Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 01/01/2025, 12:24
Behavioral task
behavioral1
Sample
JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Resource
win7-20241010-en
General
Target: JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Size: 6.6MB
MD5: 54fd1c1af0f12d1ff54ab8901e9ce266
SHA1: f50e95582506de109115a2d46c9d2fae6caa238d
SHA256: c563c2586cc408faf2c05f25fcddb9049e8432d76f6fea16556f75d6ad380ce3
SHA512: 21c45d652b2433a9ecc042bec756708e94dd7b648187d24efd178e0eae639e7a541cfe83cca443204cd1dd95e3e6b0b1cd7d62b495efa02cf073b9a4a2628c26
SSDEEP: 196608:m+AJG9mLg53HRVu7vHDpS1IqBRU7kCs2q:m3Q9j53xVu7vHhqBa4Cs
Malware Config
Extracted
quasar
1.4.0
Chrome
live.nodenet.ml:8863
754ce6d6-f75b-4c6f-964c-3996e749369e
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
Signatures
- Quasar family
- Quasar payload (7 IoCs)
  resource | yara_rule
  behavioral1/files/0x000900000001756b-16.dat | family_quasar
  behavioral1/memory/2860-30-0x00000000013E0000-0x0000000001464000-memory.dmp | family_quasar
  behavioral1/memory/2940-36-0x00000000012E0000-0x0000000001364000-memory.dmp | family_quasar
  behavioral1/memory/2280-77-0x00000000001E0000-0x0000000000264000-memory.dmp | family_quasar
  behavioral1/memory/2884-89-0x0000000000020000-0x00000000000A4000-memory.dmp | family_quasar
  behavioral1/memory/2684-100-0x0000000001060000-0x00000000010E4000-memory.dmp | family_quasar
  behavioral1/memory/2992-132-0x00000000012D0000-0x0000000001354000-memory.dmp | family_quasar
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
- Executes dropped EXE (13 IoCs)
  pid | Process
  2860 | chrome.exe
  2380 | S^X.exe
  2940 | chrome.exe
  2796 | chrome.exe
  2164 | chrome.exe
  2168 | chrome.exe
  2280 | chrome.exe
  2884 | chrome.exe
  2684 | chrome.exe
  1708 | chrome.exe
  1572 | chrome.exe
  2992 | chrome.exe
  1528 | chrome.exe
- Loads dropped DLL (3 IoCs)
  pid | Process
  2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
  2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
  2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
- themida (YARA rule match, 5 IoCs)
  resource | yara_rule
  behavioral1/files/0x000d000000016fc9-6.dat | themida
  behavioral1/memory/2092-9-0x0000000074090000-0x0000000074698000-memory.dmp | themida
  behavioral1/memory/2092-10-0x0000000074090000-0x0000000074698000-memory.dmp | themida
  behavioral1/memory/2092-12-0x0000000074090000-0x0000000074698000-memory.dmp | themida
  behavioral1/memory/2092-29-0x0000000074090000-0x0000000074698000-memory.dmp | themida
- Checks whether UAC is enabled (1 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid | Process
  2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | S^X.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 11 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  2096 | PING.EXE
  1676 | PING.EXE
  2680 | PING.EXE
  2384 | PING.EXE
  2720 | PING.EXE
  1252 | PING.EXE
  2168 | PING.EXE
  1724 | PING.EXE
  876 | PING.EXE
  1864 | PING.EXE
  2212 | PING.EXE
- Runs ping.exe (1 TTPs, 11 IoCs)
  pid | Process
  2212 | PING.EXE
  2384 | PING.EXE
  2720 | PING.EXE
  2096 | PING.EXE
  1676 | PING.EXE
  2168 | PING.EXE
  1724 | PING.EXE
  2680 | PING.EXE
  876 | PING.EXE
  1864 | PING.EXE
  1252 | PING.EXE
- Scheduled Task/Job: Scheduled Task (1 TTPs, 12 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2324 | schtasks.exe
  1800 | schtasks.exe
  664 | schtasks.exe
  2128 | schtasks.exe
  1020 | schtasks.exe
  2916 | schtasks.exe
  2380 | schtasks.exe
  2364 | schtasks.exe
  768 | schtasks.exe
  2536 | schtasks.exe
  1652 | schtasks.exe
  2928 | schtasks.exe
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2860 | chrome.exe
  Token: SeDebugPrivilege | 2380 | S^X.exe
  Token: SeDebugPrivilege | 2940 | chrome.exe
  Token: SeDebugPrivilege | 2796 | chrome.exe
  Token: SeDebugPrivilege | 2164 | chrome.exe
  Token: SeDebugPrivilege | 2168 | chrome.exe
  Token: SeDebugPrivilege | 2280 | chrome.exe
  Token: SeDebugPrivilege | 2884 | chrome.exe
  Token: SeDebugPrivilege | 2684 | chrome.exe
  Token: SeDebugPrivilege | 1708 | chrome.exe
  Token: SeDebugPrivilege | 1572 | chrome.exe
  Token: SeDebugPrivilege | 2992 | chrome.exe
  Token: SeDebugPrivilege | 1528 | chrome.exe
- Suspicious use of SetWindowsHookEx (11 IoCs)
  pid | Process
  2940 | chrome.exe
  2796 | chrome.exe
  2164 | chrome.exe
  2168 | chrome.exe
  2280 | chrome.exe
  2884 | chrome.exe
  2684 | chrome.exe
  1708 | chrome.exe
  1572 | chrome.exe
  2992 | chrome.exe
  1528 | chrome.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 2092 wrote to memory of 2860 | 2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 30
  PID 2092 wrote to memory of 2860 | 2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 30
  PID 2092 wrote to memory of 2860 | 2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 30
  PID 2092 wrote to memory of 2860 | 2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 30
  PID 2092 wrote to memory of 2380 | 2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 31
  PID 2092 wrote to memory of 2380 | 2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 31
  PID 2092 wrote to memory of 2380 | 2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 31
  PID 2092 wrote to memory of 2380 | 2092 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 31
  PID 2860 wrote to memory of 2324 | 2860 | chrome.exe | 32
  PID 2860 wrote to memory of 2324 | 2860 | chrome.exe | 32
  PID 2860 wrote to memory of 2324 | 2860 | chrome.exe | 32
  PID 2860 wrote to memory of 2940 | 2860 | chrome.exe | 34
  PID 2860 wrote to memory of 2940 | 2860 | chrome.exe | 34
  PID 2860 wrote to memory of 2940 | 2860 | chrome.exe | 34
  PID 2940 wrote to memory of 1800 | 2940 | chrome.exe | 35
  PID 2940 wrote to memory of 1800 | 2940 | chrome.exe | 35
  PID 2940 wrote to memory of 1800 | 2940 | chrome.exe | 35
  PID 2940 wrote to memory of 2608 | 2940 | chrome.exe | 37
  PID 2940 wrote to memory of 2608 | 2940 | chrome.exe | 37
  PID 2940 wrote to memory of 2608 | 2940 | chrome.exe | 37
  PID 2608 wrote to memory of 520 | 2608 | cmd.exe | 39
  PID 2608 wrote to memory of 520 | 2608 | cmd.exe | 39
  PID 2608 wrote to memory of 520 | 2608 | cmd.exe | 39
  PID 2608 wrote to memory of 2680 | 2608 | cmd.exe | 40
  PID 2608 wrote to memory of 2680 | 2608 | cmd.exe | 40
  PID 2608 wrote to memory of 2680 | 2608 | cmd.exe | 40
  PID 2608 wrote to memory of 2796 | 2608 | cmd.exe | 41
  PID 2608 wrote to memory of 2796 | 2608 | cmd.exe | 41
  PID 2608 wrote to memory of 2796 | 2608 | cmd.exe | 41
  PID 2796 wrote to memory of 664 | 2796 | chrome.exe | 42
  PID 2796 wrote to memory of 664 | 2796 | chrome.exe | 42
  PID 2796 wrote to memory of 664 | 2796 | chrome.exe | 42
  PID 2796 wrote to memory of 1600 | 2796 | chrome.exe | 44
  PID 2796 wrote to memory of 1600 | 2796 | chrome.exe | 44
  PID 2796 wrote to memory of 1600 | 2796 | chrome.exe | 44
  PID 1600 wrote to memory of 1488 | 1600 | cmd.exe | 46
  PID 1600 wrote to memory of 1488 | 1600 | cmd.exe | 46
  PID 1600 wrote to memory of 1488 | 1600 | cmd.exe | 46
  PID 1600 wrote to memory of 876 | 1600 | cmd.exe | 47
  PID 1600 wrote to memory of 876 | 1600 | cmd.exe | 47
  PID 1600 wrote to memory of 876 | 1600 | cmd.exe | 47
  PID 1600 wrote to memory of 2164 | 1600 | cmd.exe | 48
  PID 1600 wrote to memory of 2164 | 1600 | cmd.exe | 48
  PID 1600 wrote to memory of 2164 | 1600 | cmd.exe | 48
  PID 2164 wrote to memory of 2128 | 2164 | chrome.exe | 49
  PID 2164 wrote to memory of 2128 | 2164 | chrome.exe | 49
  PID 2164 wrote to memory of 2128 | 2164 | chrome.exe | 49
  PID 2164 wrote to memory of 768 | 2164 | chrome.exe | 51
  PID 2164 wrote to memory of 768 | 2164 | chrome.exe | 51
  PID 2164 wrote to memory of 768 | 2164 | chrome.exe | 51
  PID 768 wrote to memory of 1676 | 768 | cmd.exe | 53
  PID 768 wrote to memory of 1676 | 768 | cmd.exe | 53
  PID 768 wrote to memory of 1676 | 768 | cmd.exe | 53
  PID 768 wrote to memory of 1864 | 768 | cmd.exe | 54
  PID 768 wrote to memory of 1864 | 768 | cmd.exe | 54
  PID 768 wrote to memory of 1864 | 768 | cmd.exe | 54
  PID 768 wrote to memory of 2168 | 768 | cmd.exe | 55
  PID 768 wrote to memory of 2168 | 768 | cmd.exe | 55
  PID 768 wrote to memory of 2168 | 768 | cmd.exe | 55
  PID 2168 wrote to memory of 1652 | 2168 | chrome.exe | 56
  PID 2168 wrote to memory of 1652 | 2168 | chrome.exe | 56
  PID 2168 wrote to memory of 1652 | 2168 | chrome.exe | 56
  PID 2168 wrote to memory of 2028 | 2168 | chrome.exe | 58
  PID 2168 wrote to memory of 2028 | 2168 | chrome.exe | 58
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe"
  PID: 2092
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

Depth 2: C:\Users\Admin\AppData\Roaming\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
  PID: 2860
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
  PID: 2324
  - Scheduled Task/Job: Scheduled Task

Depth 3: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  PID: 2940
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  PID: 1800
  - Scheduled Task/Job: Scheduled Task

Depth 4: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\YqKxdQQrZ1ag.bat" "
  PID: 2608
  - Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 520

Depth 5: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2680
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 5: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  PID: 2796
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  PID: 664
  - Scheduled Task/Job: Scheduled Task

Depth 6: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\wfEyAFTu24DT.bat" "
  PID: 1600
  - Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1488

Depth 7: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 876
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 7: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  PID: 2164
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  PID: 2128
  - Scheduled Task/Job: Scheduled Task

Depth 8: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\0JDIeF5gUWEo.bat" "
  PID: 768
  - Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1676

Depth 9: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1864
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 9: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  PID: 2168
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  PID: 1652
  - Scheduled Task/Job: Scheduled Task

Depth 10: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\TqLewx3FvPtS.bat" "
  PID: 2028

Depth 11: C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1992

Depth 11: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2212
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 11: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  PID: 2280
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

Depth 12: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  PID: 1020
  - Scheduled Task/Job: Scheduled Task

Depth 12: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8NaDGV3Wqdrb.bat" "
  PID: 1732

Depth 13: C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 2252

Depth 13: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2384
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 13: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  PID: 2884
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

Depth 14: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  PID: 2916
  - Scheduled Task/Job: Scheduled Task

Depth 14: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\uknGZSjsrI1M.bat" "
  PID: 1648

Depth 15: C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1916

Depth 15: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1252
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 15: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  PID: 2684
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

Depth 16: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  PID: 2380
  - Scheduled Task/Job: Scheduled Task

Depth 16: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2qyyJQHKzsDl.bat" "
  PID: 1104

Depth 17: C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 3060

Depth 17: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2720
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 17: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  PID: 1708
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

Depth 18: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  PID: 2928
  - Scheduled Task/Job: Scheduled Task

Depth 18: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\WL9mqhpJcdlw.bat" "
  PID: 2100

Depth 19: C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1488

Depth 19: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2096
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 19: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  PID: 1572
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

Depth 20: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  PID: 2364
  - Scheduled Task/Job: Scheduled Task

Depth 20: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\mFc1lLRsgzGX.bat" "
  PID: 2112

Depth 21: C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1580

Depth 21: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1676
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 21: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  PID: 2992
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

Depth 22: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  PID: 768
  - Scheduled Task/Job: Scheduled Task

Depth 22: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2V0mitmJ4IrQ.bat" "
  PID: 1728

Depth 23: C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1756

Depth 23: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 2168
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 23: C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  Command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  PID: 1528
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

Depth 24: C:\Windows\system32\schtasks.exe
  Command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  PID: 2536
  - Scheduled Task/Job: Scheduled Task

Depth 24: C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\NtTUfJ8OiOWA.bat" "
  PID: 2376

Depth 25: C:\Windows\system32\chcp.com
  Command line: chcp 65001
  PID: 1044

Depth 25: C:\Windows\system32\PING.EXE
  Command line: ping -n 10 localhost
  PID: 1724
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe

Depth 2: C:\Users\Admin\AppData\Local\Temp\S^X.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  PID: 2380
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 207B
  MD5: c425b1cdf73f99a5074406bb3e253ffb
  SHA1: 7d46b4153cba287afd465cfd9e6a1840b6a27e08
  SHA256: 1cd24e6ba9027fa30493ac914ec3dbf87e3dfda5c7fff95aa57167531cd6728e
  SHA512: 6ce5d72a87b794fa22826da8a94fd2d74aef6be37a81c95c231c61d2aea46734ffb2102250583062648e560f5024f98d073b928899b7c1e483cafbde71209371
- Filesize: 207B
  MD5: b356e9b2891f4439bfd8d1436d5d4d25
  SHA1: b9477ad20b40c3cd03060fa9505f26704962aa53
  SHA256: c7a461134f187686144339a4ece7dead12aea7fcd724773fd2bc1da6fb631c9e
  SHA512: 3ee3f416f08e5704eea0eff196b06b8b66c5f5957e5b751922beed28ee31b1fbaa05c7309fc98b434a39513ae83a12cd71a3e0dbbbcf5c5fc67bdcf4f80af8f9
- Filesize: 207B
  MD5: 4f9961d6405c7e0bfd0f2d7edf14fb76
  SHA1: 963aba719d010ac58bb04d05a52e02e5183208ba
  SHA256: a8b0b21c6949335440ef42a3fbdfe972332102c9c4b946120e0e76f02814d9c5
  SHA512: 1357e8a5bea61e5ec6c0b61623e5f418a8fe656047a86e6adaa1ab5649886d960ffa5dff654deeacc85982b65fce61b0ac0af5dbbc43b5d0d20e02dc1fc7a47a
- Filesize: 207B
  MD5: 32e5d29a21f8d0e7b13750aa643f9713
  SHA1: 1343b113988ec0b121e6830930cca8fb54fa1e82
  SHA256: ed151706bc8265717d11d8b6fd322b01e1495f9993a2a2222d1a3f8599276e82
  SHA512: 1ed85243ace4bec7624a97c2c99b75140cdf7ba14306887c21835f12495e1848dfe87b39279823c2c030fa1602cf7f8df7107bdcad8e772aec5577a00123e588
- Filesize: 207B
  MD5: fc89fd66856a60b4c53090fc7d871ca3
  SHA1: 8c512e0ed1b391c3f35837e3e24b6294ac70b32d
  SHA256: d943f7210a2e693f38e1a55e86cad73104e50bb78908a16241d6e9bb54c0ceda
  SHA512: c466dd9d3fb9b0a912d14a861c2cdea904adb701f224398dccb7a7f10e0b995792a51ce31b7364f0940278ffb268e6558c29ff2a72c09d08305a81e61cf90a08
- Filesize: 207B
  MD5: 47b1856f475d5ba676a0afcb3f3dc351
  SHA1: beec4704d83a84ffa6ef3ee298ffa6121e7cd4b3
  SHA256: 0ce473f7dab92f3740f1d40e26833251084170e2828276632f1a53735efd3ecd
  SHA512: 3aca32e63b28343117db9cf84e84f02c54c9b65c5c8b3533f81ffb8f3be4815bf717b31538849685976718e699bbed31d43524d8227b8b27370388c7d4275336
- Filesize: 207B
  MD5: 8fa61f81aa79b3b25d7466f2f05ac582
  SHA1: e7a770995a0f27f5d6a30d911d8c98262747ec65
  SHA256: 3968a38c2ae995d385e0a86ccd6b5058fadfa1d18eab687992825ed25ff464a0
  SHA512: 5331e815f72d9cc0bc3c318c5dff02d0457be8d2daed7f6cdebb578a7de041ea9f69e16fa2ae91b6b5062940d84fb4b77ca28cd9be60ed4a139c8c35acc94bfe
- Filesize: 207B
  MD5: 6958d4bc08f005e118500c1a64090cec
  SHA1: 303e3734ceca20272c8c77955f0c83a6d9bdd9c4
  SHA256: 5d1a76fc1adae07df12f17f92d979dcb61380147109f3ed24adcc52d1433bceb
  SHA512: 4df12fb1a1596b9f88d0f6b32793e5019c7df497d3a3a68d3e10082e9b312472de6fa1c7b641cdf4ba09689c7d4d920a8bff2dba96f54088219d833f62ba8ad2
- Filesize: 207B
  MD5: ae4a3d54b942f68dd5edf605fa7b6b51
  SHA1: fd2d972179ce69e129aadfcb8b471c3edc69f021
  SHA256: 11520a0265edd4d5f8f96a1034186bbeb21979afcced95522b66fd902f397446
  SHA512: 2efe0704ba8c94ffb6ca884b32d87ad764000d8d393bef211b9051a775decfc5ecac412c5ffd024066c25706d87f1cc0822db4346d4a44859cbea1da7be7bdfb
- Filesize: 207B
  MD5: 97445d2e3b18138232ffc0bce9b0efbc
  SHA1: cf95ad08e09e413a30a0b7f2fd2d9a7986a515d5
  SHA256: 9f30fc4f944191a2c0e1a2077281b65f57c27818e645bd1ee38bde987093a7de
  SHA512: a64e9ee51eaa4074d7e44263df6f9d57e63321c712212bce2e5636a75e08f8830b8e35caf29fabcfa54bc5b252b784688b579b88d6972e04509b5f3a710cd2dd
- Filesize: 207B
  MD5: 2f393d1a1ba3fb60bb4322d98f3a2a26
  SHA1: 30e41e2b1ec246317a249c507f00af7e89cfa5cf
  SHA256: ffa04d08e60edec28858316fd5e6c602cef3f0404747c325be6d9d6ce7214450
  SHA512: adbb8adc663082f534a825d649e15a6d9cf2fc2caa9685a08bd4c05c9d7e101a74716662d767477990072bdbf8b93f1129d2450a41b3ff96708d20e93d3583ac
- Filesize: 2.2MB
  MD5: 2d86c4ad18524003d56c1cb27c549ba8
  SHA1: 123007f9337364e044b87deacf6793c2027c8f47
  SHA256: 091ab8a1acdab40c544bd1e5c91a96881acc318cac4df5235e1b5673f5489280
  SHA512: 0dd5204733b3c20932aeea2cebf0ca1eeca70e4b3b3b8932d78d952a8f762f0b96ebdbdaf217e95889c02ec6a39b8f9919fd4c0cba56bb629256e71fa61faa3c
- Filesize: 789KB
  MD5: e2437ac017506bbde9a81fb1f618457b
  SHA1: adef2615312b31e041ccf700b3982dd50b686c7f
  SHA256: 94594fa46d0bd28c02365f0a32ec3a662b25df95f3f3e8e2a952c18a23895b12
  SHA512: 9169f8be39b8fede38f7fce5a2e64d42630857e0ebd37f921c68ccf0bf0a8816f1682ba4659d22ad43413d99de62a59b2494494701404b44aa41c4d6bdc1e019
- Filesize: 502KB
  MD5: 92479f1615fd4fa1dd3ac7f2e6a1b329
  SHA1: 0a6063d27c9f991be2053b113fcef25e071c57fd
  SHA256: 0c4917cc756e769e94ab97d626bef49713dab833525ba2e5d75fc9aea4c72569
  SHA512: 9f117c74c04749e6d0142e1cf952a8c59428f649413750921fc7aea35a3ccb62d9975ef954e61ce323d6234e0e9c7b8816f2ca9270552b726f9233219750847c