quasar | c43f7f1986561c8c66d39dd44bf7cd78907d9c1413488b95e3bbfb3b040be4bd

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
Size

376KB
MD5

7eaab8f932552e65b391359fe88db237
SHA1

38e58600b962926d1cfa61429361d51fd58e014d
SHA256

c43f7f1986561c8c66d39dd44bf7cd78907d9c1413488b95e3bbfb3b040be4bd
SHA512

2a6df2cb42da675c9c92657aba78eb9c31a910ed50a876593f6ddbd9bb147735157024d3d8585416fb2fbc575726acd3bd425a1367c0691f778690e81c020702
SSDEEP

6144:6FmF1w9kS+yXKi365ArOkofENOFEYDDyj7REt8mVLZn9sUf7rUwMq9Qw+:JbuXt3EA4/DyPREt8ct37rhv

Score

10^/10

quasar client_04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Client_04

vorphdns.ddns.net:4567

dmmd.ddns.net:4567

Mutex

QSR_MUTEX_UT1r17dYXyTuwWVm2V

Attributes

encryption_key
6nW4MhpEja0m9ojOn8B6
install_name
AdobeUpdater.exe
log_directory
UpdateLogs
reconnect_delay
3000
startup_key
AdobeUpdaterStartup
subdirectory
Adobe

Signatures

Quasar RAT 4 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

pid process

3552 schtasks.exe
13 ip-api.com
37 ip-api.com
75 ip-api.com

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4468-6-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	AdobeUpdater.exe

Executes dropped EXE 34 IoCs

Processes:

AdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exe

pid	process
4632	AdobeUpdater.exe
4728	AdobeUpdater.exe
3904	AdobeUpdater.exe
1196	AdobeUpdater.exe
404	AdobeUpdater.exe
1316	AdobeUpdater.exe
3708	AdobeUpdater.exe
4044	AdobeUpdater.exe
608	AdobeUpdater.exe
1064	AdobeUpdater.exe
692	AdobeUpdater.exe
4728	AdobeUpdater.exe
1176	AdobeUpdater.exe
5052	AdobeUpdater.exe
1860	AdobeUpdater.exe
3012	AdobeUpdater.exe
3216	AdobeUpdater.exe
3324	AdobeUpdater.exe
3664	AdobeUpdater.exe
3228	AdobeUpdater.exe
4660	AdobeUpdater.exe
4116	AdobeUpdater.exe
1956	AdobeUpdater.exe
748	AdobeUpdater.exe
864	AdobeUpdater.exe
3176	AdobeUpdater.exe
3096	AdobeUpdater.exe
4900	AdobeUpdater.exe
1740	AdobeUpdater.exe
4956	AdobeUpdater.exe
4620	AdobeUpdater.exe
1520	AdobeUpdater.exe
892	AdobeUpdater.exe
3744	AdobeUpdater.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

75 ip-api.com
13 ip-api.com
37 ip-api.com

flow	ioc
75	ip-api.com
13	ip-api.com
37	ip-api.com

Suspicious use of SetThreadContext 15 IoCs

Processes:

7eaab8f932552e65b391359fe88db237_JaffaCakes118.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exe

description	pid	process	target process
PID 228 set thread context of 4468	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 4632 set thread context of 1196	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 404 set thread context of 1316	404	AdobeUpdater.exe	AdobeUpdater.exe
PID 3708 set thread context of 4044	3708	AdobeUpdater.exe	AdobeUpdater.exe
PID 608 set thread context of 1064	608	AdobeUpdater.exe	AdobeUpdater.exe
PID 692 set thread context of 1176	692	AdobeUpdater.exe	AdobeUpdater.exe
PID 5052 set thread context of 1860	5052	AdobeUpdater.exe	AdobeUpdater.exe
PID 3012 set thread context of 3216	3012	AdobeUpdater.exe	AdobeUpdater.exe
PID 3324 set thread context of 3664	3324	AdobeUpdater.exe	AdobeUpdater.exe
PID 3228 set thread context of 4660	3228	AdobeUpdater.exe	AdobeUpdater.exe
PID 4116 set thread context of 1956	4116	AdobeUpdater.exe	AdobeUpdater.exe
PID 748 set thread context of 864	748	AdobeUpdater.exe	AdobeUpdater.exe
PID 3176 set thread context of 1740	3176	AdobeUpdater.exe	AdobeUpdater.exe
PID 4956 set thread context of 1520	4956	AdobeUpdater.exe	AdobeUpdater.exe
PID 892 set thread context of 3744	892	AdobeUpdater.exe	AdobeUpdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1956	1196	WerFault.exe	AdobeUpdater.exe
4748	1316	WerFault.exe	AdobeUpdater.exe
3432	4044	WerFault.exe	AdobeUpdater.exe
924	1064	WerFault.exe	AdobeUpdater.exe
4624	1176	WerFault.exe	AdobeUpdater.exe
5072	1860	WerFault.exe	AdobeUpdater.exe
3948	3216	WerFault.exe	AdobeUpdater.exe
4976	3664	WerFault.exe	AdobeUpdater.exe
3256	4660	WerFault.exe	AdobeUpdater.exe
4732	1956	WerFault.exe	AdobeUpdater.exe
4524	864	WerFault.exe	AdobeUpdater.exe
1092	1740	WerFault.exe	AdobeUpdater.exe
1696	1520	WerFault.exe	AdobeUpdater.exe
4992	3744	WerFault.exe	AdobeUpdater.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3552	schtasks.exe
4864	schtasks.exe
872	schtasks.exe
3852	schtasks.exe
3244	schtasks.exe
4140	schtasks.exe
4920	schtasks.exe
32	schtasks.exe
724	schtasks.exe
1604	schtasks.exe
4248	schtasks.exe
4740	schtasks.exe
2844	schtasks.exe
668	schtasks.exe
3704	schtasks.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4968	PING.EXE
1968	PING.EXE
1404	PING.EXE
2360	PING.EXE
3108	PING.EXE
4020	PING.EXE
3124	PING.EXE
1280	PING.EXE
2476	PING.EXE
4896	PING.EXE
228	PING.EXE
548	PING.EXE
376	PING.EXE
3576	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

7eaab8f932552e65b391359fe88db237_JaffaCakes118.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exe

pid	process
228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
4632	AdobeUpdater.exe
4632	AdobeUpdater.exe
4632	AdobeUpdater.exe
4632	AdobeUpdater.exe
692	AdobeUpdater.exe
692	AdobeUpdater.exe
3176	AdobeUpdater.exe
3176	AdobeUpdater.exe
3176	AdobeUpdater.exe
3176	AdobeUpdater.exe
4956	AdobeUpdater.exe
4956	AdobeUpdater.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe7eaab8f932552e65b391359fe88db237_JaffaCakes118.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exeAdobeUpdater.exe

description	pid	process
Token: SeDebugPrivilege	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
Token: SeDebugPrivilege	4468	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
Token: SeDebugPrivilege	4632	AdobeUpdater.exe
Token: SeDebugPrivilege	1196	AdobeUpdater.exe
Token: SeDebugPrivilege	1316	AdobeUpdater.exe
Token: SeDebugPrivilege	4044	AdobeUpdater.exe
Token: SeDebugPrivilege	1064	AdobeUpdater.exe
Token: SeDebugPrivilege	692	AdobeUpdater.exe
Token: SeDebugPrivilege	1176	AdobeUpdater.exe
Token: SeDebugPrivilege	1860	AdobeUpdater.exe
Token: SeDebugPrivilege	3216	AdobeUpdater.exe
Token: SeDebugPrivilege	3664	AdobeUpdater.exe
Token: SeDebugPrivilege	4660	AdobeUpdater.exe
Token: SeDebugPrivilege	1956	AdobeUpdater.exe
Token: SeDebugPrivilege	864	AdobeUpdater.exe
Token: SeDebugPrivilege	3176	AdobeUpdater.exe
Token: SeDebugPrivilege	1740	AdobeUpdater.exe
Token: SeDebugPrivilege	4956	AdobeUpdater.exe
Token: SeDebugPrivilege	1520	AdobeUpdater.exe
Token: SeDebugPrivilege	3744	AdobeUpdater.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

pid	process
1196	AdobeUpdater.exe
1316	AdobeUpdater.exe
4044	AdobeUpdater.exe
1064	AdobeUpdater.exe
1176	AdobeUpdater.exe
1860	AdobeUpdater.exe
3216	AdobeUpdater.exe
3664	AdobeUpdater.exe
4660	AdobeUpdater.exe
1956	AdobeUpdater.exe
864	AdobeUpdater.exe
1740	AdobeUpdater.exe
1520	AdobeUpdater.exe
3744	AdobeUpdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe7eaab8f932552e65b391359fe88db237_JaffaCakes118.exeAdobeUpdater.exeAdobeUpdater.execmd.exeAdobeUpdater.exeAdobeUpdater.execmd.exe

description	pid	process	target process
PID 228 wrote to memory of 1396	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 228 wrote to memory of 1396	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 228 wrote to memory of 1396	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 228 wrote to memory of 4468	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 228 wrote to memory of 4468	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 228 wrote to memory of 4468	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 228 wrote to memory of 4468	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 228 wrote to memory of 4468	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 228 wrote to memory of 4468	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 228 wrote to memory of 4468	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 228 wrote to memory of 4468	228	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
PID 4468 wrote to memory of 3552	4468	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	schtasks.exe
PID 4468 wrote to memory of 3552	4468	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	schtasks.exe
PID 4468 wrote to memory of 3552	4468	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	schtasks.exe
PID 4468 wrote to memory of 4632	4468	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	AdobeUpdater.exe
PID 4468 wrote to memory of 4632	4468	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	AdobeUpdater.exe
PID 4468 wrote to memory of 4632	4468	7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 4728	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 4728	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 4728	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 3904	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 3904	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 3904	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 1196	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 1196	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 1196	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 1196	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 1196	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 1196	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 1196	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 4632 wrote to memory of 1196	4632	AdobeUpdater.exe	AdobeUpdater.exe
PID 1196 wrote to memory of 4740	1196	AdobeUpdater.exe	schtasks.exe
PID 1196 wrote to memory of 4740	1196	AdobeUpdater.exe	schtasks.exe
PID 1196 wrote to memory of 4740	1196	AdobeUpdater.exe	schtasks.exe
PID 1196 wrote to memory of 3216	1196	AdobeUpdater.exe	cmd.exe
PID 1196 wrote to memory of 3216	1196	AdobeUpdater.exe	cmd.exe
PID 1196 wrote to memory of 3216	1196	AdobeUpdater.exe	cmd.exe
PID 3216 wrote to memory of 5052	3216	cmd.exe	chcp.com
PID 3216 wrote to memory of 5052	3216	cmd.exe	chcp.com
PID 3216 wrote to memory of 5052	3216	cmd.exe	chcp.com
PID 3216 wrote to memory of 3108	3216	cmd.exe	PING.EXE
PID 3216 wrote to memory of 3108	3216	cmd.exe	PING.EXE
PID 3216 wrote to memory of 3108	3216	cmd.exe	PING.EXE
PID 3216 wrote to memory of 404	3216	cmd.exe	AdobeUpdater.exe
PID 3216 wrote to memory of 404	3216	cmd.exe	AdobeUpdater.exe
PID 3216 wrote to memory of 404	3216	cmd.exe	AdobeUpdater.exe
PID 404 wrote to memory of 1316	404	AdobeUpdater.exe	AdobeUpdater.exe
PID 404 wrote to memory of 1316	404	AdobeUpdater.exe	AdobeUpdater.exe
PID 404 wrote to memory of 1316	404	AdobeUpdater.exe	AdobeUpdater.exe
PID 404 wrote to memory of 1316	404	AdobeUpdater.exe	AdobeUpdater.exe
PID 404 wrote to memory of 1316	404	AdobeUpdater.exe	AdobeUpdater.exe
PID 404 wrote to memory of 1316	404	AdobeUpdater.exe	AdobeUpdater.exe
PID 404 wrote to memory of 1316	404	AdobeUpdater.exe	AdobeUpdater.exe
PID 404 wrote to memory of 1316	404	AdobeUpdater.exe	AdobeUpdater.exe
PID 1316 wrote to memory of 4864	1316	AdobeUpdater.exe	schtasks.exe
PID 1316 wrote to memory of 4864	1316	AdobeUpdater.exe	schtasks.exe
PID 1316 wrote to memory of 4864	1316	AdobeUpdater.exe	schtasks.exe
PID 1316 wrote to memory of 1996	1316	AdobeUpdater.exe	cmd.exe
PID 1316 wrote to memory of 1996	1316	AdobeUpdater.exe	cmd.exe
PID 1316 wrote to memory of 1996	1316	AdobeUpdater.exe	cmd.exe
PID 1996 wrote to memory of 4280	1996	cmd.exe	chcp.com
PID 1996 wrote to memory of 4280	1996	cmd.exe	chcp.com
PID 1996 wrote to memory of 4280	1996	cmd.exe	chcp.com
PID 1996 wrote to memory of 1968	1996	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Local\Temp\7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe"
2⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe" /rl HIGHEST /f
3⤵
- Quasar RAT
- Creates scheduled task(s)
PID:3552

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
4⤵
- Executes dropped EXE
PID:4728

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
4⤵
- Executes dropped EXE
PID:3904

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mJyiLDagoqBu.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SysWOW64\chcp.com
chcp 65001
6⤵
PID:5052

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:3108

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
8⤵
- Creates scheduled task(s)
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZVXe8EKMJlT9.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\chcp.com
chcp 65001
9⤵
PID:4280

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:1968

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3708

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ZdE8Q1BUSEI.bat" "
11⤵
PID:2868

C:\Windows\SysWOW64\chcp.com
chcp 65001
12⤵
PID:4696

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
12⤵
- Runs ping.exe
PID:1404

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:608

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
14⤵
- Creates scheduled task(s)
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HPSo2ykS4CKM.bat" "
14⤵
PID:228

C:\Windows\SysWOW64\chcp.com
chcp 65001
15⤵
PID:4252

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
15⤵
- Runs ping.exe
PID:2360

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
16⤵
- Executes dropped EXE
PID:4728

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LeaKVNMY1GB2.bat" "
17⤵
PID:2980

C:\Windows\SysWOW64\chcp.com
chcp 65001
18⤵
PID:3788

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
18⤵
- Runs ping.exe
PID:548

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
18⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5052

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
20⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYS2qWekPpjV.bat" "
20⤵
PID:4740

C:\Windows\SysWOW64\chcp.com
chcp 65001
21⤵
PID:2972

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
21⤵
- Runs ping.exe
PID:376

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3012

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3216

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
23⤵
- Creates scheduled task(s)
PID:3852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UhuwJpMIWTky.bat" "
23⤵
PID:372

C:\Windows\SysWOW64\chcp.com
chcp 65001
24⤵
PID:2044

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
24⤵
- Runs ping.exe
PID:3576

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
24⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3324

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3664

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
26⤵
- Creates scheduled task(s)
PID:3244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\j6dqsm3PE3PX.bat" "
26⤵
PID:1220

C:\Windows\SysWOW64\chcp.com
chcp 65001
27⤵
PID:3232

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
27⤵
- Runs ping.exe
PID:3124

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3228

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
28⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
29⤵
- Creates scheduled task(s)
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kKwcZRUCfKZJ.bat" "
29⤵
PID:4088

C:\Windows\SysWOW64\chcp.com
chcp 65001
30⤵
PID:1860

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
30⤵
- Runs ping.exe
PID:1280

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
30⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4116

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
31⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
32⤵
- Creates scheduled task(s)
PID:32

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yBZvGjOmlsNH.bat" "
32⤵
PID:5000

C:\Windows\SysWOW64\chcp.com
chcp 65001
33⤵
PID:3184

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
33⤵
- Runs ping.exe
PID:4896

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:748

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IXBnWx3l4Bl4.bat" "
35⤵
PID:116

C:\Windows\SysWOW64\chcp.com
chcp 65001
36⤵
PID:3124

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:4968

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
36⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
37⤵
- Executes dropped EXE
PID:3096

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
37⤵
- Executes dropped EXE
PID:4900

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
37⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
38⤵
- Creates scheduled task(s)
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIS7lZGwiDVe.bat" "
38⤵
PID:1612

C:\Windows\SysWOW64\chcp.com
chcp 65001
39⤵
PID:4088

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
39⤵
- Runs ping.exe
PID:4020

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
40⤵
- Executes dropped EXE
PID:4620

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
40⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUWIGNLm5MTu.bat" "
41⤵
PID:4252

C:\Windows\SysWOW64\chcp.com
chcp 65001
42⤵
PID:3460

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:228

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
42⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:892

C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
"C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe"
43⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3744

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "AdobeUpdaterStartup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe" /rl HIGHEST /f
44⤵
- Creates scheduled task(s)
PID:3704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XcMj9CjiBO5a.bat" "
44⤵
PID:5040

C:\Windows\SysWOW64\chcp.com
chcp 65001
45⤵
PID:2328

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
45⤵
- Runs ping.exe
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 2208
44⤵
- Program crash
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2232
41⤵
- Program crash
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 2240
38⤵
- Program crash
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 2244
35⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 2220
32⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 2244
29⤵
- Program crash
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 2216
26⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1104
23⤵
- Program crash
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1672
20⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 2224
17⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 2216
14⤵
- Program crash
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 2196
11⤵
- Program crash
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 2248
8⤵
- Program crash
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1944
5⤵
- Program crash
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1196 -ip 1196
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1316 -ip 1316
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4044 -ip 4044
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1064 -ip 1064
1⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1176 -ip 1176
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1860 -ip 1860
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3216 -ip 3216
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3664 -ip 3664
1⤵
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4660 -ip 4660
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1956 -ip 1956
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 864 -ip 864
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1740 -ip 1740
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1520 -ip 1520
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3744 -ip 3744
1⤵
PID:3664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7eaab8f932552e65b391359fe88db237_JaffaCakes118.exe.log
Filesize
617B

MD5
99e770c0d4043aa84ef3d3cbc7723c25

SHA1
19829c5c413fccba750a3357f938dfa94486acad

SHA256
33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5

SHA512
ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ZdE8Q1BUSEI.bat
Filesize
212B

MD5
9cc3cb37ad4f9736883fb54928494439

SHA1
58e03a7566b4e12faa2bf9bc93a013713b4066ec

SHA256
9f1bda5864c981ef1be4575a2b94fea4e188fd58880d3e397acc7486741e13b4

SHA512
19427d69feaf9bfb37606a2de05954731e4e310cd262635beffbe2814c49afb577e6e15ccdaafbe073e724c8a66faa66f8a2e97e0203b0cdce19d71ca7ae7498

Download Submit
C:\Users\Admin\AppData\Local\Temp\HPSo2ykS4CKM.bat
Filesize
212B

MD5
5d9fc815f8c60f8f46be479c84e11b81

SHA1
0d814d9c7cd018f8c59305ddf27a9a66f609e0e8

SHA256
f810bfe3a3df7192911592bcdca40c14cd30c4960b8e675a807660d8ab48b4c4

SHA512
ad5118069eedc573e2fe11c378561389d5481baedde3d75f7d1d2838c0a653d4c288951da4a64318c768c32ff271651b15567a24bed88de828b8167fef1981ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXBnWx3l4Bl4.bat
Filesize
212B

MD5
fb2f128a91d53e509fdc885a408afee9

SHA1
c8cb1e9fc595da37441b3affa7fc12414d19d2b5

SHA256
a70dbdc55471c39be44e8508d768f6618200b83c8c9c1a4f88430305be60b7d9

SHA512
b52f90eaf0f418e2106cd9c1e299fcf09ad49aaceb66cbf5a4a8bc8882e86e9b29df45d4dfd0acc4dffa767ef2c8f30e363c71213ae1e3e9628a578eb34a2a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LeaKVNMY1GB2.bat
Filesize
212B

MD5
6501570a9bea5ca583e1688b2f717051

SHA1
4bb8fd5ede03d49cfb57c548863a0118d81ef5e5

SHA256
81cc646796e7f86d5075b0f62293e1a8f6a6846aaf0618dfd9073d00894adc50

SHA512
6ef5f3efaeb4b3226ef3a23175bad062b5d0fd288923c13c36d67e9ad1399b643c0517422e83009d326e5ba8a56ca49fff157e28029f5dc90c55dacd181b4de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PIS7lZGwiDVe.bat
Filesize
212B

MD5
32b09f9ae71d2445f7596c44cf07a5c5

SHA1
6f6a9e97e18e8b4ec3370253b3e1e1ef8f4940bf

SHA256
6442dedf6ad10cabba3a2236deff135f64e84e18e55a60e83e0e6471a1d04eb4

SHA512
30abb694f4be9753156d09aff9b4f88812f87e55bbc4042d2bd516c235c4fdd5f5d022f53f25896161d69a76726e2c5a7890323c17ff0aa09ae9526d1a32e096

Download Submit
C:\Users\Admin\AppData\Local\Temp\UhuwJpMIWTky.bat
Filesize
212B

MD5
ca9aa317a498c5dfa98478c59c1ddbe1

SHA1
f52a6b50635422ced949cacb36720e88fc0d61e4

SHA256
d030e67e16a1dd824982737370c510461fdd0c50003352649a1742275b489213

SHA512
d837e668c46c8a0c6d58a2564a02a9f43eb9f2ef7fb35379809b9c8ca5c0d55328da0ef002686873a762cc1cbf514d9aaa8b1957685209afebf3f6ec29665872

Download Submit
C:\Users\Admin\AppData\Local\Temp\XcMj9CjiBO5a.bat
Filesize
212B

MD5
5ee1d02df8d1ac765e9b9a98cbfae524

SHA1
eb76776f07f0ef4ce2f34c969e0651a1a13c589e

SHA256
d49ab31b2f7fdfb3064e2860698d524e4b220d29efb7ffbc4bbef9f3a3f3a2ef

SHA512
70b21f4f4ee1e98d50d13e3609de43c39a8852075f6c6c97b368a1ca51df94546d5ec8dcebfa263789e40a1bb94c4d9c982de3129366e9c2829de5c1a90d7430

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZVXe8EKMJlT9.bat
Filesize
212B

MD5
779456bde0e37b5b3378916d67eda428

SHA1
61c4b1827c95c3765887cbd02fd752989ff6fb46

SHA256
da9e677c66e7216f9efbd450b65a014caa6d6604896cdb720715b9aa006e6715

SHA512
8dc72d560aab3666e096cc9947b3135160581512e52a5b79622bc60fc693ef426df3489299f79cef0a5faf876a5074e03b9ca9037dde4dc3b34c395c1575f965

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYS2qWekPpjV.bat
Filesize
212B

MD5
72a5caa6b4689e819bd5e8d061deb642

SHA1
91dbdf7bbcbf6341f912b86eca1aeb95f17854a6

SHA256
dd653d799f54aad24504d54b9fbef887358d1a2f622cf2b870a822b07c549993

SHA512
126a65438c3104fd9c9776e70fb74b17799f5d98e0eac6ff4edcd5f70524f6daf16c394b6f5c6ceab0ebbcf0242cd9613371d6641a0cb6214a31d94b9de145ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\j6dqsm3PE3PX.bat
Filesize
212B

MD5
bfa2c2b1552ff41e63b0ad5453e33e7b

SHA1
2ec1152728fbdfb2eed43ff96e77f9a04910900c

SHA256
c7954acb33588e6354dba031c273538d65ae5407f0644f98da9d136ce7777230

SHA512
640178c0ad7df3ec77ef1f4a5283917aef1c98e63b41bfcc2ff46165f24c2be880d86bb069ec68ad7cd526a4e8aac964202417ecacf994050264d547c549594c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKwcZRUCfKZJ.bat
Filesize
212B

MD5
05bc671b87f72484ed5502c638e2c7ee

SHA1
0f0c6a3347dbb9be0e1d30d5fca916f9ce93e37b

SHA256
6404009c7ede2ffdad9ec427d5dc757a56b4c96ab76b438d62702ea6be4d57ec

SHA512
a465b90ad3e216919add7a971f93f267410cccefee00fb0d0c5ec3a1a4714f8d62f7d85ce69acdf76cf937823e938e4bf870fd71772cd38c49724572d178dd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJyiLDagoqBu.bat
Filesize
212B

MD5
2cb4ab93026fc9b00818621afc2f6749

SHA1
938a8b688c260b6c5471a88539af2716c604d6f9

SHA256
fca7316002a5d50b4585072a5ac9ece0c0d43c3badad726b1dbb7b2c81d83619

SHA512
db2a9996a99a79d3f0b26bc10206517c4e163af3d8062c5e67372e7113bd4a4ff6ce1a8b0af8a313f83a2f6d09d0908b91ce2f493d9db3fc30456bde6d60cbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUWIGNLm5MTu.bat
Filesize
212B

MD5
869ff81637cf253a1786fbf6abba0296

SHA1
b5e875fa655b1b4e62cb00e3b9f0cb97d2dc6fbb

SHA256
e296d63d29d8c5e12eca79b6a669a6c2c31ede513340ae78cac99d06778538df

SHA512
8b88f740a347e374b53c040740de6838eeb0b78fcc786f42a869c68164a00361982954f73055ea61ade20ee52e0c701bffdedcf10810a8447abdb79e9f408b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yBZvGjOmlsNH.bat
Filesize
212B

MD5
8ffb028f7a63b32c7f1bf12f1e769af8

SHA1
c71e10422e207b6bb0199ef6babd3ca6a73c6f08

SHA256
2cc477d72053a74c9f73c8864cd7e19e416d95fd536c378003919e50850ce61d

SHA512
36bc397b1a7d1beea2d75f8782597f135872424026e34362b6035dfbeb22e6247f46accb6e0600ee6b9706012e1b999b146cdeb1f28ccfd2db6fc9b57af8a8f1

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\AdobeUpdater.exe
Filesize
376KB

MD5
7eaab8f932552e65b391359fe88db237

SHA1
38e58600b962926d1cfa61429361d51fd58e014d

SHA256
c43f7f1986561c8c66d39dd44bf7cd78907d9c1413488b95e3bbfb3b040be4bd

SHA512
2a6df2cb42da675c9c92657aba78eb9c31a910ed50a876593f6ddbd9bb147735157024d3d8585416fb2fbc575726acd3bd425a1367c0691f778690e81c020702

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
2c79f9dd94e601ba759b6ab3ea4afe91

SHA1
9f13033fb851b1592ea6bf30d4cf46a508368df5

SHA256
e515bf147d6a60aca230dc591d0dd2828002a92be3db97a5ba6057c9e399ca69

SHA512
7be6f1dc8e240b8e1610e10fb5f6b24e8269b1928b375a0ec5d1d82496efba37b1f23d302a6fad470a1c58d49bf1ac58968191ddac19cdb7c2b7bae4b420db6d

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
f26ea248ec640cb81df74a6d4e0099bd

SHA1
5a315df445f6e30301c66f7874255f4129e1cd7e

SHA256
99d33185938f4333a7dc965a9f076e1e2eacb63ff68e3be16f5e852dd1827e3f

SHA512
bf34badbdd6a6ed66e493a15cba6c283d7330149098b0c850a8cf9bf874e02e2daca66f712f8e02cc56d0faca439e99fb3d32c74fa4751c4ad33dfe45e7d2929

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
02f1e49e15dd29e5359eb7ba09c34289

SHA1
98df99e9c35c42580d0ecef12d4e55df7604b76c

SHA256
6cb8648f56862210297c8b49b52c6fd7f54816c1e97cba98485ee4d22134bf52

SHA512
5c1973fe59a1a04ee646269fcaf97e532b9f1da4faaf2cca2fcdfb89f7b98b643a09cc4af34fe3667d607d0f87d4ba2c4de8b2867a88a94238775d07feefc904

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
cb20efb66ec8c8b65ec9e36186fc50f7

SHA1
4fcfdd3b68ea5a29f987abc2d7c2bde18bcea938

SHA256
96cfb77b751bc5c1e12a95fa2673aa9f51c47d15d76e713f6bec7e4693701905

SHA512
82d4c354531f15ffe04bfa80fec66c133a1b65860e838d9215fc096c244b2d2020502e6a749842fb6e26697763ad064ef197e18ce22522475a78ee486802395b

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
64507fd4dd599e0d00b5e0e103947b87

SHA1
b770a2db740d922aa53d58ed2d0c08e578845f70

SHA256
9a72f50147a545b22f8ab2e1075a9ea7a504588e204d242d91f800e4719d2dee

SHA512
9b6948091aa0f6ce6fe076fd517513b83c7442baa2ab9730459e2508d1ea6e6ab87929f5aa77e5d3ac6da992cc94ab9d7afe540648b68ff48f2a8a8078883694

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
987b33e70bd743763b275ea93ee68ee8

SHA1
1e56ee3dd81e17156b041d76c7fdc36dcb1049de

SHA256
e8cbbd2f52420b3707e84c55bd7b9b8136dd45cb956fadf5f8d21ef40b1c6800

SHA512
4cf6a418105cb5c334ce4aa02faeb12e3d0f6e68819fac6af2bbbfcb1f8eafd735a7c7f3ecbafc00c23904b51119e46f280765c67cb93c64a565a368c2e81374

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
8fb09bf980310be9a39f2463baa0d96d

SHA1
5069a5743ec83483c6751d1bda28b4a187545ac4

SHA256
764a2d4c0e11d8392bf3ed1b3d4649b66efdbd97a4cd320a0733bb4b16b5b017

SHA512
76265df147337853c9674f661659d484cb9da317d3740600212b84531edda981ea188b2d3227204365c2bc48b856375a3da469464da64e8965bbc15e67aa1ac4

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
49543e7624fe046c109e8ae10ebcc2e1

SHA1
6e13f3bb86de856a5a4f79fc3ec9cfe926f4ad90

SHA256
84de494a73f94e45e1414fdb2a1bf54e57fbe67f398ea5d1c9bbde9d00097404

SHA512
e6890d3c13054f0cf1a33933c08eadb5da7fb75e4d14efa3b760fb2d507005efb1e41df6d357593b7b02e047a04b91c6def1b3068a13b328f87869d95a0b3c30

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
6dd6a1414724729791c3fa96d060dc5f

SHA1
950fc6253139e678cf0d50828119a595df7279ac

SHA256
700886d52eee987a95dc38ed5e9fb3a5ab090b82f451a2ea0644a96fcd59f3a5

SHA512
940361240b9de566e56c1f35234a78308a53e368e8bb0070170393cd49c88a7d99056752969df102069cfb3cc9499b8d9ed0bbce53144d3417350c04b79b57c3

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
5efdb701de1d67cdb5b3843f4993e12c

SHA1
960fec4efc6f601b37567292073c28103be35ba3

SHA256
415ddedf403b31ff8b6e81d27f927a8ef65d4c166a765367c5dea0b351641bc2

SHA512
f04cfefe173ca2988d87664c98c828423e81fdccef2f0bcaf412e45ab8bc29cdf5fe6a5aad2990309d1a990c3c3c4fdd6e20f4f37ac8a4b437448fb7f3b3d4df

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
79b9dc6343c9212ef17e4a7c0f595e34

SHA1
5e0ec5961e2cca044679b0a2d123f6cdc5cb6de7

SHA256
7ea42b60d3643819cdd3d9fbb99045d3d6cb52338af7a7da68e12ec74aca0e02

SHA512
3aeaa3a56d0eaf170bc7808162e5bc444ac78c04538f46ce0f61f1c7c57e3b556d82f73c24e4fd0fed89b33c88e2ba689d2415fb344df78e74983d1f6c85d448

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateLogs\05-28-2024
Filesize
224B

MD5
2c7ff406d73d922c06879f060487b671

SHA1
550af4b571b65e23aa1f6610d9f4a0779165a542

SHA256
9a3f4c2e454f7e5572c04661d51825c31cffc46102084d50357cefa5dcd6e6e9

SHA512
aff95d41f32beb93b294d2750552e0d55d911804c543550b86cf60ae77f875f68913c8519752ebc0d7687c82da8c446ca5cd7baadba02122a54bca46107da8d0

Download Submit
memory/228-10-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/228-1-0x0000000000680000-0x00000000006E4000-memory.dmp

Filesize
400KB

Download
memory/228-2-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/228-3-0x00000000029A0000-0x00000000029AA000-memory.dmp

Filesize
40KB

Download
memory/228-4-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/228-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/228-5-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download
memory/1196-30-0x0000000006630000-0x000000000663A000-memory.dmp

Filesize
40KB

Download
memory/4468-12-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/4468-11-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-9-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/4468-21-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-8-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4468-6-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4468-13-0x0000000006200000-0x0000000006212000-memory.dmp

Filesize
72KB

Download
memory/4468-14-0x0000000006880000-0x00000000068BC000-memory.dmp

Filesize
240KB

Download
memory/4632-20-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4632-28-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download
memory/4632-22-0x0000000074920000-0x00000000750D0000-memory.dmp

Filesize
7.7MB

Download