Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06-04-2024 05:18

Behavioral task: behavioral1
Sample: dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
Size: 6.0MB
MD5: dc341a4899e1a077f128b79dbe296954
SHA1: e1f1e167595b85784a78f2c3902a4e57082daff9
SHA256: c846b98acb1e0423fa8b07228f06e3816cd0d5c8c076ff8c847622731aec5562
SHA512: 978acecbb0cc55a3e8ede7ef78572e3c09ae42553a01de3e82ac8a5f085a937a43f90f0acabf2cfa80e05b1a570c05c41191cc5f76b03492cdfc9c6a2445f949
SSDEEP: 196608:HS35uBog53HRVu7vHDpS1IqBRU7kCs2q:HS3YBr53xVu7vHhqBa4Cs
Malware Config
Extracted
Family: quasar
Version: 1.4.0
Botnet: Chrome
C2: live.nodenet.ml:8863
Mutex: 754ce6d6-f75b-4c6f-964c-3996e749369e
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome

The extracted install settings line up with the observed behaviour: install_name and subdirectory give C:\Users\Admin\AppData\Roaming\chrome\chrome.exe, which is the path the dropped binary is executed from and relaunched from throughout the process tree, and startup_key "System" is the task name every schtasks /create call below uses. The C2 host:port and the mutex GUID are the durable indicators; the encryption_key is the Quasar build's settings key and is useful for matching other builds from the same builder configuration, not as a network indicator.
Signatures

Quasar payload 19 IoCs
Processes: (resource | yara_rule)
\Users\Admin\AppData\Roaming\chrome.exe | family_quasar
behavioral1/memory/2132-30-0x0000000000E60000-0x0000000000EE4000-memory.dmp | family_quasar
behavioral1/memory/2484-38-0x0000000000C10000-0x0000000000C94000-memory.dmp | family_quasar
behavioral1/memory/2624-56-0x00000000005F0000-0x0000000000670000-memory.dmp | family_quasar
behavioral1/memory/2204-68-0x0000000000C80000-0x0000000000D04000-memory.dmp | family_quasar
behavioral1/memory/2204-70-0x000000001B240000-0x000000001B2C0000-memory.dmp | family_quasar
behavioral1/memory/1860-82-0x00000000001A0000-0x0000000000224000-memory.dmp | family_quasar
behavioral1/memory/1860-84-0x000000001AF20000-0x000000001AFA0000-memory.dmp | family_quasar
behavioral1/memory/2180-96-0x00000000001C0000-0x0000000000244000-memory.dmp | family_quasar
behavioral1/memory/2180-98-0x000000001AE80000-0x000000001AF00000-memory.dmp | family_quasar
behavioral1/memory/2572-110-0x0000000000360000-0x00000000003E4000-memory.dmp | family_quasar
behavioral1/memory/2572-112-0x000000001B1D0000-0x000000001B250000-memory.dmp | family_quasar
behavioral1/memory/2852-124-0x0000000000270000-0x00000000002F4000-memory.dmp | family_quasar
behavioral1/memory/2852-126-0x0000000002070000-0x00000000020F0000-memory.dmp | family_quasar
behavioral1/memory/2644-138-0x0000000001350000-0x00000000013D4000-memory.dmp | family_quasar
behavioral1/memory/2644-140-0x000000001AD60000-0x000000001ADE0000-memory.dmp | family_quasar
behavioral1/memory/1552-177-0x000000001B0E0000-0x000000001B160000-memory.dmp | family_quasar
behavioral1/memory/1700-189-0x00000000013A0000-0x0000000001424000-memory.dmp | family_quasar
behavioral1/memory/1700-191-0x000000001B250000-0x000000001B2D0000-memory.dmp | family_quasar
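The memory-dump IoCs above all follow one naming scheme, task/memory/pid-seq-0xstart-0xend-memory.dmp, and the interesting fact is hidden in the hex: every region is either 0x84000 or 0x80000 bytes, whichever chrome.exe instance it came from. The script below, an added example rather than anything the sandbox or the report provides, parses those identifiers (copied verbatim from the list above) and groups the hits by region size, so an analyst can see at a glance that the same decrypted image sits in each relaunched process and one dump is enough for config extraction. The resource format is read off the strings themselves and the function names are my own.

```python
"""Parse the memory-dump IoC identifiers a Triage-style report lists under a yara hit.

Added example, not part of the report. The IoC strings in QUASAR_IOCS are copied
from the 'Quasar payload' signature; the resource naming convention
<task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is read off those strings
and the function names are my own.
"""
import re
from collections import defaultdict

QUASAR_IOCS = [
    (r"\Users\Admin\AppData\Roaming\chrome.exe", "family_quasar"),
    ("behavioral1/memory/2132-30-0x0000000000E60000-0x0000000000EE4000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2484-38-0x0000000000C10000-0x0000000000C94000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2624-56-0x00000000005F0000-0x0000000000670000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2204-68-0x0000000000C80000-0x0000000000D04000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2204-70-0x000000001B240000-0x000000001B2C0000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/1860-82-0x00000000001A0000-0x0000000000224000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/1860-84-0x000000001AF20000-0x000000001AFA0000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2180-96-0x00000000001C0000-0x0000000000244000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2180-98-0x000000001AE80000-0x000000001AF00000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2572-110-0x0000000000360000-0x00000000003E4000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2572-112-0x000000001B1D0000-0x000000001B250000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2852-124-0x0000000000270000-0x00000000002F4000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2852-126-0x0000000002070000-0x00000000020F0000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2644-138-0x0000000001350000-0x00000000013D4000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/2644-140-0x000000001AD60000-0x000000001ADE0000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/1552-177-0x000000001B0E0000-0x000000001B160000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/1700-189-0x00000000013A0000-0x0000000001424000-memory.dmp", "family_quasar"),
    ("behavioral1/memory/1700-191-0x000000001B250000-0x000000001B2D0000-memory.dmp", "family_quasar"),
]

MEM_DUMP = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_resource(resource):
    """Return a dict for a memory-dump resource, or None for a file-path IoC."""
    m = MEM_DUMP.match(resource)
    if m is None:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def summarise(iocs):
    """Split IoCs into file hits and memory hits, grouping the latter by region size.

    Identical sizes across many PIDs are the thing to look for: they mean the
    same decrypted image was present in each process, so one dump is enough
    for config extraction and the rest only confirm the relaunch chain.
    """
    files, by_size = [], defaultdict(set)
    for resource, rule in iocs:
        rec = parse_resource(resource)
        if rec is None:
            files.append((resource, rule))
        else:
            by_size[rec["size"]].add(rec["pid"])
    return files, {size: sorted(pids) for size, pids in by_size.items()}


if __name__ == "__main__":
    files, sizes = summarise(QUASAR_IOCS)
    for path, rule in files:
        print(f"file  {path}  ({rule})")
    for size, pids in sorted(sizes.items()):
        print(f"region size 0x{size:X} in {len(pids)} processes: {pids}")
```

Run as-is it reports one file hit and two region sizes, 0x80000 and 0x84000, each present in nine of the chrome.exe PIDs; the three processes with a single hit (2132, 2484, 1552) have only one of the two regions, which is worth remembering when picking a dump to carve.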
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: (description | ioc | process)
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: (description | ioc | process)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
Executes dropped EXE 14 IoCs
Processes: (pid | process)
2132 | chrome.exe
2644 | S^X.exe
2484 | chrome.exe
2624 | chrome.exe
2204 | chrome.exe
1860 | chrome.exe
2180 | chrome.exe
2572 | chrome.exe
2852 | chrome.exe
2644 | chrome.exe
1292 | chrome.exe
544 | chrome.exe
1552 | chrome.exe
1700 | chrome.exe
PID 2644 appears twice (first S^X.exe, later a chrome.exe relaunch) because the sandbox reused the PID after the first process exited; match IoCs on path and timing, not on PID alone.

Loads dropped DLL 3 IoCs
Processes: (pid | process)
756 | dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
756 | dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
756 | dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe

Themida packer 5 IoCs
Processes: (resource | yara_rule)
behavioral1/memory/756-9-0x0000000072B00000-0x0000000073108000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\f5e62d65-5f6c-40b2-b1cb-74dc607f952a\AgileDotNetRT.dll | themida
behavioral1/memory/756-12-0x0000000072B00000-0x0000000073108000-memory.dmp | themida
behavioral1/memory/756-10-0x0000000072B00000-0x0000000073108000-memory.dmp | themida
behavioral1/memory/756-27-0x0000000072B00000-0x0000000073108000-memory.dmp | themida
AgileDotNetRT.dll is the Agile.NET protector runtime, dropped to a GUID-named %TEMP% folder and loaded by PID 756. The packer-rule hits, the HideFromDebugger call and the VM/BIOS registry checks all come from that first-stage process; the Quasar payload itself only shows up in the chrome.exe children.

Checks whether UAC is enabled 1 IoCs
Processes: (description | ioc | process)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: (pid | process)
756 | dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: (pid | process)
3056 | schtasks.exe
588 | schtasks.exe
2844 | schtasks.exe
2388 | schtasks.exe
2148 | schtasks.exe
2196 | schtasks.exe
2896 | schtasks.exe
1948 | schtasks.exe
2704 | schtasks.exe
2012 | schtasks.exe
1628 | schtasks.exe
1756 | schtasks.exe
1856 | schtasks.exe
Runs ping.exe 1 TTPs 12 IoCs
Processes: (pid | process)
1312 | PING.EXE
1496 | PING.EXE
2412 | PING.EXE
2076 | PING.EXE
2284 | PING.EXE
2028 | PING.EXE
1268 | PING.EXE
2364 | PING.EXE
2812 | PING.EXE
1380 | PING.EXE
2024 | PING.EXE
2664 | PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes: (description | pid | process)
Token: SeDebugPrivilege | 2132 | chrome.exe
Token: SeDebugPrivilege | 2484 | chrome.exe
Token: SeDebugPrivilege | 2644 | S^X.exe
Token: SeDebugPrivilege | 2624 | chrome.exe
Token: SeDebugPrivilege | 2204 | chrome.exe
Token: SeDebugPrivilege | 1860 | chrome.exe
Token: SeDebugPrivilege | 2180 | chrome.exe
Token: SeDebugPrivilege | 2572 | chrome.exe
Token: SeDebugPrivilege | 2852 | chrome.exe
Token: SeDebugPrivilege | 2644 | chrome.exe
Token: SeDebugPrivilege | 1292 | chrome.exe
Token: SeDebugPrivilege | 544 | chrome.exe
Token: SeDebugPrivilege | 1552 | chrome.exe
Token: SeDebugPrivilege | 1700 | chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs
Processes: (pid | process)
2484 | chrome.exe
2624 | chrome.exe
2204 | chrome.exe
1860 | chrome.exe
2180 | chrome.exe
2572 | chrome.exe
2852 | chrome.exe
2644 | chrome.exe
1292 | chrome.exe
544 | chrome.exe
1552 | chrome.exe
1700 | chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: (source PID → target PID | source process → target process | number of logged writes)
756 → 2132 | dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe → chrome.exe | 4
756 → 2644 | dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe → S^X.exe | 4
2132 → 3056 | chrome.exe → schtasks.exe | 3
2132 → 2484 | chrome.exe → chrome.exe | 3
2484 → 1948 | chrome.exe → schtasks.exe | 3
2484 → 1712 | chrome.exe → cmd.exe | 3
1712 → 1976 | cmd.exe → chcp.com | 3
1712 → 2028 | cmd.exe → PING.EXE | 3
1712 → 2624 | cmd.exe → chrome.exe | 3
2624 → 2704 | chrome.exe → schtasks.exe | 3
2624 → 2856 | chrome.exe → cmd.exe | 3
2856 → 1296 | cmd.exe → chcp.com | 3
2856 → 1312 | cmd.exe → PING.EXE | 3
2856 → 2204 | cmd.exe → chrome.exe | 3
2204 → 2896 | chrome.exe → schtasks.exe | 3
2204 → 336 | chrome.exe → cmd.exe | 3
336 → 1192 | cmd.exe → chcp.com | 3
336 → 1496 | cmd.exe → PING.EXE | 3
336 → 1860 | cmd.exe → chrome.exe | 3
1860 → 1756 | chrome.exe → schtasks.exe | 3
1860 → 1036 | chrome.exe → cmd.exe | 2 (listing truncated at 64 IoCs)
Every target in this list is a child the source process had just created, so these are the parent-to-child writes that accompany process creation, not writes into an unrelated process; the report shows no evidence of injection into a pre-existing process.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
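The two behaviours that make this run detectable from endpoint telemetry are the scheduled task (a task named "System", /sc ONLOGON, /rl HIGHEST, whose action is an executable under %APPDATA%) and the relaunch cycle (cmd.exe runs a %TEMP%\*.bat that executes chcp 65001, sleeps with ping -n 10 localhost, then starts the AppData binary again, which is the batch file Quasar writes when it restarts itself). The script below is an added example, not something the sandbox or Quasar ships: it encodes both patterns as rules over a constructed, Sysmon-style list of process-creation events (pid, ppid, image, cmdline) that reproduces one relaunch cycle from the process tree plus one benign control event. The field names, rule names and the benign "Backup" task are my own.

```python
"""Flag the persistence and relaunch pattern from the report in process-creation events.

Added example, not something the sandbox or Quasar ships. EVENTS is a constructed,
Sysmon-style subset (pid, ppid, image, cmdline) that reproduces one relaunch cycle
from the report's process tree plus one benign control event; the field names and
rule names are my own.
"""
import re

APPDATA_CHROME = r"C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"

EVENTS = [
    {"pid": 2484, "ppid": 2132, "image": APPDATA_CHROME, "cmdline": f'"{APPDATA_CHROME}"'},
    {"pid": 1948, "ppid": 2484, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": f'"schtasks" /create /tn "System" /sc ONLOGON /tr "{APPDATA_CHROME}" /rl HIGHEST /f'},
    {"pid": 1712, "ppid": 2484, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\epiiK4DmS1uX.bat" "'},
    {"pid": 1976, "ppid": 1712, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 2028, "ppid": 1712, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 2624, "ppid": 1712, "image": APPDATA_CHROME, "cmdline": f'"{APPDATA_CHROME}"'},
    # Constructed benign control: a daily task whose action lives under Program Files.
    {"pid": 4000, "ppid": 3999, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'},
]

# Directories an unprivileged user can write to; a task action living here is the
# signal, whatever the task is called.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.IGNORECASE)
TR_ARG = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
PING_DELAY = re.compile(r"-n\s+\d+\s+(localhost|127\.0\.0\.1)", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_schtasks(ev):
    """Rule 1: schtasks /create whose /tr action is in a user-writable directory."""
    low = ev["cmdline"].lower()
    if basename(ev["image"]) != "schtasks.exe" or "/create" not in low:
        return None
    m = TR_ARG.search(ev["cmdline"])
    if m is None:
        return None
    action = m.group(1) or m.group(2)
    if not USER_WRITABLE.search(action):
        return None
    return {"rule": "schtasks_user_path_persistence", "pid": ev["pid"], "action": action,
            "onlogon": "/sc onlogon" in low, "highest": "/rl highest" in low}


def check_relaunch_chain(ev, children):
    """Rule 2: cmd.exe running a Temp .bat whose children are chcp, a ping sleep and a
    relaunch of an executable from a user-writable path (the sequence Quasar's
    restart batch file produces)."""
    low = ev["cmdline"].lower()
    if basename(ev["image"]) != "cmd.exe" or ".bat" not in low or "\\temp\\" not in low:
        return None
    names = {basename(c["image"]) for c in children}
    pings = [c for c in children if basename(c["image"]) == "ping.exe" and PING_DELAY.search(c["cmdline"])]
    relaunched = [c["pid"] for c in children
                  if basename(c["image"]) not in ("ping.exe", "chcp.com") and USER_WRITABLE.search(c["image"])]
    if "chcp.com" in names and pings and relaunched:
        return {"rule": "quasar_relaunch_script", "pid": ev["pid"], "relaunched": relaunched}
    return None


def detect(events):
    """Run both rules over a flat event list; returns one finding per matching event."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev["ppid"], []).append(ev)
    findings = []
    for ev in events:
        hit = check_schtasks(ev) or check_relaunch_chain(ev, by_parent.get(ev["pid"], []))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Rule 1 keys on where the task action lives rather than on the task name, because the name ("System" here) is a build-time setting the operator can change; rule 2 needs parent/child linkage, so it is fed the children of each cmd.exe and will not fire on a lone ping or chcp. The benign control task is reported by neither rule.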
Processes
Format: [depth] image  command line  PID, with the process's signature hits listed beneath it. Where the command line is only the quoted image path it is shown once. Each relaunch of chrome.exe runs one level deeper, which is why the tree reaches depth 27.

[1] "C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe"  PID:756
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
  [2] "C:\Users\Admin\AppData\Roaming\chrome.exe"  PID:2132
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f  PID:3056
        - Creates scheduled task(s)
    [3] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:2484
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:1948
          - Creates scheduled task(s)
      [4] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\epiiK4DmS1uX.bat" "  PID:1712
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\chcp.com  chcp 65001  PID:1976
        [5] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:2028
            - Runs ping.exe
        [5] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:2624
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:2704
              - Creates scheduled task(s)
          [6] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\dPWqKvEPozu1.bat" "  PID:2856
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\chcp.com  chcp 65001  PID:1296
            [7] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:1312
                - Runs ping.exe
            [7] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:2204
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:2896
                  - Creates scheduled task(s)
              [8] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\rUc6FxExhV9L.bat" "  PID:336
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\system32\chcp.com  chcp 65001  PID:1192
                [9] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:1496
                    - Runs ping.exe
                [9] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:1860
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:1756
                      - Creates scheduled task(s)
                  [10] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\9nDKVVRs8pxU.bat" "  PID:1036
                    [11] C:\Windows\system32\chcp.com  chcp 65001  PID:2900
                    [11] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:1268
                        - Runs ping.exe
                    [11] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:2180
                        - Executes dropped EXE
                        - Suspicious use of AdjustPrivilegeToken
                        - Suspicious use of SetWindowsHookEx
                      [12] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:2148
                          - Creates scheduled task(s)
                      [12] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\eteN9VcyOt7S.bat" "  PID:2020
                        [13] C:\Windows\system32\chcp.com  chcp 65001  PID:1596
                        [13] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:2364
                            - Runs ping.exe
                        [13] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:2572
                            - Executes dropped EXE
                            - Suspicious use of AdjustPrivilegeToken
                            - Suspicious use of SetWindowsHookEx
                          [14] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:2196
                              - Creates scheduled task(s)
                          [14] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\uaY08meXAlfp.bat" "  PID:2608
                            [15] C:\Windows\system32\chcp.com  chcp 65001  PID:3056
                            [15] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:2412
                                - Runs ping.exe
                            [15] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:2852
                                - Executes dropped EXE
                                - Suspicious use of AdjustPrivilegeToken
                                - Suspicious use of SetWindowsHookEx
                              [16] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:1856
                                  - Creates scheduled task(s)
                              [16] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\MZdxjiqEXlxr.bat" "  PID:2964
                                [17] C:\Windows\system32\chcp.com  chcp 65001  PID:2520
                                [17] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:2812
                                    - Runs ping.exe
                                [17] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:2644
                                    - Executes dropped EXE
                                    - Suspicious use of AdjustPrivilegeToken
                                    - Suspicious use of SetWindowsHookEx
                                  [18] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:2844
                                      - Creates scheduled task(s)
                                  [18] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\1RGYrPNTw2F8.bat" "  PID:2932
                                    [19] C:\Windows\system32\chcp.com  chcp 65001  PID:2260
                                    [19] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:1380
                                        - Runs ping.exe
                                    [19] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:1292
                                        - Executes dropped EXE
                                        - Suspicious use of AdjustPrivilegeToken
                                        - Suspicious use of SetWindowsHookEx
                                      [20] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:2012
                                          - Creates scheduled task(s)
                                      [20] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\BVoNILt52t5E.bat" "  PID:540
                                        [21] C:\Windows\system32\chcp.com  chcp 65001  PID:720
                                        [21] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:2076
                                            - Runs ping.exe
                                        [21] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:544
                                            - Executes dropped EXE
                                            - Suspicious use of AdjustPrivilegeToken
                                            - Suspicious use of SetWindowsHookEx
                                          [22] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:588
                                              - Creates scheduled task(s)
                                          [22] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\uOhOlQIUlFpL.bat" "  PID:1612
                                            [23] C:\Windows\system32\chcp.com  chcp 65001  PID:1256
                                            [23] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:2284
                                                - Runs ping.exe
                                            [23] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:1552
                                                - Executes dropped EXE
                                                - Suspicious use of AdjustPrivilegeToken
                                                - Suspicious use of SetWindowsHookEx
                                              [24] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:2388
                                                  - Creates scheduled task(s)
                                              [24] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\l2GeFzntWpPd.bat" "  PID:1680
                                                [25] C:\Windows\system32\chcp.com  chcp 65001  PID:888
                                                [25] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:2024
                                                    - Runs ping.exe
                                                [25] "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"  PID:1700
                                                    - Executes dropped EXE
                                                    - Suspicious use of AdjustPrivilegeToken
                                                    - Suspicious use of SetWindowsHookEx
                                                  [26] C:\Windows\system32\schtasks.exe  "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f  PID:1628
                                                      - Creates scheduled task(s)
                                                  [26] C:\Windows\system32\cmd.exe  cmd /c ""C:\Users\Admin\AppData\Local\Temp\soZntBZL0vRg.bat" "  PID:1600
                                                    [27] C:\Windows\system32\chcp.com  chcp 65001  PID:2888
                                                    [27] C:\Windows\system32\PING.EXE  ping -n 10 localhost  PID:2664
                                                        - Runs ping.exe
  [2] "C:\Users\Admin\AppData\Local\Temp\S^X.exe"  PID:2644
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 207B
MD5: 24a4c6a3c98b6bbd12f0b62b77ed2eac
SHA1: caa6f4a952ef6879b7b8c107596b3c950f23a9c1
SHA256: b972c96927196e099edbf220a9b8ace13578f1cacf6b6af40ad34bdff04a40c8
SHA512: d66c11d37464cfbb2bc0f9f6c60a1de4ea27ac2587439c78f46adaf5279c671f8763b2fc4586a983f6eb2b6fc3a6bfbeb2e4c370e619a2de86f0f589919c16e8

Filesize: 207B
MD5: 49dec89c1cd5361e4cd59a52d540ce26
SHA1: 268feeed015ebe0877478af77d20775036f37d6a
SHA256: d08ed8101b4491e6083a62603b2be5313c49017787c8b41ba402d22ad7e0f225
SHA512: 45deb2affaa1729def9de523973438722033964ab3b9d811cbc16b08e1655ab9be0356199ca6372eff21995d808a9dac50358cb59394a523373e114154c28468

Filesize: 207B
MD5: a7612c5846249d33640989628bb18b26
SHA1: 4033e6dbe12898b472922feab3250a791ee38be8
SHA256: 0c507445575ddf5a5f08b80e2df51827d5909f0e4be8847b13fac4af9d5a8ee0
SHA512: 569868764f73364428e388c1ba6b05bb52d8059f62c469b8dc7cf082f70dbb4464e691f33fd9a965ac602370e21d1d4dcdafcfe1084b415973bf3d96c1eb0339

Filesize: 207B
MD5: 218be4464c6b1279cc8e59207bb739c8
SHA1: 1fbdfd2ced62ad7ce2243dabb8684d66f234a1cc
SHA256: 1fc0f194d425f3a88374e29eeb0ae7ecafaccb9766929523ec4ad0d898c6c81d
SHA512: dd2924e8a91ca369317d0113fb06b30dfacbe6d8ce7fab2bfbc45e0c19f547c720f7dcccb9504550395c09d3ee9b7c38448528d1d5c15a464f65c38e8e34dc26

Filesize: 207B
MD5: c2f927abc4f8433831217c1aa252216c
SHA1: bcebc4b4b1cbf59948dd0f418dbed6262c8293a1
SHA256: 9ad556dd7fae605fc4f32afb62c4cf75dd77dbdf4fd69cdacbc522f7ee6b0e82
SHA512: 1feca5f9e70bf60fd91b02b18a828d8be16d83423659b5b0e4a3aca3165be329bc9a2c99d427db5cef0d7460e3b250cb628a796b9df2d367bbccecfd7051127c

Filesize: 207B
MD5: aecf95f2467ca67c980bf88294a830fe
SHA1: aa81e43b6e33e1b438329ad9c92841d351729f65
SHA256: b38966951c33bd0874da50ad35a5bfe094b4ecf28e9687278f6534150172f418
SHA512: 24537d4ae8df52a93ff32a32b06dbd850d4183afd0703caf7ea53af866bf6828b41e57c6473b78f449a4b1dbafeb88bfb59486532bb39356b3cb09ea5aaacd3c

Filesize: 207B
MD5: e65cadcf4464205bae64b52da827f170
SHA1: e22b9340993f972a16d74ba3966e06843ae35898
SHA256: b0deb962f48f25a81cec93e7c25d2d0d27357c904ab9bd1560029285ff24d7da
SHA512: 2d8b1cb01186345e083bf32273192a86bf38333615adda51d33f55be8e5a6e958ca95669bc06880b4f731ee24a6e43f44a7f4cf17580ef7b6db3dfee66d6013a

Filesize: 2.2MB
MD5: 2d86c4ad18524003d56c1cb27c549ba8
SHA1: 123007f9337364e044b87deacf6793c2027c8f47
SHA256: 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
SHA512: 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Filesize: 207B
MD5: 471b604f9186d1d592fa9d461a451a02
SHA1: 119b3df8ebf6c6f3f54a3083ed50a681eb464026
SHA256: e48c09380a745484152168cc79fe67177c332d813904913a7fc4bb76e355e95b
SHA512: 4dc61190ae22789b5eb5a931c9ef3cb11ef292e08f3e7d4033870331b0fd7b818903ad4d803eef87a49b2d719b8843e6d1383482ae0dd923f14333e9e30e697b

Filesize: 207B
MD5: c740d5064f000a5976ca47a390ca7b72
SHA1: 045078d9a4a967c20d539fcc51787af4d0beadc1
SHA256: 5eb90627a5a4403287afd170b02f24a2605c8cf334c3025ff6cb7b887e21f7e9
SHA512: cb13b34bfad58a80ea69c5a6dce9131055db8e0fe897fb4bdd95900c00e7e11be6344686c140ed0baccfc255736a96ed8a5eb3f57f6f2cc01fa809a0ff4e4b30

Filesize: 207B
MD5: 875554688f30810ca3bc538d67bb1a07
SHA1: 2788c3cfd384acee4383eed4ae0cac12eb67b7b3
SHA256: 15935066ab8e44e496280090c39f4f7afee9cdf3a76c57a0040f199ee9e35a44
SHA512: 8abaf3d1fccc240d4c301419b633451428176d9122b527a8419c70d8a262d1d6585ab4bd9f3752baa9bfc97f5abf4f42f7c154dac068e92017346bb80f283ba5

Filesize: 207B
MD5: 79433b974f9edf89764d359c209d4cf3
SHA1: 930dae2645535e15bb387195f909ac6a70b91615
SHA256: 80b0f895b01eaefc8e4fd5408c96a8c7fc66673652a2c1adf3b8c615742c3c3e
SHA512: bd35ae8ac6dbbb300951780fd229c072e716898333cb91a1494a106b02e8a22c63b8728d3bd02921b607367dea48017abaff4590b6433efe5db602e1abdaa0f6

Filesize: 207B
MD5: d12358bc7eeea6eeef15d6c99bd8aed6
SHA1: cebf5e2e474da208d00788d0841557318b4751fb
SHA256: 49179ca03657b0d2c08eeab8d3cf474f33f1ae9e8a0ab693b6d2d2e32a815aeb
SHA512: 61399d843c57f7bb4df2a382ad303d61fde7e2ce2815e0d9a50a36d4c6ab1cc452c0165e2454f78601494364c606496af71fd333174e3d442bdd4a95adc08786

Filesize: 789KB
MD5: e2437ac017506bbde9a81fb1f618457b
SHA1: adef2615312b31e041ccf700b3982dd50b686c7f
SHA256: 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
SHA512: 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Filesize: 502KB
MD5: 92479f1615fd4fa1dd3ac7f2e6a1b329
SHA1: 0a6063d27c9f991be2053b113fcef25e071c57fd
SHA256: 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
SHA512: 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c