Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2024, 11:18
Behavioral task: behavioral1
Sample: JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
Resource: win7-20241023-en

Note: the analysis metadata above and every IoC path below (behavioral2/files/..., behavioral2/memory/...) come from the Windows 10 (win10v2004-20241007-en) run. The win7 task is listed here as part of the same submission, but none of its results appear on this page.
General

Target: JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
Size: 6.7MB
MD5: 178ea6b2fe4a5d53f40b4c4ef74f7448
SHA1: 27581d9ec136e2cc3de4b5f6ed91cbee3ee86108
SHA256: 27810441ae1cf22aff376877945394e6430f4e8a0ce907f809880e173a851d35
SHA512: cfce210fb940b4fb4f58946925d81a14d905644a80113194cb75eed087109f9ebb21da3edfaffeee5ecc56105dfd6eef38bbb3dfb897ecbde85624a29ec4e4ed
SSDEEP: 196608:sHtgOOkds8GSt6cg53HRVu7vHDpS1IqBRU7kCs2q:sNa8GSQv53xVu7vHhqBa4Cs
Malware Config

Extracted: quasar
  Version: 1.4.0
  Tag: Chrome
  C2: live.nodenet.ml:8863
  Mutex: 754ce6d6-f75b-4c6f-964c-3996e749369e
  encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
  install_name: chrome.exe
  log_directory: Logs
  reconnect_delay: 3000 (milliseconds)
  startup_key: System
  subdirectory: chrome

The first four values are shown without field names on the report page; Version and C2 are unambiguous, while Tag and Mutex are the labels these positions carry in Quasar's client configuration (a campaign tag and a GUID mutex). The remaining fields line up with the process tree below: install_name under subdirectory gives the install path C:\Users\Admin\AppData\Roaming\chrome\chrome.exe that every relaunched copy runs from, and startup_key is the scheduled-task name ("System") that every schtasks call registers.
Signatures

Quasar family

Quasar payload (2 IoCs)
  yara rule family_quasar:
    behavioral2/files/0x000a000000023b65-19.dat
    behavioral2/memory/2256-39-0x0000000000670000-0x0000000000700000-memory.dmp

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Checks computer location settings (2 TTPs, 16 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation
    once by JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe and 15 times by chrome.exe (one query per chrome\chrome.exe instance in the process tree)

Executes dropped EXE (17 IoCs)
  chrome.exe PIDs: 2256, 2476, 3128, 2404, 1004, 2876, 876, 316, 4120, 1452, 836, 404, 1476, 3632, 4280, 1424
  S^X.exe PID: 1188

Loads dropped DLL (1 IoC)
  PID 4700 JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Themida-protected code (yara rule themida, 5 IoCs)
  behavioral2/files/0x000a000000023b64-8.dat
  behavioral2/memory/4700-10-0x0000000072900000-0x0000000072F08000-memory.dmp
  behavioral2/memory/4700-12-0x0000000072900000-0x0000000072F08000-memory.dmp
  behavioral2/memory/4700-13-0x0000000072900000-0x0000000072F08000-memory.dmp
  behavioral2/memory/4700-40-0x0000000072900000-0x0000000072F08000-memory.dmp
  The file hit is a dropped file; the four memory hits are the same region of the parent process (PID 4700), the process that also loaded the dropped DLL.

Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 4700 JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by S^X.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE PIDs: 3360, 5060, 5044, 3092, 2688, 4968, 4296, 4912, 676, 4060, 3108, 1424, 2536, 2920, 1004
  Caveat: every one of these is "ping -n 10 localhost" launched from a dropped batch file (see the process tree). It pings the loopback address, so it is a delay of roughly ten seconds before the payload is relaunched, not a connectivity check.

Runs ping.exe (1 TTP, 15 IoCs)
  PING.EXE PIDs: 2536, 2688, 4968, 4912, 676, 3360, 1424, 2920, 4060, 5044, 5060, 4296, 3092, 3108, 1004 (the same 15 processes as above)

Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe PIDs: 2272, 4960, 4784, 3796, 3776, 1108, 3288, 3508, 4120, 5084, 3980, 4008, 2808, 3480, 1976, 3800
  All 16 run the same command, schtasks /create /tn "System" /sc ONLOGON /tr "<path to chrome.exe>" /rl HIGHEST /f; the task name is the startup_key from the extracted config. The first (PID 3508) points at C:\Users\Admin\AppData\Roaming\chrome.exe, the other 15 at C:\Users\Admin\AppData\Roaming\chrome\chrome.exe.

Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Token: SeDebugPrivilege, requested by every dropped executable: chrome.exe PIDs 2256, 2476, 1188 (S^X.exe), 3128, 2404, 1004, 2876, 876, 316, 4120, 1452, 836, 404, 1476, 3632, 4280, 1424

Suspicious use of WriteProcessMemory (64 IoCs)
  Each entry is "parent PID wrote to memory of child PID" with Triage's procid_target index in brackets. In this tree every target is a child the writer has just created, so these are process-creation writes rather than injection into an unrelated process.
  4700 JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe -> 2256 [83] (x2), 1188 [84] (x3)
  2256 chrome.exe -> 3508 [85] (x2), 2476 [87] (x2)
  2476 chrome.exe -> 4120 [88] (x2), 2668 [90] (x2)
  2668 cmd.exe -> 868 [92] (x2), 676 [93] (x2), 3128 [96] (x2)
  3128 chrome.exe -> 3480 [97] (x2), 1280 [100] (x2)
  1280 cmd.exe -> 2324 [102] (x2), 4060 [103] (x2), 2404 [113] (x2)
  2404 chrome.exe -> 4960 [114] (x2), 1508 [117] (x2)
  1508 cmd.exe -> 4052 [119] (x2), 3360 [120] (x2), 1004 [129] (x2)
  1004 chrome.exe -> 3776 [130] (x2), 2724 [133] (x2)
  2724 cmd.exe -> 2588 [135] (x2), 3092 [136] (x2), 2876 [138] (x2)
  2876 chrome.exe -> 1108 [139] (x2), 3464 [142] (x2)
  3464 cmd.exe -> 4032 [144] (x2), 2536 [145] (x2), 876 [147] (x2)
  876 chrome.exe -> 1976 [148] (x2), 996 [151] (x2)
  996 cmd.exe -> 2680 [153] (x1; the list stops at the 64-entry cap)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

PID 4700 (depth 1)  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  PID 2256 (depth 2)  C:\Users\Admin\AppData\Roaming\chrome.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\chrome.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    PID 3508 (depth 3)  C:\Windows\SYSTEM32\schtasks.exe
      cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task

    PID 2476 (depth 3)  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      PID 4120 (depth 4)  C:\Windows\SYSTEM32\schtasks.exe
        cmdline: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        - Scheduled Task/Job: Scheduled Task

      PID 2668 (depth 4)  C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOU1HGnUKHAC.bat" "
        - Suspicious use of WriteProcessMemory

        PID 868 (depth 5)  C:\Windows\system32\chcp.com
          cmdline: chcp 65001

        PID 676 (depth 5)  C:\Windows\system32\PING.EXE
          cmdline: ping -n 10 localhost
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe

        PID 3128 (depth 5)  C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
          same command line and signatures as PID 2476; it is the parent of the next iteration in the table below

  PID 1188 (depth 2)  C:\Users\Admin\AppData\Local\Temp\S^X.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

Relaunch loop. From PID 2476 onward the tree repeats one pattern at every second depth: chrome\chrome.exe registers the "System" ONLOGON task, runs cmd.exe /c on a freshly dropped Temp\<random>.bat, that batch runs chcp 65001 and ping -n 10 localhost (a delay of roughly ten seconds) and then starts chrome\chrome.exe again, which becomes the next iteration's parent. Fifteen iterations were recorded before the run ended; the last chrome.exe (PID 1424, depth 31) had started its batch but no further chrome.exe when the analysis stopped. Each row below is one iteration; the command lines are identical apart from the PIDs and the batch file name:

  schtasks.exe: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  cmd.exe:      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\<batch>" "
  chcp.com:     chcp 65001
  PING.EXE:     ping -n 10 localhost

  depth | chrome\chrome.exe | schtasks.exe | cmd.exe | batch (Temp\)     | chcp.com | PING.EXE | next chrome\chrome.exe
    3   | 2476              | 4120         | 2668    | kOU1HGnUKHAC.bat  | 868      | 676      | 3128 (depth 5)
    5   | 3128              | 3480         | 1280    | JalL1Rjbvymw.bat  | 2324     | 4060     | 2404 (depth 7)
    7   | 2404              | 4960         | 1508    | DnCcqCMDNAWy.bat  | 4052     | 3360     | 1004 (depth 9)
    9   | 1004              | 3776         | 2724    | 1yFm9ydhw0il.bat  | 2588     | 3092     | 2876 (depth 11)
   11   | 2876              | 1108         | 3464    | x8LwyAXYYUw0.bat  | 4032     | 2536     | 876 (depth 13)
   13   | 876               | 1976         | 996     | 4D8yBHCvQwdK.bat  | 2680     | 3108     | 316 (depth 15)
   15   | 316               | 3800         | 3488    | Ox01UrlbVNFZ.bat  | 2384     | 5060     | 4120 (depth 17)
   17   | 4120              | 4784         | 624     | GKdhxK3WX72H.bat  | 2052     | 5044     | 1452 (depth 19)
   19   | 1452              | 3288         | 4300    | zjCF0V7zMMPL.bat  | 3788     | 1424     | 836 (depth 21)
   21   | 836               | 3796         | 4788    | qnEUkWOxqgkh.bat  | 4184     | 2688     | 404 (depth 23)
   23   | 404               | 5084         | 4740    | RcoSYStZd9fg.bat  | 1900     | 4968     | 1476 (depth 25)
   25   | 1476              | 3980         | 4576    | VBc961ArAvJc.bat  | 3536     | 2920     | 3632 (depth 27)
   27   | 3632              | 4008         | 5016    | 9f0P1EXpkfGK.bat  | 3372     | 1004     | 4280 (depth 29)
   29   | 4280              | 2808         | 4312    | y332AYIqE2Xo.bat  | 5112     | 4912     | 1424 (depth 31)
   31   | 1424              | 2272         | 1372    | cgiKgnV2PILy.bat  | 2944     | 4296     | (none recorded)

Signatures on the processes in the table:
  - chrome\chrome.exe (all rows): Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken. PIDs 2476, 3128, 2404, 1004, 2876 and 876 additionally carry Suspicious use of WriteProcessMemory.
  - schtasks.exe (all rows): Scheduled Task/Job: Scheduled Task.
  - cmd.exe: Suspicious use of WriteProcessMemory on PIDs 2668, 1280, 1508, 2724, 3464 and 996 only. That signature's IoC list is capped at 64 entries and ends with PID 996 writing to 2680, so later cmd.exe and chrome.exe instances are not tagged with it even though they behave identically.
  - PING.EXE (all rows): System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe.
  - chcp.com: no signatures.

PID reuse: 4120 is a schtasks.exe at depth 4 and a chrome.exe at depth 17, 1004 is a chrome.exe at depth 9 and a PING.EXE at depth 29, and 1424 is a PING.EXE at depth 19 and a chrome.exe at depth 31. Windows recycled these PIDs during the run, so a PID on its own does not identify a process in this report; pair it with the image name or the depth.
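The two behaviours the tree above shows, a HIGHEST-privilege ONLOGON task whose action lives under the user's profile and a cmd.exe batch that sleeps on ping -n 10 localhost before relaunching the install path, are the parts of this report worth turning into detection logic. The script below is an added example, not code from the Triage report or from Quasar itself. It derives the install path and task name that the extracted config predicts, then runs two checks over process-creation events. The event shape (pid, ppid, image, cmdline) is an assumption about whatever telemetry you have, the C:\Users\Admin\AppData\Roaming prefix is the sandbox user's profile from the tree, and SAMPLE_EVENTS is constructed from the report's command lines (first loop iteration plus a benign control task); it is not sandbox output.

```python
"""Added example, not part of the Triage report or of Quasar's own code.
Derives the host artifacts the extracted Quasar config predicts, then checks
process-creation events for two behaviours in the report's process tree: an
ONLOGON task whose action lives in a user-writable path, and the cmd.exe ->
chcp/ping -> relaunch batch chain.  The event shape (pid, ppid, image,
cmdline) is assumed; SAMPLE_EVENTS is constructed from the report's command
lines and is not sandbox output."""
import re
from dataclasses import dataclass

# Values as extracted on the page (Malware Config); version and key omitted.
QUASAR_CONFIG = {"c2": "live.nodenet.ml:8863", "install_name": "chrome.exe",
                 "subdirectory": "chrome", "startup_key": "System"}
APPDATA = r"C:\Users\Admin\AppData\Roaming"  # assumption: sandbox user profile


def expected_artifacts(cfg, appdata=APPDATA):
    """Install path, task name and C2 endpoint implied by the config."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {"install_path": "\\".join([appdata, cfg["subdirectory"], cfg["install_name"]]),
            "task_name": cfg["startup_key"], "c2_host": host, "c2_port": int(port)}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Locations a standard user can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Users\\Public\\|\\Temp\\", re.I)


def _flag(cmdline, name):
    """Value of a schtasks /name argument, quoted or bare; None if absent."""
    m = re.search(r'/' + name + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))


def schtasks_finding(ev, artifacts):
    """schtasks /create whose action runs from a user-writable path."""
    if not ev.image.lower().endswith("\\schtasks.exe") or "/create" not in ev.cmdline.lower():
        return None
    action, task = _flag(ev.cmdline, "tr") or "", _flag(ev.cmdline, "tn") or ""
    if not USER_WRITABLE.search(action):
        return None
    return {"type": "schtasks_persistence", "pid": ev.pid, "task_name": task,
            "schedule": (_flag(ev.cmdline, "sc") or "").upper(),
            "run_level": (_flag(ev.cmdline, "rl") or "").upper(), "action": action,
            # True when the task is exactly the one the config predicts.
            "matches_config": task == artifacts["task_name"]
            and action.lower() == artifacts["install_path"].lower()}


def relaunch_finding(ev, children, artifacts):
    """cmd.exe running a Temp\\*.bat whose children include ping -n N localhost
    and a fresh copy of the configured install path (the restart batch)."""
    if not ev.image.lower().endswith("\\cmd.exe") or not re.search(r'\\Temp\\[^"]+\.bat', ev.cmdline, re.I):
        return None
    kids = children.get(ev.pid, [])
    ping = None
    for k in kids:
        if k.image.lower().endswith("\\ping.exe"):
            ping = re.search(r"-n\s+(\d+)\s+localhost", k.cmdline, re.I)
    relaunch = [k for k in kids if k.image.lower() == artifacts["install_path"].lower()]
    if not (ping and relaunch):
        return None
    return {"type": "ping_delayed_relaunch", "pid": ev.pid,
            "ping_count": int(ping.group(1)), "relaunch_pid": relaunch[0].pid}


def detect_quasar_chain(events, cfg=QUASAR_CONFIG):
    """Run both checks over ProcEvent records; findings come back in event order."""
    artifacts, children = expected_artifacts(cfg), {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    return [f for e in events
            for f in (schtasks_finding(e, artifacts), relaunch_finding(e, children, artifacts)) if f]


_T = r"C:\Users\Admin\AppData\Local\Temp"
_ORIG = _T + r"\JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe"
_SCHTASKS = r"C:\Windows\SYSTEM32\schtasks.exe"
_TASK = '"schtasks" /create /tn "System" /sc ONLOGON /tr "{}" /rl HIGHEST /f'
_INSTALL = APPDATA + r"\chrome\chrome.exe"
# Constructed from the first loop iteration of the report's tree plus a benign
# control task.  PIDs are distinct here; the report itself reuses 4120, 1004
# and 1424 for different processes, so real data needs a process GUID as key.
SAMPLE_EVENTS = [
    ProcEvent(4700, 1000, _ORIG, '"' + _ORIG + '"'),
    ProcEvent(2256, 4700, APPDATA + r"\chrome.exe", '"' + APPDATA + r'\chrome.exe"'),
    ProcEvent(3508, 2256, _SCHTASKS, _TASK.format(APPDATA + r"\chrome.exe")),
    ProcEvent(2476, 2256, _INSTALL, '"' + _INSTALL + '"'),
    ProcEvent(4120, 2476, _SCHTASKS, _TASK.format(_INSTALL)),
    ProcEvent(2668, 2476, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""' + _T + r'\kOU1HGnUKHAC.bat" "'),
    ProcEvent(868, 2668, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(676, 2668, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(3128, 2668, _INSTALL, '"' + _INSTALL + '"'),
    ProcEvent(5000, 1000, _SCHTASKS,
              r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /rl LIMITED'),
]
```

On the sample the first schtasks (PID 3508) is flagged but has matches_config False because its action is Roaming\chrome.exe rather than the configured Roaming\chrome\chrome.exe, exactly as in the tree; the second (PID 4120) matches the config, the relaunch check fires on cmd.exe 2668 with ping_count 10 and relaunch_pid 3128, and the Program Files daily task is not reported. The schtasks check is deliberately family-agnostic (any /create whose action sits in a user-writable path), while matches_config ties a hit back to this sample's configuration.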
TTP mapping: MITRE ATT&CK Enterprise v15
Downloads (dropped files)

Fifteen of the nineteen files are 207 bytes each with different hashes, one for each of the fifteen Temp\<random>.bat restart scripts in the process tree. The report does not say which of the remaining four (1KB, 2.2MB, 789KB, 554KB) is which dropped executable or DLL.

Filesize: 1KB
  MD5: baf55b95da4a601229647f25dad12878
  SHA1: abc16954ebfd213733c4493fc1910164d825cac8
  SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
  SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Filesize: 207B
  MD5: 78a4b47526f333324af466ea1d523de2
  SHA1: d2b6fc7c901f28f82f4dafbc7249afdd932e256e
  SHA256: 5db013b7b9007749358b0df61aed15d9b976de65d678379e2ced1c72371e8f83
  SHA512: 4ae5ccad558f1bf1b1d67cbd4138765005f2adb42b33dc0c92e35edc8d53790ea705129224d59dccce575fccf1d0ad7cbd222a9ad2d17924de941c044dbffbe5

Filesize: 207B
  MD5: 18e9830fc76254e3b40059012ac5171d
  SHA1: 3a298df372714ee88aff88963440520ede60514d
  SHA256: 4e2c91b3ef5a6c489157f8b1463b0153f319b829578328e2cffbb477d80f4836
  SHA512: 0bb4bedc1f0b0bc88a5621e769c8ef29e3efe0490fda6f2bf57140f39afadd2947b3d419b9fe8d9f5ff3305deed6856986e7e6d10aeb4818d7f66cc93ad77d07

Filesize: 2.2MB
  MD5: 2d86c4ad18524003d56c1cb27c549ba8
  SHA1: 123007f9337364e044b87deacf6793c2027c8f47
  SHA256: 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
  SHA512: 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c

Filesize: 207B
  MD5: 7ef0956348af45ca53c2a95981954786
  SHA1: a6e23e9e44db90b6c8145db0d0c01c0701cb9797
  SHA256: a8e65fe9ca5447419bfe59c9faacf69efdfe8cadca099a53c771fcf41085227e
  SHA512: 895a4ce4f0c516766644aedfdb08e1b7520003414d1982fff6bc7457cf20c5f9a1f853441c34671c4f057e1e1bbb03bb3567fac34383cf634a0bf931fccb6319

Filesize: 207B
  MD5: dffb76141ad48aa3e8d975e6af2d33bd
  SHA1: 69e2aec3c5a8701b1f6bc009b64ebd42f914c90f
  SHA256: 6dd7cdce1de165f4c7df9c3c0e814d752da195dfa13119fd716eeb973bc4c67b
  SHA512: 911fa44f13b3b1d2dd620a4cb9d15497342600549e323dbe03e55fcb5ba6591af2f11bf64800bb221bfbcf8d6702d21b7d58edda87f5f3b667a504140c7504cc

Filesize: 207B
  MD5: af0f9afce8e7d28edaa276822e0343a7
  SHA1: c3c251318246a676824f4df7bbc4be48a3d385a3
  SHA256: 2176647c7516c9ecaac3e3e928266feae7a3cb931da7d1a3090ec80b6429d163
  SHA512: 7433202bdd849fba616ba41f662909ad11fae8a9e5e6d88699019fd39a06d66d621d400701e6bbee3f67dd5a268f13299247ab3842632bbc28dd516b5b8ff359

Filesize: 207B
  MD5: 3a058d19c497e863e5301afc8cf2a589
  SHA1: 49290e82df23eb2bb34b1a6ca7a224721f5bbca3
  SHA256: ce50367243b572065d7559c7c140a341c434a38c865cbfa28ffae24534bb54b7
  SHA512: aab269a0ef8de89e2b2550412acec1a6505ba2ed8d59e04d3f10dbab41847991cb14a419a5f9f891b949ea5157896c27e9cf94ff46804bd6560ce09eb970bdad

Filesize: 207B
  MD5: d18fd57d6bac8dfb501efd78fb933f7f
  SHA1: 099143b221a5b95a623754f4b2b39e6c359fa2e3
  SHA256: e858af8f119f5d502769e06cfa4830cdcb329e3c766af7a18a287837cabe9b8f
  SHA512: ed2edaef1541d1562e4ce2669bb9390242d7046988e18ff00ebe9a602071fb1817ff3bf0eb35858bd40b390222324e6058296d98b4dc2077ca90995099d7ba53

Filesize: 207B
  MD5: 1955ed1791625f1ee48866706d7929e5
  SHA1: 5080e708e063ceeceb574101010d5eda64d3f5a8
  SHA256: 97a4456100014dbfbbf19a81a581c323db1cfb4d1c8f10c43fbb22f96dc266d0
  SHA512: 79b19d72e02089c031b280847a6b80a12492bc46fb03385a1c16234d1e3762c7305ff195996366500303208093d1c9c6e8cbbb8dbd1d94678ac22167386b8280

Filesize: 789KB
  MD5: e2437ac017506bbde9a81fb1f618457b
  SHA1: adef2615312b31e041ccf700b3982dd50b686c7f
  SHA256: 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
  SHA512: 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019

Filesize: 207B
  MD5: 0ad0c9b474b14052cafe30ffd13e0092
  SHA1: 89e93b6b4a11afefbaa2bdf6d936c0ee361c86d8
  SHA256: 4aa6684c80c1b3068a0c8d08f6958de6425868368a045e1533db70b4a1b43ad4
  SHA512: c8a57c7c98e8f9ae03207af416b9cdd8e73c0e94db62693c815291afc7f06f1e4ea32e7d4d6e58f5e97b82fbdfff53d8b0803146d73204398a9c3d3968372071

Filesize: 207B
  MD5: 2673ace75d89c9233b9b5c1b39c50f6b
  SHA1: 9eeca7499caed79c4642f18ddc8a825059a766f2
  SHA256: 1be32fff074a55bd1aee5f12dff67c49ed6282072a3bb90465d0cc2331326037
  SHA512: 5eef1003ca7dd90f824000a1aaf6a4c3f415d554dee87c9fb51bacbb1d544e81647e117f9a933ef21121d405920c26e1c7b67b3ae7a2b609bc54497054169eeb

Filesize: 207B
  MD5: 690bac95102f38b43b55991dffc9e7a6
  SHA1: 0fc44928c7ce0ac6e7cfd4c0f9dc00e358bebcc6
  SHA256: b5d496243bf12a50035099639dc0bf72141e8c1c576282d041bce7133afcfe59
  SHA512: 70738266676bdfa8294d10e82745d8065b51d6c0299811c0dd99255a501fc56ab0a2ddef1edfc422a3c30b6e3d9e05193e947eb4efaa9fa9d37de42f629e99a3

Filesize: 207B
  MD5: 71a098f49423044491d4ef4cf0b1c6b0
  SHA1: 40b612c67ba0e2c39bac3c9db1e1335c2c347f47
  SHA256: 155253ad75660b9c43225a4e007cb5b001e892d78a8a720052eb6d53d7b4b272
  SHA512: fdb784d2180c9281b27cfd696fc9328d1f4472c05b233ed5a3eef602efc00e26ea96be65ba58c0c8bf08415f20be9df409ec513f4ca900c8d021a7cc04462676

Filesize: 207B
  MD5: 15f988d1f67f860aedc6019f5c0f4a1c
  SHA1: dd12a1fe3ef39f9ae9fa684884aebb79518832eb
  SHA256: d2888f3be666f2579614c90733e0fe398b2c4bb05cc352cac4fffde47420c35f
  SHA512: 08436f3adc9316584513b3c1ad6ee2bea41db094ac32d8702f431afd8bc0305ad2db2139f827db26723257cf329be36249c68ffbed1e88d11be316de8b91da8d

Filesize: 207B
  MD5: 09f8a49298854dc9513228a24849d81d
  SHA1: 8034a5298aaf2c48ad971960eb76a4524c872b13
  SHA256: 353367a9da2e56d6fcc22638c824b3b56f6e918219d24738146b85fa8b566e45
  SHA512: 1277dac20c48e054c2c7de831f8b495de9b9bd4f4a8c019af9cd704b28405a9b9853b5d9f9b7e46f5a733f2150dd12fa87ab7b3fcc8579f574643db8a4f3d3e2

Filesize: 207B
  MD5: 41df9cb13ce3cc2d95474b93697a5588
  SHA1: de899754f7b7171fe8fef06955fd0db720fe5479
  SHA256: b9d1aaf08b90e39699cea2f2b892aeb0d3c4d3425323d5fed0cf9854748fed2c
  SHA512: b60dba3eec048ce653b5447838c61a4cfc5564241246de6739796fa8b1c5f410d8d4fa1ac2bd0a984d57cc8125c4173312ffdc0315d588d07a125502bbae07ac

Filesize: 554KB
  MD5: 2589204aeb19a1d261d5823ca05dd542
  SHA1: 292de66a43c8ddfab44cd16020434a7349e546a4
  SHA256: db92bc93c4836e5db7564cb101233e0c169d3fd5aa6b231538080061ec385be8
  SHA512: cafad1246160eb9843ebeb0de5f9cf17a89341d8c91940644d3fe294dd04ad29d579382f1b97bf7ad29b4be053e11febfc189dd7e12dd22dd27f892cb945572c