Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-04-2024 05:18

Behavioral task: behavioral1
Sample: dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
Resource: win7-20240221-en

General

Target: dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
Size: 6.0MB
MD5: dc341a4899e1a077f128b79dbe296954
SHA1: e1f1e167595b85784a78f2c3902a4e57082daff9
SHA256: c846b98acb1e0423fa8b07228f06e3816cd0d5c8c076ff8c847622731aec5562
SHA512: 978acecbb0cc55a3e8ede7ef78572e3c09ae42553a01de3e82ac8a5f085a937a43f90f0acabf2cfa80e05b1a570c05c41191cc5f76b03492cdfc9c6a2445f949
SSDEEP: 196608:HS35uBog53HRVu7vHDpS1IqBRU7kCs2q:HS3YBr53xVu7vHhqBa4Cs
Malware Config

Extracted
Family: quasar
Version: 1.4.0
Chrome
C2: live.nodenet.ml:8863
754ce6d6-f75b-4c6f-964c-3996e749369e
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
Signatures

Quasar payload (2 IoCs)
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Roaming\chrome.exe                                     family_quasar
  behavioral2/memory/2088-39-0x0000000000DB0000-0x0000000000E34000-memory.dmp  family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
  description  ioc                                           process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                             process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe

Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                          process
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation  chrome.exe

Executes dropped EXE (17 IoCs)
Processes:
  pid   process
  2088  chrome.exe
  1596  S^X.exe
  1156  chrome.exe
  516   chrome.exe
  4732  chrome.exe
  3900  chrome.exe
  1156  chrome.exe
  1516  chrome.exe
  2480  chrome.exe
  1096  chrome.exe
  3500  chrome.exe
  2300  chrome.exe
  2092  chrome.exe
  1232  chrome.exe
  1448  chrome.exe
  4196  chrome.exe
  4792  chrome.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  4084  dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
Processes:
  resource                                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\f5e62d65-5f6c-40b2-b1cb-74dc607f952a\AgileDotNetRT.dll     themida
  behavioral2/memory/4084-11-0x00000000726B0000-0x0000000072CB8000-memory.dmp                  themida
  behavioral2/memory/4084-10-0x00000000726B0000-0x0000000072CB8000-memory.dmp                  themida
  behavioral2/memory/4084-13-0x00000000726B0000-0x0000000072CB8000-memory.dmp                  themida
  behavioral2/memory/4084-38-0x00000000726B0000-0x0000000072CB8000-memory.dmp                  themida
Checks whether UAC is enabled
Processes:
  description        ioc                                                                              process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid   process
  4084  dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  3740  schtasks.exe
  1044  schtasks.exe
  1144  schtasks.exe
  3008  schtasks.exe
  3648  schtasks.exe
  2360  schtasks.exe
  4580  schtasks.exe
  3436  schtasks.exe
  4084  schtasks.exe
  5088  schtasks.exe
  748   schtasks.exe
  4616  schtasks.exe
  2152  schtasks.exe
  2348  schtasks.exe
  5088  schtasks.exe
  3212  schtasks.exe

Runs ping.exe (1 TTP, 15 IoCs)
Processes:
  pid   process
  2972  PING.EXE
  2976  PING.EXE
  4060  PING.EXE
  2904  PING.EXE
  1184  PING.EXE
  1252  PING.EXE
  2472  PING.EXE
  1312  PING.EXE
  4448  PING.EXE
  1336  PING.EXE
  4532  PING.EXE
  4660  PING.EXE
  3116  PING.EXE
  796   PING.EXE
  4388  PING.EXE

Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2088  chrome.exe
  Token: SeDebugPrivilege  1156  chrome.exe
  Token: SeDebugPrivilege  1596  S^X.exe
  Token: SeDebugPrivilege  516   chrome.exe
  Token: SeDebugPrivilege  4732  chrome.exe
  Token: SeDebugPrivilege  3900  chrome.exe
  Token: SeDebugPrivilege  1156  chrome.exe
  Token: SeDebugPrivilege  1516  chrome.exe
  Token: SeDebugPrivilege  2480  chrome.exe
  Token: SeDebugPrivilege  1096  chrome.exe
  Token: SeDebugPrivilege  3500  chrome.exe
  Token: SeDebugPrivilege  2300  chrome.exe
  Token: SeDebugPrivilege  2092  chrome.exe
  Token: SeDebugPrivilege  1232  chrome.exe
  Token: SeDebugPrivilege  1448  chrome.exe
  Token: SeDebugPrivilege  4196  chrome.exe
  Token: SeDebugPrivilege  4792  chrome.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  1232  chrome.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                       source process -> target process
  PID 4084 wrote to memory of 2088  dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe -> chrome.exe
  PID 4084 wrote to memory of 2088  dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe -> chrome.exe
  PID 4084 wrote to memory of 1596  dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe -> S^X.exe
  PID 4084 wrote to memory of 1596  dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe -> S^X.exe
  PID 4084 wrote to memory of 1596  dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe -> S^X.exe
  PID 2088 wrote to memory of 5088  chrome.exe -> schtasks.exe
  PID 2088 wrote to memory of 5088  chrome.exe -> schtasks.exe
  PID 2088 wrote to memory of 1156  chrome.exe -> chrome.exe
  PID 2088 wrote to memory of 1156  chrome.exe -> chrome.exe
  PID 1156 wrote to memory of 1144  chrome.exe -> schtasks.exe
  PID 1156 wrote to memory of 1144  chrome.exe -> schtasks.exe
  PID 1156 wrote to memory of 1292  chrome.exe -> cmd.exe
  PID 1156 wrote to memory of 1292  chrome.exe -> cmd.exe
  PID 1292 wrote to memory of 1912  cmd.exe -> chcp.com
  PID 1292 wrote to memory of 1912  cmd.exe -> chcp.com
  PID 1292 wrote to memory of 4660  cmd.exe -> PING.EXE
  PID 1292 wrote to memory of 4660  cmd.exe -> PING.EXE
  PID 1292 wrote to memory of 516   cmd.exe -> chrome.exe
  PID 1292 wrote to memory of 516   cmd.exe -> chrome.exe
  PID 516 wrote to memory of 2348   chrome.exe -> schtasks.exe
  PID 516 wrote to memory of 2348   chrome.exe -> schtasks.exe
  PID 516 wrote to memory of 2324   chrome.exe -> cmd.exe
  PID 516 wrote to memory of 2324   chrome.exe -> cmd.exe
  PID 2324 wrote to memory of 4288  cmd.exe -> chcp.com
  PID 2324 wrote to memory of 4288  cmd.exe -> chcp.com
  PID 2324 wrote to memory of 1252  cmd.exe -> PING.EXE
  PID 2324 wrote to memory of 1252  cmd.exe -> PING.EXE
  PID 2324 wrote to memory of 4732  cmd.exe -> chrome.exe
  PID 2324 wrote to memory of 4732  cmd.exe -> chrome.exe
  PID 4732 wrote to memory of 3008  chrome.exe -> schtasks.exe
  PID 4732 wrote to memory of 3008  chrome.exe -> schtasks.exe
  PID 4732 wrote to memory of 4580  chrome.exe -> cmd.exe
  PID 4732 wrote to memory of 4580  chrome.exe -> cmd.exe
  PID 4580 wrote to memory of 3548  cmd.exe -> chcp.com
  PID 4580 wrote to memory of 3548  cmd.exe -> chcp.com
  PID 4580 wrote to memory of 2972  cmd.exe -> PING.EXE
  PID 4580 wrote to memory of 2972  cmd.exe -> PING.EXE
  PID 4580 wrote to memory of 3900  cmd.exe -> chrome.exe
  PID 4580 wrote to memory of 3900  cmd.exe -> chrome.exe
  PID 3900 wrote to memory of 5088  chrome.exe -> schtasks.exe
  PID 3900 wrote to memory of 5088  chrome.exe -> schtasks.exe
  PID 3900 wrote to memory of 5064  chrome.exe -> cmd.exe
  PID 3900 wrote to memory of 5064  chrome.exe -> cmd.exe
  PID 5064 wrote to memory of 4404  cmd.exe -> chcp.com
  PID 5064 wrote to memory of 4404  cmd.exe -> chcp.com
  PID 5064 wrote to memory of 3116  cmd.exe -> PING.EXE
  PID 5064 wrote to memory of 3116  cmd.exe -> PING.EXE
  PID 5064 wrote to memory of 1156  cmd.exe -> chrome.exe
  PID 5064 wrote to memory of 1156  cmd.exe -> chrome.exe
  PID 1156 wrote to memory of 2360  chrome.exe -> schtasks.exe
  PID 1156 wrote to memory of 2360  chrome.exe -> schtasks.exe
  PID 1156 wrote to memory of 2912  chrome.exe -> cmd.exe
  PID 1156 wrote to memory of 2912  chrome.exe -> cmd.exe
  PID 2912 wrote to memory of 1348  cmd.exe -> chcp.com
  PID 2912 wrote to memory of 1348  cmd.exe -> chcp.com
  PID 2912 wrote to memory of 2976  cmd.exe -> PING.EXE
  PID 2912 wrote to memory of 2976  cmd.exe -> PING.EXE
  PID 2912 wrote to memory of 1516  cmd.exe -> chrome.exe
  PID 2912 wrote to memory of 1516  cmd.exe -> chrome.exe
  PID 1516 wrote to memory of 748   chrome.exe -> schtasks.exe
  PID 1516 wrote to memory of 748   chrome.exe -> schtasks.exe
  PID 1516 wrote to memory of 2444  chrome.exe -> cmd.exe
  PID 1516 wrote to memory of 2444  chrome.exe -> cmd.exe
  PID 2444 wrote to memory of 1232  cmd.exe -> chcp.com

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (depth = nesting level in the process tree)

[depth 1] PID 4084  C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\dc341a4899e1a077f128b79dbe296954_JaffaCakes118.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

[depth 2] PID 2088  C:\Users\Admin\AppData\Roaming\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 3] PID 5088  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 3] PID 1156  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 4] PID 1144  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 4] PID 1292  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1bcwDI9ZzdbU.bat" "
  - Suspicious use of WriteProcessMemory

[depth 5] PID 1912  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 5] PID 4660  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 5] PID 516  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 6] PID 2348  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 6] PID 2324  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P3XYE0RMFpwq.bat" "
  - Suspicious use of WriteProcessMemory

[depth 7] PID 4288  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 7] PID 1252  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 7] PID 4732  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 8] PID 3008  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 8] PID 4580  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcXVvJuX29w2.bat" "
  - Suspicious use of WriteProcessMemory

[depth 9] PID 3548  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 9] PID 2972  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 9] PID 3900  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 10] PID 5088  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 10] PID 5064  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KFHHv4tFihO4.bat" "
  - Suspicious use of WriteProcessMemory

[depth 11] PID 4404  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 11] PID 3116  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 11] PID 1156  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 12] PID 2360  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 12] PID 2912  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IwIgadkqClWn.bat" "
  - Suspicious use of WriteProcessMemory

[depth 13] PID 1348  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 13] PID 2976  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 13] PID 1516  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

[depth 14] PID 748  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 14] PID 2444  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuafNpHtG3hM.bat" "
  - Suspicious use of WriteProcessMemory

[depth 15] PID 1232  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 15] PID 4060  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 15] PID 2480  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 16] PID 4616  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 16] PID 2412  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WkqzKyrqvuBW.bat" "

[depth 17] PID 5068  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 17] PID 2472  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 17] PID 1096  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 18] PID 3648  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 18] PID 4772  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ChydoFuXeWzN.bat" "

[depth 19] PID 2932  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 19] PID 796  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 19] PID 3500  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 20] PID 4580  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 20] PID 400  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JUBG2vx63FaN.bat" "

[depth 21] PID 5032  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 21] PID 4388  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 21] PID 2300  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 22] PID 3436  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 22] PID 2504  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m6CgtusJuu8X.bat" "

[depth 23] PID 3204  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 23] PID 1312  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 23] PID 2092  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 24] PID 3212  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 24] PID 2912  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuNiUC0L5bJz.bat" "

[depth 25] PID 628  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 25] PID 4532  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 25] PID 1232  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

[depth 26] PID 2152  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 26] PID 3340  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6r8TIeKIzgpw.bat" "

[depth 27] PID 4332  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 27] PID 1336  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 27] PID 1448  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 28] PID 3740  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 28] PID 384  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQJ0JIJfh5pl.bat" "

[depth 29] PID 1584  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 29] PID 4448  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 29] PID 4196  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 30] PID 4084  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 30] PID 4764  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IlWr6TIJnEw0.bat" "

[depth 31] PID 3544  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 31] PID 2904  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 31] PID 4792  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 32] PID 1044  C:\Windows\SYSTEM32\schtasks.exe
  cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Creates scheduled task(s)

[depth 32] PID 4952  C:\Windows\system32\cmd.exe
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9WE5wigB7ji3.bat" "

[depth 33] PID 2176  C:\Windows\system32\chcp.com
  cmdline: chcp 65001

[depth 33] PID 1184  C:\Windows\system32\PING.EXE
  cmdline: ping -n 10 localhost
  - Runs ping.exe

[depth 2] PID 1596  C:\Users\Admin\AppData\Local\Temp\S^X.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads