Analysis
max time kernel: 143s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 04:13
Behavioral task: behavioral1
Sample: 70d30b23348309c31e6428730d77012f_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 70d30b23348309c31e6428730d77012f_JaffaCakes118.exe
Size: 349KB
MD5: 70d30b23348309c31e6428730d77012f
SHA1: 2d3e3669099989d1bcbbf59170eaf0e66d82aef7
SHA256: 5304204c73f6a5ff58c1a9e784139111a477b274b29f93666ba9e0d5fd4f36f5
SHA512: 9cff8845e74094fa2daf19666b6817de04d9b96ae85b5a35f2313a4cc520b87f7fb30d88801d3a740877a89a46de4542ad124779148b5ef6ba9917a261effaa1
SSDEEP: 6144:yKMJx4pweP7kJS3i37EOv2l3e6NfAwfBMyb0ezPcLf/9t:yKoS8wOvEe6lzfBEmQ9t
Malware Config
Extracted
quasar
1.3.0.0
rat2020
rat25565.ddns.net:25565
QSR_MUTEX_N4xtXyWxcnI1berfYb
encryption_key: OtebFaj10j3Qk2642HWk
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: EpicGames Client
subdirectory: SubDir
Signatures
Quasar RAT
Processes:
pid  process
4484  schtasks.exe
flow  ioc
11  ip-api.com
57  ip-api.com
86  ip-api.com
Quasar payload 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/3508-1-0x0000000000190000-0x00000000001EE000-memory.dmp  family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  family_quasar
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  Client.exe
(the same key is queried by each of the 14 Client.exe instances; this row is repeated 14 times in the report)
Executes dropped EXE 14 IoCs
Processes:
pid  process
4672  Client.exe
532  Client.exe
4684  Client.exe
1048  Client.exe
4632  Client.exe
3336  Client.exe
2004  Client.exe
840  Client.exe
2516  Client.exe
3784  Client.exe
1048  Client.exe
2772  Client.exe
1424  Client.exe
4888  Client.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
57  ip-api.com
86  ip-api.com
11  ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 14 IoCs
Processes:
pid  pid_target  process  target process
2752  4672  WerFault.exe  Client.exe
4400  532  WerFault.exe  Client.exe
876  4684  WerFault.exe  Client.exe
228  1048  WerFault.exe  Client.exe
1424  4632  WerFault.exe  Client.exe
3232  3336  WerFault.exe  Client.exe
3248  2004  WerFault.exe  Client.exe
1408  840  WerFault.exe  Client.exe
4416  2516  WerFault.exe  Client.exe
1664  3784  WerFault.exe  Client.exe
3352  1048  WerFault.exe  Client.exe
1388  2772  WerFault.exe  Client.exe
2672  1424  WerFault.exe  Client.exe
2012  4888  WerFault.exe  Client.exe
Creates scheduled task(s) 1 TTPs 15 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid  process
1604  schtasks.exe
2672  schtasks.exe
2548  schtasks.exe
4696  schtasks.exe
2876  schtasks.exe
3756  schtasks.exe
2600  schtasks.exe
4396  schtasks.exe
2420  schtasks.exe
4484  schtasks.exe
1744  schtasks.exe
1536  schtasks.exe
2436  schtasks.exe
2944  schtasks.exe
3640  schtasks.exe
Runs ping.exe 1 TTPs 14 IoCs
Processes:
pid  process
3284  PING.EXE
1364  PING.EXE
2392  PING.EXE
2440  PING.EXE
3668  PING.EXE
412  PING.EXE
1916  PING.EXE
3836  PING.EXE
4596  PING.EXE
2940  PING.EXE
2972  PING.EXE
1420  PING.EXE
3204  PING.EXE
4936  PING.EXE
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  3508  70d30b23348309c31e6428730d77012f_JaffaCakes118.exe
Token: SeDebugPrivilege  4672  Client.exe
Token: SeDebugPrivilege  532  Client.exe
Token: SeDebugPrivilege  4684  Client.exe
Token: SeDebugPrivilege  1048  Client.exe
Token: SeDebugPrivilege  4632  Client.exe
Token: SeDebugPrivilege  3336  Client.exe
Token: SeDebugPrivilege  2004  Client.exe
Token: SeDebugPrivilege  840  Client.exe
Token: SeDebugPrivilege  2516  Client.exe
Token: SeDebugPrivilege  3784  Client.exe
Token: SeDebugPrivilege  1048  Client.exe
Token: SeDebugPrivilege  2772  Client.exe
Token: SeDebugPrivilege  1424  Client.exe
Token: SeDebugPrivilege  4888  Client.exe
Suspicious use of SetWindowsHookEx 14 IoCs
Processes:
pid  process
4672  Client.exe
532  Client.exe
4684  Client.exe
1048  Client.exe
4632  Client.exe
3336  Client.exe
2004  Client.exe
840  Client.exe
2516  Client.exe
3784  Client.exe
1048  Client.exe
2772  Client.exe
1424  Client.exe
4888  Client.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
(each write below appears three times in the report's 64-entry listing; rows are listed once here)
PID 3508 wrote to memory of 4484  3508  70d30b23348309c31e6428730d77012f_JaffaCakes118.exe  schtasks.exe
PID 3508 wrote to memory of 4672  3508  70d30b23348309c31e6428730d77012f_JaffaCakes118.exe  Client.exe
PID 4672 wrote to memory of 2876  4672  Client.exe  schtasks.exe
PID 4672 wrote to memory of 4080  4672  Client.exe  cmd.exe
PID 4080 wrote to memory of 340  4080  cmd.exe  chcp.com
PID 4080 wrote to memory of 2440  4080  cmd.exe  PING.EXE
PID 4080 wrote to memory of 532  4080  cmd.exe  Client.exe
PID 532 wrote to memory of 3756  532  Client.exe  schtasks.exe
PID 532 wrote to memory of 4448  532  Client.exe  cmd.exe
PID 4448 wrote to memory of 2516  4448  cmd.exe  chcp.com
PID 4448 wrote to memory of 2972  4448  cmd.exe  PING.EXE
PID 4448 wrote to memory of 4684  4448  cmd.exe  Client.exe
PID 4684 wrote to memory of 2600  4684  Client.exe  schtasks.exe
PID 4684 wrote to memory of 5092  4684  Client.exe  cmd.exe
PID 5092 wrote to memory of 1072  5092  cmd.exe  chcp.com
PID 5092 wrote to memory of 3668  5092  cmd.exe  PING.EXE
PID 5092 wrote to memory of 1048  5092  cmd.exe  Client.exe
PID 1048 wrote to memory of 2436  1048  Client.exe  schtasks.exe
PID 1048 wrote to memory of 1952  1048  Client.exe  cmd.exe
PID 1952 wrote to memory of 2184  1952  cmd.exe  chcp.com
PID 1952 wrote to memory of 412  1952  cmd.exe  PING.EXE
PID 1952 wrote to memory of 4632  1952  cmd.exe  Client.exe
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe"
  PID: 3508
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\70d30b23348309c31e6428730d77012f_JaffaCakes118.exe" /rl HIGHEST /f
  PID: 4484
  - Quasar RAT
  - Creates scheduled task(s)
[depth 2] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 4672
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 2876
  - Creates scheduled task(s)
[depth 3] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bNDnxddwaPjR.bat" "
  PID: 4080
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 340
[depth 4] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2440
  - Runs ping.exe
[depth 4] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 532
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 3756
  - Creates scheduled task(s)
[depth 5] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1KWje1P5WNNb.bat" "
  PID: 4448
  - Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 2516
[depth 6] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2972
  - Runs ping.exe
[depth 6] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 4684
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 2600
  - Creates scheduled task(s)
[depth 7] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XmmCuLxbf7bb.bat" "
  PID: 5092
  - Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 1072
[depth 8] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 3668
  - Runs ping.exe
[depth 8] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 1048
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 2436
  - Creates scheduled task(s)
[depth 9] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fbn229WYj30l.bat" "
  PID: 1952
  - Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 2184
[depth 10] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 412
  - Runs ping.exe
[depth 10] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 4632
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 11] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 1604
  - Creates scheduled task(s)
[depth 11] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F4sG4EEPObve.bat" "
  PID: 1712
[depth 12] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 4428
[depth 12] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1420
  - Runs ping.exe
[depth 12] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 3336
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 13] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 2672
  - Creates scheduled task(s)
[depth 13] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CkIi6TjLi1Xw.bat" "
  PID: 3888
[depth 14] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 2808
[depth 14] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 3204
  - Runs ping.exe
[depth 14] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 2004
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 15] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 1744
  - Creates scheduled task(s)
[depth 15] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jCYBMoHsrllv.bat" "
  PID: 340
[depth 16] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 1732
[depth 16] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 3284
  - Runs ping.exe
[depth 16] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 840
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 17] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 1536
  - Creates scheduled task(s)
[depth 17] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x3CU36ASxIYt.bat" "
  PID: 4892
[depth 18] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 3772
[depth 18] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1364
  - Runs ping.exe
[depth 18] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 2516
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 19] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 3640
  - Creates scheduled task(s)
[depth 19] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bp5IsCiHdxhI.bat" "
  PID: 1944
[depth 20] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 680
[depth 20] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1916
  - Runs ping.exe
[depth 20] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 3784
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 21] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 4396
  - Creates scheduled task(s)
[depth 21] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RBsQLgDwQSOB.bat" "
  PID: 1056
[depth 22] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 8
[depth 22] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2392
  - Runs ping.exe
[depth 22] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 1048
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 23] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 2548
  - Creates scheduled task(s)
[depth 23] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IGaovnaj7Cj5.bat" "
  PID: 3240
[depth 24] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 1680
[depth 24] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 3836
  - Runs ping.exe
[depth 24] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 2772
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 25] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 4696
  - Creates scheduled task(s)
[depth 25] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2LBpClZ3uEbG.bat" "
  PID: 5068
[depth 26] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 2060
[depth 26] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 4596
  - Runs ping.exe
[depth 26] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 1424
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 27] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 2944
  - Creates scheduled task(s)
[depth 27] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JgyxfF4hhjI9.bat" "
  PID: 3040
[depth 28] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 2804
[depth 28] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2940
  - Runs ping.exe
[depth 28] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  PID: 4888
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
[depth 29] C:\Windows\SysWOW64\schtasks.exe
  Command line: "schtasks" /create /tn "EpicGames Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  PID: 2420
  - Creates scheduled task(s)
[depth 29] C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sA3AhKnYMHD2.bat" "
  PID: 3932
[depth 30] C:\Windows\SysWOW64\chcp.com
  Command line: chcp 65001
  PID: 2752
[depth 30] C:\Windows\SysWOW64\PING.EXE
  Command line: ping -n 10 localhost
  PID: 4936
  - Runs ping.exe
[depth 29] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1936
  PID: 2012
  - Program crash
[depth 27] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 2224
  PID: 2672
  - Program crash
[depth 25] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 2192
  PID: 1388
  - Program crash
[depth 23] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 2192
  PID: 3352
  - Program crash
[depth 21] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 2188
  PID: 1664
  - Program crash
[depth 19] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1184
  PID: 4416
  - Program crash
[depth 17] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 2224
  PID: 1408
  - Program crash
[depth 15] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 2224
  PID: 3248
  - Program crash
[depth 13] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 2224
  PID: 3232
  - Program crash
[depth 11] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 2212
  PID: 1424
  - Program crash
[depth 9] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 932
  PID: 228
  - Program crash
[depth 7] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 2204
  PID: 876
  - Program crash
[depth 5] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 2192
  PID: 4400
  - Program crash
[depth 3] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 2248
  PID: 2752
  - Program crash
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4672 -ip 4672
  PID: 1576
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 532 -ip 532
  PID: 3764
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4684 -ip 4684
  PID: 1504
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1048 -ip 1048
  PID: 4900
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4632 -ip 4632
  PID: 2068
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3336 -ip 3336
  PID: 2228
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2004 -ip 2004
  PID: 372
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 840 -ip 840
  PID: 2328
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2516 -ip 2516
  PID: 1420
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3784 -ip 3784
  PID: 3000
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1048 -ip 1048
  PID: 4312
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2772 -ip 2772
  PID: 4736
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1424 -ip 1424
  PID: 4412
[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4888 -ip 4888
  PID: 3668
Downloads