Analysis
-
max time kernel
141s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-06-2024 23:23
Behavioral task
behavioral1
Sample
13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
Resource
win7-20240419-en
General
-
Target
13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
-
Size
358KB
-
MD5
13ddb4c563aa5d65f2a9822d50e3b92f
-
SHA1
2e1ccddf584175c3bd62ac8d0173fdb6ae73ea10
-
SHA256
29b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9
-
SHA512
ad7f92b70e64b04c3dde1b9519d88c237c62dd74d6929e17e968ce6a969449fd79caa1dca658294234759d17d9f5545ebf6fec87f5aa0c45b469c7fd27598f96
-
SSDEEP
6144:rJqQ4i1FFiEKhtpoidubrUX5v7N/Vyfs5uI:Fpli3poidD5jN/sfs5uI
Malware Config
Extracted
-
Family
quasar
-
Version
1.3.0.0
-
Botnet
Office04
-
C2
almammory.hopto.org:1177
-
Mutex
QSR_MUTEX_uvFpjg4C7Cxl60AUEGAUEGGMUTEOO
-
encryption_key
WVQm2WP2iovscPfuELDp
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Processes:
description | ioc | process
File created | C:\Program Files (x86)\SubDir\Client.exe | 13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
flow | ioc
11 | ip-api.com
52 | ip-api.com
71 | ip-api.com
-
Quasar payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4196-1-0x00000000007F0000-0x0000000000850000-memory.dmp | family_quasar
C:\Program Files (x86)\SubDir\Client.exe | family_quasar
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Client.exe (14 instances)
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | Client.exe
(the same entry is recorded 14 times, once per Client.exe instance)
-
Executes dropped EXE 14 IoCs
Processes:
pid | process
4624 | Client.exe
3080 | Client.exe
4300 | Client.exe
3192 | Client.exe
4600 | Client.exe
4152 | Client.exe
224 | Client.exe
3760 | Client.exe
4412 | Client.exe
4480 | Client.exe
2960 | Client.exe
1060 | Client.exe
3484 | Client.exe
4136 | Client.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
52 | ip-api.com
71 | ip-api.com
11 | ip-api.com
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\SubDir\Client.exe | 13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\SubDir\Client.exe | 13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 14 IoCs
Processes:
pid | pid_target | process | target process
1800 | 4624 | WerFault.exe | Client.exe
952 | 3080 | WerFault.exe | Client.exe
2852 | 4300 | WerFault.exe | Client.exe
3996 | 3192 | WerFault.exe | Client.exe
1404 | 4600 | WerFault.exe | Client.exe
3240 | 4152 | WerFault.exe | Client.exe
3484 | 224 | WerFault.exe | Client.exe
2828 | 3760 | WerFault.exe | Client.exe
2544 | 4412 | WerFault.exe | Client.exe
1044 | 4480 | WerFault.exe | Client.exe
2892 | 2960 | WerFault.exe | Client.exe
464 | 1060 | WerFault.exe | Client.exe
4580 | 3484 | WerFault.exe | Client.exe
3888 | 4136 | WerFault.exe | Client.exe
-
Runs ping.exe 1 TTPs 14 IoCs
Processes:
pid | process
1168 | PING.EXE
1728 | PING.EXE
2220 | PING.EXE
636 | PING.EXE
4844 | PING.EXE
4304 | PING.EXE
2148 | PING.EXE
4472 | PING.EXE
2820 | PING.EXE
1496 | PING.EXE
2108 | PING.EXE
4868 | PING.EXE
2340 | PING.EXE
2512 | PING.EXE
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4196 | 13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
Token: SeDebugPrivilege | 4624 | Client.exe
Token: SeDebugPrivilege | 3080 | Client.exe
Token: SeDebugPrivilege | 4300 | Client.exe
Token: SeDebugPrivilege | 3192 | Client.exe
Token: SeDebugPrivilege | 4600 | Client.exe
Token: SeDebugPrivilege | 4152 | Client.exe
Token: SeDebugPrivilege | 224 | Client.exe
Token: SeDebugPrivilege | 3760 | Client.exe
Token: SeDebugPrivilege | 4412 | Client.exe
Token: SeDebugPrivilege | 4480 | Client.exe
Token: SeDebugPrivilege | 2960 | Client.exe
Token: SeDebugPrivilege | 1060 | Client.exe
Token: SeDebugPrivilege | 3484 | Client.exe
Token: SeDebugPrivilege | 4136 | Client.exe
-
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
pid | process
4624 | Client.exe
3080 | Client.exe
4300 | Client.exe
3192 | Client.exe
4600 | Client.exe
4152 | Client.exe
224 | Client.exe
3760 | Client.exe
4412 | Client.exe
4480 | Client.exe
2960 | Client.exe
1060 | Client.exe
3484 | Client.exe
4136 | Client.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
(each entry below is recorded 3 times in the report unless stated otherwise)
PID 4196 wrote to memory of 4624 | 4196 | 13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe | Client.exe
PID 4624 wrote to memory of 4780 | 4624 | Client.exe | cmd.exe
PID 4780 wrote to memory of 4804 | 4780 | cmd.exe | chcp.com
PID 4780 wrote to memory of 2148 | 4780 | cmd.exe | PING.EXE
PID 4780 wrote to memory of 3080 | 4780 | cmd.exe | Client.exe
PID 3080 wrote to memory of 4996 | 3080 | Client.exe | cmd.exe
PID 4996 wrote to memory of 2272 | 4996 | cmd.exe | chcp.com
PID 4996 wrote to memory of 2108 | 4996 | cmd.exe | PING.EXE
PID 4996 wrote to memory of 4300 | 4996 | cmd.exe | Client.exe
PID 4300 wrote to memory of 4240 | 4300 | Client.exe | cmd.exe
PID 4240 wrote to memory of 4820 | 4240 | cmd.exe | chcp.com
PID 4240 wrote to memory of 2220 | 4240 | cmd.exe | PING.EXE
PID 4240 wrote to memory of 3192 | 4240 | cmd.exe | Client.exe
PID 3192 wrote to memory of 2300 | 3192 | Client.exe | cmd.exe
PID 2300 wrote to memory of 1260 | 2300 | cmd.exe | chcp.com
PID 2300 wrote to memory of 636 | 2300 | cmd.exe | PING.EXE
PID 2300 wrote to memory of 4600 | 2300 | cmd.exe | Client.exe
PID 4600 wrote to memory of 1416 | 4600 | Client.exe | cmd.exe
PID 1416 wrote to memory of 3168 | 1416 | cmd.exe | chcp.com
PID 1416 wrote to memory of 4844 | 1416 | cmd.exe | PING.EXE
PID 1416 wrote to memory of 4152 | 1416 | cmd.exe | Client.exe
PID 4152 wrote to memory of 4624 | 4152 | Client.exe | cmd.exe (recorded once; the 64-IoC cap is reached here)
-
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\13ddb4c563aa5d65f2a9822d50e3b92f_JaffaCakes118.exe"
  - Quasar RAT
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
[level 2] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
[level 3] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XSz1vPRe9SAV.bat" "
  - Suspicious use of WriteProcessMemory
-
[level 4] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 4] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 4] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
[level 5] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fjvGBYD5cKi5.bat" "
  - Suspicious use of WriteProcessMemory
-
[level 6] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 6] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 6] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
[level 7] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WodemfasJ53z.bat" "
  - Suspicious use of WriteProcessMemory
-
[level 8] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 8] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 8] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
[level 9] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWfZOPPSf635.bat" "
  - Suspicious use of WriteProcessMemory
-
[level 10] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 10] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 10] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
[level 11] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUubCgjN0crt.bat" "
  - Suspicious use of WriteProcessMemory
-
[level 12] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 12] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 12] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
[level 13] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\asJCFfYfpjwa.bat" "
-
[level 14] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 14] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 14] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
[level 15] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rx1aplvSWUIU.bat" "
-
[level 16] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 16] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 16] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
[level 17] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cFlYsfrCVAXy.bat" "
-
[level 18] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 18] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 18] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
[level 19] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8h228zPjeulx.bat" "
-
[level 20] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 20] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 20] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
[level 21] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CtP2iBf4B6x4.bat" "
-
[level 22] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 22] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 22] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
[level 23] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1TybY6RmBsP3.bat" "
-
[level 24] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 24] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 24] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
[level 25] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HHg89w8uNLFM.bat" "
-
[level 26] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 26] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 26] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
[level 27] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fw5aBBdrhkqe.bat" "
-
[level 28] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 28] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 28] C:\Program Files (x86)\SubDir\Client.exe
  command line: "C:\Program Files (x86)\SubDir\Client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
-
[level 29] C:\Windows\SysWOW64\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DcV2DR7o1ARw.bat" "
-
[level 30] C:\Windows\SysWOW64\chcp.com
  command line: chcp 65001
-
[level 30] C:\Windows\SysWOW64\PING.EXE
  command line: ping -n 10 localhost
  - Runs ping.exe
-
[level 29] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 2268
  - Program crash
-
[level 27] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1688
  - Program crash
-
[level 25] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2212
  - Program crash
-
[level 23] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 2220
  - Program crash
-
[level 21] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2216
  - Program crash
-
[level 19] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 2244
  - Program crash
-
[level 17] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 2220
  - Program crash
-
[level 15] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 2240
  - Program crash
-
[level 13] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 2244
  - Program crash
-
[level 11] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 2212
  - Program crash
-
[level 9] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 2224
  - Program crash
-
[level 7] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 2248
  - Program crash
-
[level 5] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 2212
  - Program crash
-
[level 3] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 2268
  - Program crash
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4624 -ip 4624
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3080 -ip 3080
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4300 -ip 4300
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3192 -ip 3192
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4600 -ip 4600
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4152 -ip 4152
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 224 -ip 224
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3760 -ip 3760
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4412 -ip 4412
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4480 -ip 4480
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2960 -ip 2960
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1060 -ip 1060
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3484 -ip 3484
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4136 -ip 4136
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Program Files (x86)\SubDir\Client.exe
Filesize 358KB
MD5 13ddb4c563aa5d65f2a9822d50e3b92f
SHA1 2e1ccddf584175c3bd62ac8d0173fdb6ae73ea10
SHA256 29b58aa0ac40523e606e3a10258de337d2e76815b279402babc18e2bb410aab9
SHA512 ad7f92b70e64b04c3dde1b9519d88c237c62dd74d6929e17e968ce6a969449fd79caa1dca658294234759d17d9f5545ebf6fec87f5aa0c45b469c7fd27598f96
-
C:\Users\Admin\AppData\Local\Temp\1TybY6RmBsP3.bat
Filesize 199B
MD5 fefa2ff436541b116c91443b80625b8c
SHA1 cc52017bbe800fe53dd759b382564d2b50a48934
SHA256 3119870c9af5922ea32afcb09fe49530a1f93969bf1bea11c74c2a4fb58cc85d
SHA512 12bea99d90165955ce4a0dd2239a8c94a46b591ae53f335ced07332b850ba4681f529fc5826ef54f257a96c94abf21e9de8ff680be51daa887b4a1a083111042
-
C:\Users\Admin\AppData\Local\Temp\8h228zPjeulx.bat
Filesize 199B
MD5 d0f9a329627cca722b424f73d459fe0e
SHA1 c38b8553e00ac4ec548296a6d459ced909302a14
SHA256 64a028f21d2fdff1cb56fcacec3090cbde5624c853f014a5f9ddaf4e6aa49d69
SHA512 906ae7dc92612aab0a869dd7ea497b3bd7726a60e57983dfba3ed2ba14e72096224dc580411fbfd0bf7bc46490e8cc205765ed122a1d35276834a964604903be
-
C:\Users\Admin\AppData\Local\Temp\CUubCgjN0crt.bat
Filesize 199B
MD5 3ce96b19b77a2d3737abd8e9871dbd97
SHA1 83ce9f21cf0aba8725df97f6111f9905d973d361
SHA256 98fbb062e979cdc71872f550bce487d4044134201c5e1f17b03ccd2c980fbc1e
SHA512 3606c9e83a60c93d15e07fbc816ad685c0fda8949c59baa9c428ebb852c6edf09f94cebd3cbd79f64916041befeeed1438eb38e6b191bf12a8fb39176589b813
-
C:\Users\Admin\AppData\Local\Temp\CtP2iBf4B6x4.bat
Filesize 199B
MD5 af1ecb82b1d67b768ef30366e2ab60fd
SHA1 7b16a8a337b3cc9cfc11d2426578ccc13270d786
SHA256 c4b381f7724b0dfbdc996b3de55f0318be15438413b534bbf944b99c06f2bd5f
SHA512 7d24529c847ef034faba4255076e64f7e1293ee430b43a92002c2fcb372feef0ae66ab0670e109f6c23d09b0c1351a219af27ce9824dc740d2f93a5c7a1c4001
-
C:\Users\Admin\AppData\Local\Temp\DcV2DR7o1ARw.bat
Filesize 199B
MD5 30f347347acacdfa55e63dea09b81a94
SHA1 446866b51bb47967d52f00d5fdf68934c571bf59
SHA256 6faef9cdc770e8fa00034d116f5740f4b8ffafa170d96a9d5f560a24c7b9482c
SHA512 f3417d56cbb5795b31e44e5c4e514a390cba950ced3b5f05511cb9f4c6dd060b2b74bccd053f0f0edbcb193cb0084ec8dece8475287cca18931cbe937f76117c
-
C:\Users\Admin\AppData\Local\Temp\Fw5aBBdrhkqe.bat
Filesize 199B
MD5 6ea5a6801982d5f29c3974e029cb4df7
SHA1 9ef55cc14f08adf546de5a976af5e4b35b7b190e
SHA256 35bca3a329a8b79d2a347b67aa117d3068325290eef4329bb2a232d4244ad21f
SHA512 5c60831e24f691938266ce0f95c80e703fa14508fdd3a9e2374dfd44ae08e2d94bcc14b02797980826603d3bb7c3c8e3aadcf7ce8c8d99136d60c04f53ee72b6
-
C:\Users\Admin\AppData\Local\Temp\HHg89w8uNLFM.bat
Filesize 199B
MD5 d8fc846adfaeed91f1805b6eceae6dc2
SHA1 b141ce74218c019cc67df701f3a10b6f9988b1c1
SHA256 f67f2df7a3653204ea3d8796968f2bebd84ac077e8e3644b4ef4a1ec63476750
SHA512 5f6b974a7c540d2ff97bb9d23e363046e2c861a9ffc41030d9ae2e42a16723b6b6d4de158278eec718403720fff737870c57b3ddb1094dbe50aa55003ee58918
-
C:\Users\Admin\AppData\Local\Temp\Rx1aplvSWUIU.bat
Filesize 199B
MD5 69c03d97839484099d442489d65a6269
SHA1 bf522b0df75947142624ac638d1dc4fd52e48a01
SHA256 f3d1574d03e894b1e459ef8bf74bed7576c58b79972c8c38d5140ec59ea92d59
SHA512 ee5af8a532f4695d1f6f7a4c7752e307fa99f406ed5cd542aeb35cd818aaf58933369db9b8d247a8226f45c5d548d23a1e793d6c215b76ac24085698f911aa6a
-
C:\Users\Admin\AppData\Local\Temp\WodemfasJ53z.bat
Filesize 199B
MD5 5d31c04f7f7a43f63f66e316e315a75e
SHA1 87a10ed0dd72e484102a5a4cd44f27ac65bc9d33
SHA256 0be94cb2308b5a1d4cc588496fbb29bb42f58d5d1a749f7fb9eb22174faa1c2b
SHA512 d6d046d30b49b047547a4b1e3bb79456a671705d59ded1871d5cdedbe189d91bb3de7347e51e7b220e0d838d744ee6a9194212eff9100d4e727f83cfc2840182
-
C:\Users\Admin\AppData\Local\Temp\XSz1vPRe9SAV.bat
Filesize 199B
MD5 ac86759fb939882d2c64bd6503e028d8
SHA1 df363f6366f900332ed9123db6e2cf092d577304
SHA256 43816c19bb682cbd1be9007cde896def863ce2d9805f7b2ecd1c2150d179c82b
SHA512 fc66f6fa96c18144eb76c1b9c84030b54fbe6daa72502e5f62502185f18557d459fa019543165c1df24241d485df4028d29c9058b39ed5db3bd01a5e571ffc50
-
C:\Users\Admin\AppData\Local\Temp\asJCFfYfpjwa.bat
Filesize 199B
MD5 8bb73944ffad413fcad186b32198bb9e
SHA1 9a6da6da7dca260efcd60e0d57836281ba199d87
SHA256 9ada5f5bcdeca670bbbdd7fff4aa31ea3f75b12bf63fe53d4f5d9fa0d6fa2e76
SHA512 8d1a5b9c136f738352a5cefb89095f13da3447bd2743b17c7f8dd226a082718e374cf73c7ac53d9c41a7f3858e879f022da1d74dcc7444e96162c69fe8194f98
-
C:\Users\Admin\AppData\Local\Temp\bWfZOPPSf635.bat
Filesize 199B
MD5 f296f8752b87477654047cf33bdd47ac
SHA1 d436a001dc409cbc2288417fa31ba8dbe01a1fc2
SHA256 13c169b065bcbc08f4b16e1e52a26c1595f5a55afb82747331efb9471e4a1dfd
SHA512 92196accf5142fd168640984f64b544976bdb2fcc3857b9a37875eff5731a157aeccac7af1103a4643c40c154aa21327078c5a177ffcd61cbf6ae996e9db5e18
-
C:\Users\Admin\AppData\Local\Temp\cFlYsfrCVAXy.bat
Filesize 199B
MD5 d95d11b808665d1477ce31316fc6ca8d
SHA1 8d72c7352d5a50db7a20a1ca72af641298847b9a
SHA256 d2b766eee62754df5b38789da677e7e5cd6359756ae858b9c6d4fc8839555aed
SHA512 bcdda0ce017d52e816f66777b6cb42370a7798fa4342ee1fd1f9cef547967716e91772265aa97be4291c9ee84d85bb6f9639477c6f853390e0f78094ba0fa0fe
-
C:\Users\Admin\AppData\Local\Temp\fjvGBYD5cKi5.bat
Filesize 199B
MD5 37f18935728c63d5f313da32c947379f
SHA1 02db51c8ddff4ccc2a0f494f340482ab8192faed
SHA256 4f93253c2066683fa6351e22ae3a41df3fe0c6d5b8013b767699502f5689e396
SHA512 b842ee575afc24fc3077208f6da96c566a8226534228d1de5a073a96932cb1b2fc12269b820327ea56f08a8884e522e082c3dd89efed5c67f78583b67628adaa
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
Filesize 224B
MD5 3fc71556a6637738a3fbe02b1961673e
SHA1 b8aa247ba3fcc3886b8e5894c63725d015c55c42
SHA256 a80237ffe7b94e6b0393e71b226dc5df7f95e1eb1b9235df25bec53f8c5d9b44
SHA512 4aed78cec35ba131ac931e169b11a97c27de30afbfe1c5f154cd2444c294f3858c35cb959d1bab589a870af6305210e396ec42a786b69e128d495bd871d42218
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
Filesize 224B
MD5 cbfac9273dbd82dcc6fe79eb96309ed0
SHA1 2b3affbc19e90b233cfea6cc5a6356db1c473bdd
SHA256 6d5a8dab14433417adea6c1bcace654d1312420b91f3d194509143f1cbec8256
SHA512 63edec8f466b03d94554a9f7c9ae6f39d513b4906571d919e5eaa3edce08557426a6f111eaabdbef881edc85d3a3e683502c6b3d6770637f1496e403805540d9
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
Filesize 224B
MD5 c1f1f48304256dc704d094283c861a81
SHA1 6c045e91567fdaecdd35e7ffedb46b8734a1ce8b
SHA256 8b7356deb8d13aebc6b52bd5818f6ba915210509b67271763fccc3a84defe21e
SHA512 037688aba724a825e9c9e66e0479281e1f953396085cc9e84bdef5a6305a76664f0c69b6e400161d4efe0ae17901312ab9b3ae06836312fb69e2bf54009ad166
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
Filesize 224B
MD5 993f1d7d8bb311eb8d8be3c67560a081
SHA1 c2ebd895698165eecba71eca037924cd13d0b31d
SHA256 201b78970529b74f52153c0f226f7b0d3661b94551b7e3d0e8fda5a7c9dde284
SHA512 fe071ab8393526b1183b256a37b1421689d4ad629b0f38c2d611f7bf5f84c0efa21f1a800ebba6e56490ef8156010dee6951f418f158d188f3e78e5402a0c7b8
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
Filesize 224B
MD5 4f541f11d78c14502a70700bcb6288f6
SHA1 69990b5b5172305dceabbdb6e1c7490715b2b148
SHA256 f777cb29564d33963630ae2a121791c1696d70a036a1647b4679215090b6a8f0
SHA512 5f896550721b004350a297f9aa9d2f2b398f946de38a41000d707829c2c5504aa9991ef80d7c1b9a5143d40ca34fbd215bf7106973f03ba0397cbd23774c1813
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
Filesize 224B
MD5 827d31340e31fd474bcb06d62b6913dc
SHA1 f6f9b6012e223f34a455aaed23813d9cc6d5eca2
SHA256 bc0a741aba7a13d6ba58d678edcaa529f03e16d2efbea714fdabdd372d21dfa1
SHA512 5ff2c801abc8ac0aa6441566740d13ae0256bedc32f6b76e9ff25390c8e6111fb783dde1a1b6241db368fddfb55d1a37b16d437f87b56c1e069d5b1fdd1ff9fc
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
Filesize 224B
MD5 ec285992d71569769a51e7fa307078ab
SHA1 3b7cca874667bdd8f3b098317c46d8e8b5d7544d
SHA256 901b630a473c4c6d6c6b465c88f0b207fe4ba62495575ad7bcdc24c9ac96424b
SHA512 7daca39743ca2f486668c026ef47a2d2e74a3d23a4ea2e3a27a6e91e2940d6f1bda6e8849a27f40887f486c11342df16aee7f03e8f20f7844bcde5c5c5e9fcf3
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
Filesize 224B
MD5 21c4fa1baba3f733376cfce647367ea3
SHA1 29ab92d7549ec5e172c936474dcb90bc09d3a097
SHA256 db1b5d134a07d5320b67a9785d404a94ade27e7efc6e4b80e3428f07c48d8d52
SHA512 5a0e456c4debc41f241694061e7ab752ee067e12828faac66932bbd70af13b669cb5c8c12a5298278ce8ca82b26d8877617a124dbff45a587bc28e6221f9ba38
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
Filesize 224B
MD5 8582edb887b4b285519824841155d5ed
SHA1 dc2c3ddf9efe2dafd69464c0eea335d3bd4daa3a
SHA256 97fa691839366774484db38d4fdfe4ede187cba5abf7708b813ee3675742ab14
SHA512 a51b2893d916c450a68922d6b965db87221b3579e8ed2318b97aae4c483e1bb3bf526449239c7e3fd740842c13ffce4cea347a14a31da97dfdf0b7c9284be04b
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
Filesize 224B
MD5 bbee248e4fbf2fd5cf53f69c3d6f99e7
SHA1 7340bb3fff37619298881b704bf98c533088e5e7
SHA256 0e89115f357dad5e774cb9eb7f52a20d824395b91cbfb7200321194565614b8c
SHA512 38ae0040e6ec173ebbd07423d2297c88f8ca67e0324a6aec6b6e18a6231aabecb10d9433b0a4ca320ea63c553d858f732f03f47a35996d2a9c0ceb542f5fa249
-
C:\Users\Admin\AppData\Roaming\Logs\06-26-2024
Filesize 224B
MD5 133f2f22fe2e24ff6130721c5e5a6f67
SHA1 3526a5dc9dab08f441463da42e779602597717f4
SHA256 deb829bbda78eb8e62bbaad53eb03bb3d2fe74ff4aef576cc43ea71474849c62
SHA512 8e4d5f41d770bbcf2929515d68519cdeb0c74edd9522feeccfc08a8e4091722c373068a9bf5cdd1841679712b8fbbb5a836db9d1e8467450684fe02404db68c3
-
memory/4196-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp
Filesize 4KB
-
memory/4196-14-0x0000000074AC0000-0x0000000075270000-memory.dmp
Filesize 7.7MB
-
memory/4196-7-0x00000000065A0000-0x00000000065DC000-memory.dmp
Filesize 240KB
-
memory/4196-6-0x0000000006060000-0x0000000006072000-memory.dmp
Filesize 72KB
-
memory/4196-5-0x0000000005340000-0x00000000053A6000-memory.dmp
Filesize 408KB
-
memory/4196-4-0x0000000074AC0000-0x0000000075270000-memory.dmp
Filesize 7.7MB
-
memory/4196-3-0x00000000052A0000-0x0000000005332000-memory.dmp
Filesize 584KB
-
memory/4196-2-0x0000000005850000-0x0000000005DF4000-memory.dmp
Filesize 5.6MB
-
memory/4196-1-0x00000000007F0000-0x0000000000850000-memory.dmp
Filesize 384KB
-
memory/4624-22-0x0000000074AC0000-0x0000000075270000-memory.dmp
Filesize 7.7MB
-
memory/4624-13-0x0000000074AC0000-0x0000000075270000-memory.dmp
Filesize 7.7MB
-
memory/4624-15-0x0000000074AC0000-0x0000000075270000-memory.dmp
Filesize 7.7MB
-
memory/4624-17-0x0000000006370000-0x000000000637A000-memory.dmp
Filesize 40KB