Analysis
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2024 09:46

Behavioral task: behavioral1
Sample: d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe
Resource: win7-20240221-en
Note: the signatures and process tree below come from the win10v2004 run (the memory dumps are labelled behavioral2/...); behavioral1 on win7-20240221-en is listed here but its results are not on this page.
General
Target: d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe
Size: 6.0MB
MD5: d04352c69e8d56db5f9eb8f0b6573365
SHA1: 21d7ec8a608f26756eb8531f3d51f7e0a63f7d8d
SHA256: 40f9ef6921839b83373e8d981655b24f2b9c6d9b5b342d2bf621c8d6ea5528f8
SHA512: b341b0e0eeb9031ed17dcc490b6bbb74fb3f6b563a09c66ce59acc002967a86719d7ac1e31b30068277be0448672a35a330271ac74b032f6216e8fc93160ce41
SSDEEP: 98304:blFqmwupyhcHp5ooEAnHRVN07KgHDpS18DqBRe7qxKfT1J+tNY3LU4rI2qo:bWJuMg53HRVu7vHDpS1IqBRU7kCs2q
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet/tag: Chrome
C2: live.nodenet.ml:8863
Mutex: 754ce6d6-f75b-4c6f-964c-3996e749369e
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
The extracted install settings match the observed behaviour: the client copies itself to C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (subdirectory plus install_name under %AppData%) and registers a logon task named System (startup_key). reconnect_delay is in milliseconds, so the client retries the C2 every 3 s.
Signatures

Quasar payload (2 IoCs)
YARA rule family_quasar matched:
- C:\Users\Admin\AppData\Roaming\chrome.exe
- behavioral2/memory/4564-34-0x0000000000EE0000-0x0000000000F64000-memory.dmp

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

Checks computer location settings (2 TTPs, 13 IoCs)
Looks up the country code configured in the registry, likely a geofence check. The same value is read by ordinary locale initialisation (Win32 GetUserGeoID, which .NET's RegionInfo uses), so on its own it is weak evidence; here it fires once from the original sample and once from every launch of the dropped copy.
- Key value queried: \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation by chrome.exe (12 IoCs) and by d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe (1 IoC)

Executes dropped EXE (15 IoCs)
PID / process: 4564 chrome.exe, 880 S^X.exe, 1856 chrome.exe, 1312 chrome.exe, 4992 chrome.exe, 4564 chrome.exe (PID recycled; see the process tree), 5096 chrome.exe, 4288 chrome.exe, 2372 chrome.exe, 4852 chrome.exe, 2328 chrome.exe, 4824 chrome.exe, 3344 chrome.exe, 1828 chrome.exe, 3088 chrome.exe

Loads dropped DLL (1 IoC)
PID / process: 4104 d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

Packer/protector YARA match (5 IoCs; the page carries no heading for this block, the rule name is themida)
YARA rule themida matched:
- C:\Users\Admin\AppData\Local\Temp\45b8c97f-5cf8-49f5-b76c-0fc91adff9fb\AgileDotNetRT.dll
- behavioral2/memory/4104-10-0x0000000072940000-0x0000000072F48000-memory.dmp
- behavioral2/memory/4104-11-0x0000000072940000-0x0000000072F48000-memory.dmp
- behavioral2/memory/4104-13-0x0000000072940000-0x0000000072F48000-memory.dmp
- behavioral2/memory/4104-39-0x0000000072940000-0x0000000072F48000-memory.dmp
Note: AgileDotNetRT.dll is the runtime of the Agile.NET protector for .NET, and the four dumps cover one region of PID 4104 (the process that loaded the dropped DLL), consistent with that DLL being mapped there. Treat the "themida" label as a heuristic protector hit rather than a confirmed Themida identification.

Checks whether UAC is enabled (1 IoC; heading restored from the process tree)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
PID / process: 4104 d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 14 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. All 14 invocations here register the same task name, System, with /sc ONLOGON, /rl HIGHEST and /f; /f overwrites an existing task of that name, so on a victim host only one task survives and it points at the last target registered, C:\Users\Admin\AppData\Roaming\chrome\chrome.exe (the first invocation targeted C:\Users\Admin\AppData\Roaming\chrome.exe).
schtasks.exe PIDs: 1608, 4764, 3228, 928, 4488, 4452, 3476, 2328, 1724, 3468, 3744, 2760, 3000, 636

Runs ping.exe (1 TTP, 12 IoCs)
Every invocation is ping -n 10 localhost from a batch file: cmd.exe has no sleep command, and ten echo requests to localhost, one second apart, give the script a delay of about nine seconds before it relaunches the payload.
PING.EXE PIDs: 4908, 1688, 1428, 1728, 3336, 4064, 4448, 1340, 4592, 3148, 2896, 1572

Suspicious use of AdjustPrivilegeToken (15 IoCs)
Token SeDebugPrivilege enabled by PID / process: 4564 chrome.exe, 1856 chrome.exe, 880 S^X.exe, 1312 chrome.exe, 4992 chrome.exe, 4564 chrome.exe, 5096 chrome.exe, 4288 chrome.exe, 2372 chrome.exe, 4852 chrome.exe, 2328 chrome.exe, 4824 chrome.exe, 3344 chrome.exe, 1828 chrome.exe, 3088 chrome.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Parent PID (image) wrote to the memory of child PID (image). Each spawn appears twice in the sandbox list (three times for S^X.exe), and the list stops at 64 entries, before the later iterations of the chain.
- 4104 (d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe) -> 4564 (chrome.exe), 880 (S^X.exe)
- 4564 (chrome.exe) -> 2328 (schtasks.exe), 1856 (chrome.exe)
- 1856 (chrome.exe) -> 636 (schtasks.exe), 2760 (cmd.exe)
- 2760 (cmd.exe) -> 1184 (chcp.com), 4908 (PING.EXE), 1312 (chrome.exe)
- 1312 (chrome.exe) -> 1724 (schtasks.exe), 4348 (cmd.exe)
- 4348 (cmd.exe) -> 5108 (chcp.com), 1688 (PING.EXE), 4992 (chrome.exe)
- 4992 (chrome.exe) -> 3468 (schtasks.exe), 3068 (cmd.exe)
- 3068 (cmd.exe) -> 2740 (chcp.com), 1428 (PING.EXE), 4564 (chrome.exe; PID recycled)
- 4564 (chrome.exe, second instance) -> 928 (schtasks.exe), 1128 (cmd.exe)
- 1128 (cmd.exe) -> 1712 (chcp.com), 1728 (PING.EXE), 5096 (chrome.exe)
- 5096 (chrome.exe) -> 3744 (schtasks.exe), 4432 (cmd.exe)
- 4432 (cmd.exe) -> 3280 (chcp.com), 4064 (PING.EXE), 4288 (chrome.exe)
- 4288 (chrome.exe) -> 2760 (schtasks.exe; PID recycled), 2772 (cmd.exe)
- 2772 (cmd.exe) -> 3360 (chcp.com)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
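The scheduled-task signatures above reduce to one concrete artefact on disk: a task named System with a logon trigger, RunLevel HighestAvailable and an action under the user's AppData. The block below is an added example, not code from the sandbox or from Quasar: it parses Task Scheduler XML of the kind schtasks /create writes under %SystemRoot%\System32\Tasks (UTF-16 with a byte-order mark) and scores it for that combination. The two task definitions, the decoy-name list and the user-writable path pattern are constructed assumptions for the example; tune them per environment.

```python
"""Hunt Task Scheduler XML for the persistence shape this sample registers.

Added example, not part of the sandbox report. QUASAR_TASK is constructed to
match what  schtasks /create /tn "System" /sc ONLOGON /tr "<AppData path>"
/rl HIGHEST /f  produces; BENIGN_TASK is a constructed maintenance-style task.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Assumptions for the example: where user-writable payloads tend to live, and
# task names that imitate OS or browser components.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.I)
DECOY_NAMES = {"system", "chrome", "update", "windows update"}


def load_task_xml(data: bytes) -> ET.Element:
    """Decode a task file (UTF-16 with BOM on real hosts) and strip the XML
    declaration; expat rejects a declared UTF-16 encoding on already-decoded text."""
    bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = data.decode("utf-16" if bom else "utf-8")
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text))


def parse_task(data: bytes) -> dict:
    """Pull out the four fields the /tn, /sc, /rl and /tr switches map to."""
    root = load_task_xml(data)
    return {
        "uri": root.findtext(f"{NS}RegistrationInfo/{NS}URI") or "",
        "logon_trigger": root.find(f"{NS}Triggers/{NS}LogonTrigger") is not None,
        "run_level": root.findtext(f"{NS}Principals/{NS}Principal/{NS}RunLevel") or "",
        "commands": [c.text or "" for c in root.iter(f"{NS}Command")],
    }


def assess_task(task: dict):
    """Return (suspicious, reasons). The bar is logon persistence, highest
    integrity and a payload in a user-writable directory, all at once."""
    reasons = []
    if task["uri"].rsplit("\\", 1)[-1].lower() in DECOY_NAMES:
        reasons.append(f"decoy task name {task['uri']}")
    if task["logon_trigger"]:
        reasons.append("logon trigger (/sc ONLOGON)")
    if task["run_level"] == "HighestAvailable":
        reasons.append("RunLevel HighestAvailable (/rl HIGHEST)")
    writable = [c for c in task["commands"] if USER_WRITABLE.search(c)]
    reasons += [f"command in user-writable path: {c}" for c in writable]
    suspicious = bool(task["logon_trigger"] and task["run_level"] == "HighestAvailable" and writable)
    return suspicious, reasons


def hunt_tasks_dir(root=r"C:\Windows\System32\Tasks"):
    """On a Windows host: walk the task store and yield (path, reasons) for hits."""
    for p in Path(root).rglob("*"):
        if p.is_file():
            suspicious, reasons = assess_task(parse_task(p.read_bytes()))
            if suspicious:
                yield str(p), reasons


# Constructed task definitions, encoded the way the Task Scheduler stores them.
QUASAR_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\System</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\Admin\\AppData\\Roaming\\chrome\\chrome.exe</Command>
  </Exec></Actions>
</Task>""".encode("utf-16")

BENIGN_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>""".encode("utf-16")


if __name__ == "__main__":
    for blob in (QUASAR_TASK, BENIGN_TASK):
        print(assess_task(parse_task(blob)))
```

On a live host, call hunt_tasks_dir() as an administrator; the task store is readable only with elevated rights. Scoring on the combination rather than any single field matters because logon triggers and HighestAvailable are common in legitimate tasks; the user-writable action path is what separates this sample's task from those.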
Processes
The tree below is reconstructed from the page's expandable process list; the bracketed number is the nesting depth shown there. Command lines for the dropped chrome.exe copies are just the quoted image path and are omitted. PIDs 4564, 2328, 2760 and 2772 each appear twice with different images: the sandbox recycled them after the earlier process exited, so correlate on (PID, parent, start time) rather than on PID alone. The same unit repeats thirteen times within the 151 s kernel time: re-register the System task, run a %TEMP% batch (chcp 65001, ping -n 10 localhost as a delay), relaunch chrome\chrome.exe from the same path.

[1] PID 4104  C:\Users\Admin\AppData\Local\Temp\d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
[2] PID 4564  C:\Users\Admin\AppData\Roaming\chrome.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[3] PID 2328  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
[3] PID 1856  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[4] PID 636  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
[4] PID 2760  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ebJgwbDB6XH3.bat" "
    - Suspicious use of WriteProcessMemory
[5] PID 1184  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[5] PID 4908  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[5] PID 1312  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[6] PID 1724  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: as PID 636 (target C:\Users\Admin\AppData\Roaming\chrome\chrome.exe)
    - Creates scheduled task(s)
[6] PID 4348  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hx2WKEygDu8s.bat" "
    - Suspicious use of WriteProcessMemory
[7] PID 5108  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[7] PID 1688  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[7] PID 4992  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[8] PID 3468  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: as PID 636
    - Creates scheduled task(s)
[8] PID 3068  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYG7Nicgm3qh.bat" "
    - Suspicious use of WriteProcessMemory
[9] PID 2740  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[9] PID 1428  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[9] PID 4564  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe  (PID recycled from the depth-2 chrome.exe)
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[10] PID 928  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: as PID 636
    - Creates scheduled task(s)
[10] PID 1128  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EcCdLwaLGUaV.bat" "
    - Suspicious use of WriteProcessMemory
[11] PID 1712  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[11] PID 1728  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[11] PID 5096  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[12] PID 3744  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: as PID 636
    - Creates scheduled task(s)
[12] PID 4432  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8WV6rw0wtRnt.bat" "
    - Suspicious use of WriteProcessMemory
[13] PID 3280  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[13] PID 4064  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[13] PID 4288  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[14] PID 2760  C:\Windows\SYSTEM32\schtasks.exe  (PID recycled from the depth-4 cmd.exe)
    cmdline: as PID 636
    - Creates scheduled task(s)
[14] PID 2772  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MWPNcA3pyFow.bat" "
    - Suspicious use of WriteProcessMemory
[15] PID 3360  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[15] PID 4448  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[15] PID 2372  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[16] PID 1608  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: as PID 636
    - Creates scheduled task(s)
[16] PID 376  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YnSDGTCVUhJf.bat" "
[17] PID 3316  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[17] PID 3336  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[17] PID 4852  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[18] PID 4488  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: as PID 636
    - Creates scheduled task(s)
[18] PID 3628  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\utC17BAm9Ug7.bat" "
[19] PID 3368  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[19] PID 1340  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[19] PID 2328  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe  (PID recycled from the depth-3 schtasks.exe)
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[20] PID 4764  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: as PID 636
    - Creates scheduled task(s)
[20] PID 4396  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zxvxjt5vT6a3.bat" "
[21] PID 3520  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[21] PID 4592  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[21] PID 4824  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[22] PID 4452  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: as PID 636
    - Creates scheduled task(s)
[22] PID 3640  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BexeV3zdPd2o.bat" "
[23] PID 2756  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[23] PID 3148  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[23] PID 3344  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[24] PID 3476  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: as PID 636
    - Creates scheduled task(s)
[24] PID 2648  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pxkcaaR1WBmk.bat" "
[25] PID 4876  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[25] PID 2896  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[25] PID 1828  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[26] PID 3228  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: as PID 636
    - Creates scheduled task(s)
[26] PID 4880  C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Zp3cv1V33DWA.bat" "
[27] PID 2772  C:\Windows\system32\chcp.com  (PID recycled from the depth-14 cmd.exe)
    cmdline: chcp 65001
[27] PID 1572  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - Runs ping.exe
[27] PID 3088  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[28] PID 3000  C:\Windows\SYSTEM32\schtasks.exe
    cmdline: as PID 636
    - Creates scheduled task(s)
[2] PID 880  C:\Users\Admin\AppData\Local\Temp\S^X.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
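Reduced to a detection, the tree above is one repeating unit: a chrome\chrome.exe instance registers the System task, then runs a %TEMP% .bat that executes chcp 65001, ping -n 10 localhost (the delay) and relaunches the same binary from the same path. The block below is an added example, not code from the sandbox or from Quasar: it rebuilds a process tree from creation events shaped like Sysmon Event ID 1 and flags that loop. The event list is constructed to mirror the report's first four iterations with the report's own PIDs and command lines; the launcher PID 1000 for the initial sample, and the path and command-line patterns, are assumptions.

```python
"""Rebuild the process chain from this report and flag the Quasar install loop.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's tree as (pid, ppid, image, command line) in creation order. Processes
are attached to the most recently created holder of their PPID, not to a
PID-keyed dict, because the sandbox recycled PIDs (4564 appears twice below).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: "Proc | None" = field(default=None, repr=False, compare=False)
    children: list = field(default_factory=list, repr=False, compare=False)


def build_tree(events):
    """Keeping only the latest instance per PID is what makes a recycled PID
    land under its real parent instead of merging two lineages."""
    latest, procs = {}, []
    for pid, ppid, image, cmdline in events:
        node = Proc(pid, image, cmdline)
        parent = latest.get(ppid)
        if parent is not None:
            node.parent = parent
            parent.children.append(node)
        latest[pid] = node
        procs.append(node)
    return procs


# Assumed patterns: the task shape from the report, ping used as a sleep,
# and user-writable drop directories.
TASK_RE = re.compile(r'/sc\s+onlogon\b.*?/tr\s+"([^"]+)".*?/rl\s+highest\b', re.I)
PING_SLEEP_RE = re.compile(r'\bping\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b', re.I)
USER_WRITABLE = re.compile(r'\\AppData\\(?:Roaming|Local)\\', re.I)


def find_install_loops(procs):
    """A hit is a cmd.exe whose children are chcp + ping-as-sleep + a relaunch of
    the parent's own image from a user-writable path, where that parent also
    registered an ONLOGON /rl HIGHEST task pointing at the same image."""
    hits = []
    for cmd in procs:
        if cmd.parent is None or not cmd.image.lower().endswith("\\cmd.exe"):
            continue
        parent_image = cmd.parent.image.lower()
        names = {c.image.lower().rsplit("\\", 1)[-1] for c in cmd.children}
        pings = [int(m.group(1)) for c in cmd.children
                 for m in [PING_SLEEP_RE.search(c.cmdline)] if m]
        relaunch = [c for c in cmd.children
                    if c.image.lower() == parent_image and USER_WRITABLE.search(c.image)]
        tasks = [m.group(1).lower() for s in cmd.parent.children
                 for m in [TASK_RE.search(s.cmdline)] if m]
        if "chcp.com" in names and pings and relaunch and parent_image in tasks:
            hits.append({"cmd_pid": cmd.pid, "batch": cmd.cmdline, "ping_count": max(pings),
                         "relaunched_pid": relaunch[0].pid, "task_target": cmd.parent.image})
    return hits


T = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
R = "C:\\Users\\Admin\\AppData\\Roaming\\"
S = "C:\\Windows\\system32\\"
SAMPLE, CHR = T + "d04352c69e8d56db5f9eb8f0b6573365_JaffaCakes118.exe", R + "chrome\\chrome.exe"
SCH, CMD, CHCP, PING = S + "schtasks.exe", S + "cmd.exe", S + "chcp.com", S + "PING.EXE"


def task_cmd(target):
    return f'"schtasks" /create /tn "System" /sc ONLOGON /tr "{target}" /rl HIGHEST /f'


def loop(parent_pid, task_pid, cmd_pid, chcp_pid, ping_pid, next_pid, batch):
    """One iteration of the chain exactly as the report shows it."""
    return [(task_pid, parent_pid, SCH, task_cmd(CHR)),
            (cmd_pid, parent_pid, CMD, f'{CMD} /c ""{T}{batch}.bat" "'),
            (chcp_pid, cmd_pid, CHCP, "chcp 65001"),
            (ping_pid, cmd_pid, PING, "ping -n 10 localhost"),
            (next_pid, cmd_pid, CHR, f'"{CHR}"')]


EVENTS = [
    (4104, 1000, SAMPLE, f'"{SAMPLE}"'),                    # PPID 1000 is assumed
    (4564, 4104, R + "chrome.exe", f'"{R}chrome.exe"'),
    (880, 4104, T + "S^X.exe", f'"{T}S^X.exe"'),
    (2328, 4564, SCH, task_cmd(R + "chrome.exe")),
    (1856, 4564, CHR, f'"{CHR}"'),
    *loop(1856, 636, 2760, 1184, 4908, 1312, "ebJgwbDB6XH3"),
    *loop(1312, 1724, 4348, 5108, 1688, 4992, "Hx2WKEygDu8s"),
    *loop(4992, 3468, 3068, 2740, 1428, 4564, "kYG7Nicgm3qh"),  # PID 4564 recycled here
    *loop(4564, 928, 1128, 1712, 1728, 5096, "EcCdLwaLGUaV"),   # and reused as a parent
]


def analyse(events=EVENTS):
    procs = build_tree(events)
    return procs, find_install_loops(procs)


if __name__ == "__main__":
    for hit in analyse()[1]:
        print(hit)
```

Keying on creation order is what keeps the second PID 4564 (a relaunched chrome\chrome.exe under cmd.exe 3068) apart from the first (the Roaming\chrome.exe dropped by the sample); a tree built from a PID-keyed dict would give 4564 two parents and merge their children, and a rule that counts "relaunches per PID" would undercount. Feeding real Sysmon Event ID 1 records (ProcessId, ParentProcessId, Image, CommandLine, ordered by UtcTime) into build_tree needs no change to the detection logic.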
Network
MITRE ATT&CK Enterprise v15
Downloads
Sixteen files were written during the run. The twelve 207-byte files have identical size but differing hashes, consistent with the twelve per-iteration .bat scripts launched from %TEMP% in the process tree; the page does not give file names.

Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 2.2MB
MD5: 2d86c4ad18524003d56c1cb27c549ba8
SHA1: 123007f9337364e044b87deacf6793c2027c8f47
SHA256: 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512: 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Filesize: 207B
MD5: 31d8f300ad9e800d062a5146aeb8bd07
SHA1: 3570d5e782bac76d7b62b27f19169b9b81831482
SHA256: 517cb5fad924fd85d9715b03bef3ac2e9476eb783ba5e65176b2864897248c60
SHA512: 1ca25afeff55f0d0e421317865134c9b6a7ad096820f4529fdd32efd54e19ba491f8243a17872f85e77735c8871ef3dfae53ff5e04ed2d30c82de21230639a40

Filesize: 207B
MD5: c1a7f6d29c7995b027b25763c94d1133
SHA1: 36214e3ff9549c1de66e562c25942991268b4a6c
SHA256: 740df59483e37a35d975d4f26e13357a3c699c24ffc75925112056d7f19f3805
SHA512: 25f6f3f7d9fca27d4dd28676148a3110854f91de9bf215ae394d409efaf2232b62d605c22215deb83dbf5624c30f67b7887df66985867876071e0337cc511b16

Filesize: 207B
MD5: 15f1ff39164cb9b3f4703bbed55e743c
SHA1: 4c5b85910ff3304cf85e0ea629df108c3479d78f
SHA256: 2ec3199065222917b9cdbba2e9a643fde5d7392ac088c72ecadab6e817bbd773
SHA512: 3990d18569ff9b0cd5f61e33b8ee1757d777b106f2836e3fe2de5b97c2823a9b9214c7dd3827ce1d9d4e2b3a7db2bcf2f41fe676caf60ee4f6e7ad3f28ebf645

Filesize: 207B
MD5: e9933e9799ae14cf8758c16037001676
SHA1: b52b4a5eb26a4cfdf045d340e313abc988ba5c17
SHA256: 83d9f3a44cbda7a58a7e78a03ce7b00fe2603b587d104d7d8224134f4e9bd917
SHA512: a07b3ea5162efa9c56ae0724cae0b39133f3dde8700299e8e381b4a98b85aeda5691c605e46808ff106f87ed361fe1a0bf0cd2b04542d32df9c139f0709599da

Filesize: 207B
MD5: e3eb8ab57a2a40bbdef9c33bf549ba38
SHA1: 5dcc9ac9182450b2d88d916e0f6aa6cd9171570f
SHA256: b718a2b6978215cd0098965030ca70e2a835420d5c3b002dbc395bae6149e7c7
SHA512: a3fe0211a0de1f49519038a8c71c6cf460c8de2f155bd859f3218182687e353e41f8e46fec7779ac81a1b007536631e3f1484b58592a1e2bd4ed61b50ee244bb

Filesize: 789KB
MD5: e2437ac017506bbde9a81fb1f618457b
SHA1: adef2615312b31e041ccf700b3982dd50b686c7f
SHA256: 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512: 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Filesize: 207B
MD5: 414f4325e4e796c231c29c48f0d5b0ed
SHA1: 989efa13d76886d292aaaa14c3b446540f44dafc
SHA256: 1d1aeb02ef775f8feec3c735ceb3bd01a053bfe459bf6fe4497215d7c5f7451e
SHA512: ef829a7ba5f44ea1b9011cc790a06eb6502413f30462ac2c2c83a21e91bfe64144d073ac21d4671f5d4671552256fd83aaa83ca697effed437a23464f9dbd649

Filesize: 207B
MD5: 0bfeba66d022cb806c5b662132f50cf8
SHA1: 697d0977017fd5fd7ecb7a8844c8040219a02c52
SHA256: 4385e64a481a6342868d41a886408ff1d4671867f0787e90f34f02da3a126800
SHA512: 8cfc58fc58ed292aa34ac953a0b0993a0e5ab5d38ba7c648dcaf38dcea3401f0f59dac2ec29b285f5569313689266e43f3197b7cff3d2da0eb29a878e2fee5f7

Filesize: 207B
MD5: 754a5abe1fc2eb7ae1417d8ffe9c3564
SHA1: 970be84bd2726bd198c08ba07bb5d78c7d41ba0f
SHA256: cebe9738f8b54e22053aeadf7598a33a997e34175d9491498590e4630b00405d
SHA512: 16ee215dfa74a4c000f542371c0fc2828011365b7361b60a6ff2126357a34a6fc602bf782a2dc5b5aa9a24e4e00502e0455998bc7f7f3718365ef8cf95cbbfec

Filesize: 207B
MD5: 67cbf0a6be8989ffa3f6b2b05ed34333
SHA1: ea56d88851947ae90bff5ebfb4bc684b566a692e
SHA256: 713f720655a407b26c226a2c2707c74bb9ad09ce7afdc67387170f87d79f4f75
SHA512: 7f7c8097365eb6af0de6588e2f6c0104894a1d64fc04c5c2d565816c57c7ae00c09bba7762f4031523b808d5fe44d85cad58f13ff8379f1a53d41e9d275af6c0

Filesize: 207B
MD5: da37be42ec03b459fd428b769a48cc82
SHA1: 58997d73d9fb05e2d10c401e4a961b173ae7ac6f
SHA256: 467b2d0b6318388108dbcd026e8ee6f7f46b49cdf68e3fa1274a4a7f25baaac6
SHA512: 0f867f1ad93db4803c83625a39968e9ebe17fe3a8c98009d30243dc9e2d3697bf3fb07a093593afe07dc5ced5e5d96fcf220dd418cbb21fe404c03ef45a300b2

Filesize: 207B
MD5: c14892ef1c8843a7c8dd6d15ea0b65c3
SHA1: d78952a4f89e69605e0ac71b2eb6552a505e9c7f
SHA256: cd1fef69695d8e1b70be877cbc6bb59eff737dab736a9592532310c43b165848
SHA512: 054a8d199b27ee72974334678455426583a99c49ab4436238c7e217933f4892264c9e9b60890c35152c7e59f0379e5890426a683844bc015083294fa3ec6fff0

Filesize: 207B
MD5: e1d0ead320cc3ae17a85ef42aedf483a
SHA1: 313524a09221fca349461c721acea2fa073d6a3a
SHA256: b427157ddb422513d4eb7a18f1ac19c77eb13cc75e9e1c84abe614a76e3627ae
SHA512: 4c14fc68a421fee939fbabe8209e7572a19561dc23a0a585bf209e233ffe9d9946214cf38d7d2936c235fb4a64eb91f04845aabb67d48d311614b705c2cb59b5

Filesize: 502KB
MD5: 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1: 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256: 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512: 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c