quasar | ef907fd66d7532ecf1127f0a6c0b67282ff684aa5a20a563d475b146c3e8a064

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Size

1.2MB
MD5

7638784288ea865f0301c5aa5c55f660
SHA1

66a030a6a3e64d425b522bb03f07dfba61e62734
SHA256

ef907fd66d7532ecf1127f0a6c0b67282ff684aa5a20a563d475b146c3e8a064
SHA512

9701ec935dc8b08662d72aed92c355751fbf0fcf0484819675d5d8471ed10dcf6bddc40f6d702b4bba5212cfb2849abd808ab8944815bad3d829935360e676ed
SSDEEP

12288:o69mvoUS5tL67Iq7tQFPaDwQTIdcEimYryWReOTu4u5Z1OEkwM0u0LVmZm/OO56W:wChI8aT0

Score

10^/10

quasar discovery spyware trojan

Malware Config

Signatures

Quasar RAT 5 IoCs

Quasar is an open source Remote Access Tool.

trojan spyware quasar

description	flow	ioc	Process
Key opened		\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
	2	ip-api.com	Process not Found
	9	ip-api.com	Process not Found
	16	ip-api.com	Process not Found
	18	ip-api.com	Process not Found

Quasar family
quasar

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
9	ip-api.com
16	ip-api.com
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3000	PING.EXE
3028	PING.EXE
2596	PING.EXE
1808	PING.EXE
2732	PING.EXE
2936	PING.EXE
2932	PING.EXE
2112	PING.EXE
2036	PING.EXE
2636	PING.EXE
2380	PING.EXE
2684	PING.EXE
580	PING.EXE
2560	PING.EXE
1816	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2932	PING.EXE
580	PING.EXE
1816	PING.EXE
2036	PING.EXE
2636	PING.EXE
2596	PING.EXE
1808	PING.EXE
2560	PING.EXE
2732	PING.EXE
2380	PING.EXE
3028	PING.EXE
2112	PING.EXE
3000	PING.EXE
2936	PING.EXE
2684	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	2780	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	2356	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	1736	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	1340	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	1744	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	888	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	2800	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	1632	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	2372	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	2352	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	1360	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	1732	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	888	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
Token: SeDebugPrivilege	2548	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3064	2236	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	31
PID 2236 wrote to memory of 3064	2236	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	31
PID 2236 wrote to memory of 3064	2236	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	31
PID 2236 wrote to memory of 3064	2236	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	31
PID 3064 wrote to memory of 2552	3064	cmd.exe	33
PID 3064 wrote to memory of 2552	3064	cmd.exe	33
PID 3064 wrote to memory of 2552	3064	cmd.exe	33
PID 3064 wrote to memory of 2552	3064	cmd.exe	33
PID 3064 wrote to memory of 2560	3064	cmd.exe	34
PID 3064 wrote to memory of 2560	3064	cmd.exe	34
PID 3064 wrote to memory of 2560	3064	cmd.exe	34
PID 3064 wrote to memory of 2560	3064	cmd.exe	34
PID 3064 wrote to memory of 2780	3064	cmd.exe	35
PID 3064 wrote to memory of 2780	3064	cmd.exe	35
PID 3064 wrote to memory of 2780	3064	cmd.exe	35
PID 3064 wrote to memory of 2780	3064	cmd.exe	35
PID 2780 wrote to memory of 1868	2780	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	36
PID 2780 wrote to memory of 1868	2780	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	36
PID 2780 wrote to memory of 1868	2780	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	36
PID 2780 wrote to memory of 1868	2780	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	36
PID 1868 wrote to memory of 2956	1868	cmd.exe	38
PID 1868 wrote to memory of 2956	1868	cmd.exe	38
PID 1868 wrote to memory of 2956	1868	cmd.exe	38
PID 1868 wrote to memory of 2956	1868	cmd.exe	38
PID 1868 wrote to memory of 2732	1868	cmd.exe	39
PID 1868 wrote to memory of 2732	1868	cmd.exe	39
PID 1868 wrote to memory of 2732	1868	cmd.exe	39
PID 1868 wrote to memory of 2732	1868	cmd.exe	39
PID 1868 wrote to memory of 2356	1868	cmd.exe	40
PID 1868 wrote to memory of 2356	1868	cmd.exe	40
PID 1868 wrote to memory of 2356	1868	cmd.exe	40
PID 1868 wrote to memory of 2356	1868	cmd.exe	40
PID 2356 wrote to memory of 2996	2356	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	41
PID 2356 wrote to memory of 2996	2356	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	41
PID 2356 wrote to memory of 2996	2356	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	41
PID 2356 wrote to memory of 2996	2356	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	41
PID 2996 wrote to memory of 2376	2996	cmd.exe	43
PID 2996 wrote to memory of 2376	2996	cmd.exe	43
PID 2996 wrote to memory of 2376	2996	cmd.exe	43
PID 2996 wrote to memory of 2376	2996	cmd.exe	43
PID 2996 wrote to memory of 2380	2996	cmd.exe	44
PID 2996 wrote to memory of 2380	2996	cmd.exe	44
PID 2996 wrote to memory of 2380	2996	cmd.exe	44
PID 2996 wrote to memory of 2380	2996	cmd.exe	44
PID 2996 wrote to memory of 1736	2996	cmd.exe	45
PID 2996 wrote to memory of 1736	2996	cmd.exe	45
PID 2996 wrote to memory of 1736	2996	cmd.exe	45
PID 2996 wrote to memory of 1736	2996	cmd.exe	45
PID 1736 wrote to memory of 2132	1736	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	46
PID 1736 wrote to memory of 2132	1736	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	46
PID 1736 wrote to memory of 2132	1736	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	46
PID 1736 wrote to memory of 2132	1736	JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe	46
PID 2132 wrote to memory of 2116	2132	cmd.exe	48
PID 2132 wrote to memory of 2116	2132	cmd.exe	48
PID 2132 wrote to memory of 2116	2132	cmd.exe	48
PID 2132 wrote to memory of 2116	2132	cmd.exe	48
PID 2132 wrote to memory of 3000	2132	cmd.exe	49
PID 2132 wrote to memory of 3000	2132	cmd.exe	49
PID 2132 wrote to memory of 3000	2132	cmd.exe	49
PID 2132 wrote to memory of 3000	2132	cmd.exe	49
PID 2132 wrote to memory of 1340	2132	cmd.exe	50
PID 2132 wrote to memory of 1340	2132	cmd.exe	50
PID 2132 wrote to memory of 1340	2132	cmd.exe	50
PID 2132 wrote to memory of 1340	2132	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
1⤵
- Quasar RAT
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RiRdfRvspGmG.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\HjPVNMxu67Sb.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8H2I6oXACowv.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2JotbSjWzTKA.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vMbV66vrm8hO.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cIiVbfEejMER.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SJgNJZGg0Dvl.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nZbxa9ORyYfJ.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\qCuMJhrGug0p.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        19⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ljpmaYfgNIGz.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        21⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\vxpFkFFew5qt.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        23⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eO6400AWaHHq.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        25⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQsfVeMrNwe4.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        27⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\BMBvDTULoNUD.bat" "
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7638784288ea865f0301c5aa5c55f660.exe"
        29⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5OxXi7ggb2sR.bat" "
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2JotbSjWzTKA.bat

Filesize
243B

MD5
c938999a966d8cfbb8319c214e068acd

SHA1
4f688fc724abd6067208d48aff0c111fe7f516ce

SHA256
82eaaa4fc4e88b48eb00ad90c13e603f2e90f0efe67360f7b421621407cadc81

SHA512
7447043a70c7dc35ee3bd84f11801f51c3a697d1a38304aa238e4b2a3501df686d9bcb2d57a6938fd24ecb0d7af1be731ccfd5539d7e87aab518c8c03f4b047b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5OxXi7ggb2sR.bat

Filesize
243B

MD5
4328478585c3c00d02e27b9545e601ae

SHA1
fc46f79657d7e1cb8f3a3b7e289c003a1f2b572e

SHA256
c9c62d0d42df1414179266ff8c651cb3a26df25a41e66435744f51042f359f4d

SHA512
9d254cf8679a1b459b88f3fb7249afc64a0de19cb7adbbbc4911b0add9223461cc5ccbc6412359222bd29e12a63fb42cb351777485e60d050e6fd722f8d7169f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8H2I6oXACowv.bat

Filesize
243B

MD5
f3399350fdf230ef42d8e580edf7db45

SHA1
147b4b66974d92ce3740a7a4c2fb2cb3d7cc6836

SHA256
f866367dd85aba8f14950825acb20dafac2481e8ff89975890eccfd0c2c9d65d

SHA512
7e1417037658ad03bf596a44363591d0d5e4e52918137cd9c1b6ac59eaf11d611c682a1ce923be2fa5af178a929f23291ea4ceba1ccddd5b0aa7624a7e9117c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BMBvDTULoNUD.bat

Filesize
243B

MD5
9452a9f7a43cb1ed2e6beee343092d5b

SHA1
1ec6feccd6258d75d1266284893ad2f0f999d352

SHA256
41c4c7c38c6564fa75f75efa17a527e8a361d0cfc741f79def543e51bf0b18ab

SHA512
225ce8c59e4568be46179c6c1bad9a89c7da78ef2a275b20c38cf279468dfa3ae0dade484c831490d73d23f710ec610a31973a9f1e3a08914da2ebf80c679ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HjPVNMxu67Sb.bat

Filesize
243B

MD5
870da4061459733872a3632d1eb91c14

SHA1
8fbeb6b2edbe647a262fa2f609bcc51548855f39

SHA256
f8364240afec8a333fdda3198f8029844bf593b1ece8a88c36579f3d7ccd966b

SHA512
50067864a58d05f6dcee689a5a3ecac14cac90f8145c426c9b8ebe3cc96720351274282de704272103dcadd2516a8fe22ea19b28d4a43a84daa2acb2e74747d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RiRdfRvspGmG.bat

Filesize
243B

MD5
3fc81d7e33341a97917d49bee4b5966b

SHA1
16792815831df968123ef0710cd178982774e14c

SHA256
e942214bd9374833e111150e8fe8907d00660aca9f73bbb74ea8b8dc9916eb5d

SHA512
bd93da229f6cdfff294ef7dfd853036777c2318629ed56a3f4365a2b810df495d999e5c58c1b00c5ae37643691877a1aeca73ffc2bb86a5838605e11d5fc4b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SJgNJZGg0Dvl.bat

Filesize
243B

MD5
09115f21493f69e559d5018821f4a78c

SHA1
992bac7bf06c7e6579ccc92e8315695c5d688bc3

SHA256
ecca53caa95d74e659b8e1196b7a58dcdf9f7871d9709ff38ca90f3227cd4f07

SHA512
21cbfde9e442e281260c026e362ce3e2c051f0b66d0a709b377edf0f1fef75e50311213d06a3ef52ce2efa3e4341f9522e49b8d2354a4c353c88241eb8319c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQsfVeMrNwe4.bat

Filesize
243B

MD5
45e2a4e48767792b9368f1618e179418

SHA1
42a131effb2de7a623b159637da164307d36f864

SHA256
5c92627f978aa2e008718b337e45dd8e40f119e4f7ed5ba076924237ad9296bf

SHA512
56559c880c0ca7ee8f64f18f4e035bf8950a893484bad5e990101d5d3f3b9f8ba2bcc100d215e815f74f6997c26b5d1cedcb80867aebd29149a194646490562e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIiVbfEejMER.bat

Filesize
243B

MD5
f6e6a33988dc86ff8fac327e392b5162

SHA1
7ed31e794ac1369d3d07517bc27c0d5c8271fc0d

SHA256
7551e257e33c96cd2e646100fa106123e88d726e17aace032c5d9d29422cdb05

SHA512
aec4407a1d2f13a0719a140832434579af3ffe7d4154e08c2b4e9fa02175effe4ccef08c46b9daf10499b1306bb3d73d7c49519a36f177a4833b1f58755ad2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eO6400AWaHHq.bat

Filesize
243B

MD5
fc1b194461b6125acdeba6d7a76b9f05

SHA1
0b1973546ef582e79dcd65de12ea10a0689211c8

SHA256
765ea924e483f107ae2830c0fc9d5bc2589732bdb931b263bcf75295f1f6fb05

SHA512
caa5e58773d736c3cbf82d0d69d74e8adea4991225c795cd95dc64841ce432b46389409566a7795742596bc13473a73c9d12c2c54fb5b7b8a6691db16edf8500

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljpmaYfgNIGz.bat

Filesize
243B

MD5
2b551ca41d0fc6cc4bba80bba85387d1

SHA1
2d9f75674287355f8a66601cc1a65b4d265bd7bf

SHA256
2667e28ed0aa86297c6f72f523b9eadf3cb5a77c78239d618889b4dcaf4a3e5b

SHA512
c0d47c544468b78b85574e000a49fc57a5bd7a252359de0227be81d4dc66b22410b31b0e2fd34ef8a65310682997399f0a9a05b0d6f6f5f7f89bec479adc70da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nZbxa9ORyYfJ.bat

Filesize
243B

MD5
b6275aa2726e31b4740f6c0bb7324bf6

SHA1
74b10972d7ab00a99f96850bab73c5aaf4dbad17

SHA256
01711d4bd7629423bbcf49422b70e9643fd880d45c40c586fc02f56ce3d5241f

SHA512
f068df9c1cf1b9b5129c58fcb57705155e82c3f5b56c66a98efefedeaa24c4436ee1c11c9474ccb4a510f1f383c2a6bb74ad068323d19fa5f58e9e5d96c5f023

Download Submit
C:\Users\Admin\AppData\Local\Temp\qCuMJhrGug0p.bat

Filesize
243B

MD5
29a624506f5750e6689fa4af0e1484ec

SHA1
dc1f33dc1a816c5a8babb7e132d5a03d29ed86fe

SHA256
5e5150b7428b21b7f7823a560823805dad3ed5934e0741af86f849a65a2c21ac

SHA512
c503b753f79ed43b3ea05dc30976ef2754b0b423fd6eb8ab98c96bf2673054475ce99b87572ebf0006b1de4d2e886ac80964fc7334eb97afc6a83bec952926c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vMbV66vrm8hO.bat

Filesize
243B

MD5
43c7fad3852dd3bb2fd2c3beecfbad66

SHA1
a739a1ad5046afaecaa8c86cddd29c2217c59a06

SHA256
9cd61ddd1fd8a49427ea7b12539398773578294459f9097da8d4014695d8290a

SHA512
a90b1e26efb5282dfcfb68dee1200776e866997c4cc27238f87c18243d9daccb3f4d3c41f67dec6f9376ba7bd64dced1f762ec2dcefdd26e50143dd4d8a82f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxpFkFFew5qt.bat

Filesize
243B

MD5
4715fa05aae735cc9d9428362e1d36ce

SHA1
2438253da7ca3ba232808cb297a84a7ddfd04dc7

SHA256
d0664eae1b4f70ff2e28513e8d965e2ab283139e1f6a384f66cb1140cc6ea190

SHA512
04a0ff7b04a7401bed06a1bc915f294e6cd4a80b440337c6952da69162749dff0f01b2e631256c288e93e19dd9add84cc7bf6a615d101b73b19ede19953586b2

Download Submit
memory/888-136-0x0000000000D40000-0x0000000000E80000-memory.dmp

Filesize
1.2MB

Download
memory/888-64-0x00000000002D0000-0x0000000000410000-memory.dmp

Filesize
1.2MB

Download
memory/1340-44-0x0000000000110000-0x0000000000250000-memory.dmp

Filesize
1.2MB

Download
memory/1360-114-0x0000000000150000-0x0000000000290000-memory.dmp

Filesize
1.2MB

Download
memory/1632-84-0x00000000002C0000-0x0000000000400000-memory.dmp

Filesize
1.2MB

Download
memory/1732-124-0x0000000000D40000-0x0000000000E80000-memory.dmp

Filesize
1.2MB

Download
memory/1736-34-0x0000000001310000-0x0000000001450000-memory.dmp

Filesize
1.2MB

Download
memory/1744-54-0x0000000000CB0000-0x0000000000DF0000-memory.dmp

Filesize
1.2MB

Download
memory/2236-1-0x0000000000200000-0x0000000000340000-memory.dmp

Filesize
1.2MB

Download
memory/2236-12-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-2-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download
memory/2236-3-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2236-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

Filesize
4KB

Download
memory/2292-135-0x0000000077270000-0x000000007736A000-memory.dmp

Filesize
1000KB

Download
memory/2292-134-0x0000000077150000-0x000000007726F000-memory.dmp

Filesize
1.1MB

Download
memory/2352-104-0x0000000000C40000-0x0000000000D80000-memory.dmp

Filesize
1.2MB

Download
memory/2356-24-0x0000000001310000-0x0000000001450000-memory.dmp

Filesize
1.2MB

Download
memory/2372-94-0x00000000000A0000-0x00000000001E0000-memory.dmp

Filesize
1.2MB

Download
memory/2548-146-0x00000000012A0000-0x00000000013E0000-memory.dmp

Filesize
1.2MB

Download
memory/2780-14-0x0000000000930000-0x0000000000A70000-memory.dmp

Filesize
1.2MB

Download
memory/2800-74-0x0000000000C10000-0x0000000000D50000-memory.dmp

Filesize
1.2MB

Download