filesize
199B

MD5
57ad4a2bbd6aa6321ea591e261d0960b

SHA1
3bb29f07b8908299a1eefbace99904f1295b501b

SHA256
c33aa9e1da75bec0aeef1af94c91439851e30ee937e8697fc2982c5781f5bced

SHA512
4fc3f771d52008577fa2624e7f712228ba92794de287fbf451ac064cf62cdd850a591a957493a1d1483b96ff4d309bb42d59d626115e4dfff7cffddfeb178a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\T6bdw1iZbDU3.bat
Filesize
199B

MD5
803e98035196e2d87f85b6f3b473b7c1

SHA1
1727317af4bccad2c07a3bda157ddb35c0c43b4d

SHA256
1225211f583e1836b9d0b7060815c2124ee9984eb7ed6f7cb0a423490cd63a8f

SHA512
5ffaafa04d2e4164ed9c5ac023fd2c9514b2db38967bf07371cf8f902f8224a20a8962f931041dc2ebee10e3806e729abb7ea4b735a2b5c8cee9c3b04948d92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsHXPefbcMFX.bat
Filesize
199B

MD5
d8e8eba0aa3bef9367acad0096ae3bd6

SHA1
eb8f79b8b8e731c4346e325b03dd56e40554bfbd

SHA256
28bb9c7c3a6b80a594f22f4b73da6e8b437229d17ede7937f76c8052a6c8896b

SHA512
bd710451b9791eeebf4da575e54fffd92749c95b29298d7aead898957f7969f8dddcc9a6c2787a1bc776fe925507e129097e0a5ebcc5c46ec3ddddbd831d4900

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMpELHOEHWfZ.bat
Filesize
199B

MD5
197a76677f3b9d507bfed0d331bcbe70

SHA1
5e58345ae10bc330591921e0833de5f113fb491e

SHA256
ac700111c48bf3358e7fef0a112199bbb6100ed6c4ce59b43f6201d4fb25e049

SHA512
12f715c7c53912e47be19b3470fd9c8bccde765d7b3792cd51d0e39a72e0130cee2a5d9579d9484a553c3343558ea1a9a10a0d750e680a37c0b2e00de7199a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bovTrPTikkeZ.bat
Filesize
199B

MD5
2d9de91395be016a1cfad7ae78c9c025

SHA1
a54787244a3d11f247c03f2be6fba29fdac55744

SHA256
b45ba6683339925278c22e70cbdf15280b3abd1a474fa7e4d517f5da0066cdcd

SHA512
68a6d61b0b8b4b440deea5cbf91dbd0a504570808db4621eddad5f1bc2c0e8e7cdbeacb5bbfedec3d0472344b6ff3450b0756da84914ed324785c4c8423fc565

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQfyaqfAmInH.bat
Filesize
199B

MD5
e50d74e20423e8e01e9c4b4e56998baa

SHA1
47e2a4ba8f1e4566d3859294c74850a84393f1d9

SHA256
9df71a55d466c4d36a221663d4374906341ae26a25139881d2f8808c2d715504

SHA512
10f17b461d2a07f888af28f639d6f3d93e07f78f8b5377baec383a93181ac6e932122840a333794370376dbe14577faf1f8cf7aa8f3254cd0269c60e8026b335

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbrpqeUALMFC.bat
Filesize
199B

MD5
603d8b718f69a15f9f7e37c6870d3ecc

SHA1
aa6530004ab214bd69a1c617782338ad4f1362ae

SHA256
41a8605dd057bf402b0fb47b786e1ed88dbeddec4a06cc3ff0f2fdd11dd1d8d7

SHA512
fa983c208a98868d3478793e7ecb0b9204a6ec7c380e41d7afda3ede906f98c097ed86f6450ae3bcc87138c2040ec3274dcdb3e5ef92a96dae5c0b220ac74290

Download Submit
C:\Users\Admin\AppData\Local\Temp\go4wxzMQR1ZD.bat
Filesize
199B

MD5
fab44b62e8f7f5acce4d99f24010f2e6

SHA1
76a76d42db42725c6178f3b8208e774eac07c1da

SHA256
45185528b3ca6e7945075a087386cdfc85f650319e20dd491ea09af8f83558a2

SHA512
1aa70147eecb16b4b961ecb93391260ee13fd22384857d50ddf97eb40fb109e1bb76ad0f76572a3e6ae0770cbbd9ba7a771fe3457c482c2d58faedf37669fbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\grtjy5x2xeET.bat
Filesize
199B

MD5
fbef5910311bef7349f3aeb6a0748048

SHA1
5514294a583b72179cf7e874ceb2b387d2bfe3d1

SHA256
ae905e7e71ce590c407677807b0aaf6582007d2097b677c6832dd934c360b5fe

SHA512
bf81356d2ada60d40d8f9434b26f2a54e8d259afcf8a5c4c4d6f3cf90566538d441d96103b1d07ae53f65ad3d348d10238e7e19fd3ce510760365640584917cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hqiWikAmQ5zo.bat
Filesize
199B

MD5
f7dbd8c5b237cc29a11119d400942782

SHA1
f5b20b295b89d960654967b704ad1839d6f92669

SHA256
0119dba0f11c64c02a76bcac2adf5c1e73f5b5c1c5fc73a90685b5b5ff23a963

SHA512
be8a0fe877fa24f352f069ba3b8b9a97973c32c5d0c70efd129d9f870cb5c486cc6f5ae1d17ca73cc58d4ace6fb8c7ca2818531effb45b1d630800a9a76199ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMQV3SO8OSQj.bat
Filesize
199B

MD5
223203bd28569cb20d0244631b7de870

SHA1
c309d91cdcfc13d1c8ca933c77637647c3f26a72

SHA256
f2fe8e87713c83b1f4df2bf1705bbd19961a741890f2ef024a31423b1e6ff806

SHA512
103d778254431ca97a75fd3b04e439d4d744913b524730a71575e0f4a5473090c8913fc81b700355639025a1de0ed4951369941f5afee9ad03b92e545c9ab0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\n1G9WYM7Vybg.bat
Filesize
199B

MD5
4b22800d10e64aff959d83186aa933cd

SHA1
53f518f229462c1aa3d56e0c7899e33a1bfcd193

SHA256
d1bd6ec9b5744cd45ed72cef86c24e8b453b468a9f37b703bebaa6fbceccd1ac

SHA512
f506c9efec7c7329c38753250efc9921e90b28d82f4215cda2957526c538b05529b44375c0be004b10c4ccaeaffe410b10560c0fd5c597078421c573f130f1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMom6kreZ7rd.bat
Filesize
199B

MD5
7feed49d6276b4817bb77bdf1925bb02

SHA1
266e1cc2254083d157121729cb9b97721c5546a9

SHA256
9aa57b8f9fd3b820183f41569f8845a5c54412f5bc6bbc306ad6fd6d43bc2fa3

SHA512
e67d435b5b4a43752469e70be85e749cb4d1dcb361548ca02587c34235e88560b6f1bcbdacd44d6fe610b78fc9e996e3ccede3718078d403f2ef571ff102d2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\t3RmombxiHxi.bat
Filesize
199B

MD5
1274f6839fd56eb8bbe1ebc7b4692f44

SHA1
6fae98e5972259b8dc20941af1d6f1e5e4b92ab9

SHA256
23f1d8ced1a3bc7bcbcec2c9461240191b69de784c66e061c9c0a9d0e5a188a7

SHA512
448de3a780ece9eca23f1bf232ed7cc095f2a4f09c618784408bee8d1881fec4b624ceafc3691f2df20fa02c7eb20b9dd406f65c39c5e5dc4e462cfce014d71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\v7sPxfCGtP3E.bat
Filesize
199B

MD5
b962b5cea9887b5207648e779516c3aa

SHA1
166d51547d1dcdf3a42b9aa487c2c5651cd162d1

SHA256
4ecd2aa4ec11c1ab9e5696d73784975dcd891c29bb301c89db4e35bc82a6752d

SHA512
e41a07da82b7642170d0c20eb15798022e7810150497d28f16c5084e29ef075a01fa66fb7bd7feb601d3a8d49a2030112ad5341eeb67ee4cf6ceb2984c59c789

Download Submit
C:\Users\Admin\AppData\Local\Temp\vr38kIKgT17Z.bat
Filesize
199B

MD5
782f3d5ee8030d5fe3aa3e5fd6db2369

SHA1
b7aabde1a716a08ac7f8f03668a6411604c4b183

SHA256
6fdc5990778fe05105d18f8355866e82d31e1e5f871a3a3e0ab4144a08b9de1d

SHA512
a520de089eab857f9834c2928061efadfeafbfe8743f291f03b4b271756f810698a9c0dbcf297d6044ee61a08f99d95fcbd70d152a08df4beb82af9a86c872bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xCJ5X62jMXFV.bat
Filesize
199B

MD5
dd2f8cf6b14adcf72b5fa920e7aea058

SHA1
4edb430436f873ae856866eacf52ae6d83ccf4f3

SHA256
ca305b7314cf36e13e1e92c760c42d6541c411a9aaa090cad59f67eb4b7c40fe

SHA512
c4a73ef6503bb31e06a2771c76ec397e4c725a276cd50ed37b564489399d92b3ee13f53a7ce0a27dbe76f4364fc4285281e02ed4b870a1c7076cc26bda68f670

Download Submit
memory/644-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

Filesize
8KB

Download
memory/644-9-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/644-2-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/644-1-0x0000000000240000-0x0000000000564000-memory.dmp

Filesize
3.1MB

Download
memory/1692-12-0x000000001D990000-0x000000001D9E0000-memory.dmp

Filesize
320KB

Download
memory/1692-13-0x000000001DAA0000-0x000000001DB52000-memory.dmp

Filesize
712KB

Download
memory/1692-18-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/1692-11-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download
memory/1692-10-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

Filesize
10.8MB

Download