Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 01/01/2025, 12:24
Behavioral task: behavioral1
Sample: JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Resource: win7-20241010-en
General
Target: JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Size: 6.6MB
MD5: 54fd1c1af0f12d1ff54ab8901e9ce266
SHA1: f50e95582506de109115a2d46c9d2fae6caa238d
SHA256: c563c2586cc408faf2c05f25fcddb9049e8432d76f6fea16556f75d6ad380ce3
SHA512: 21c45d652b2433a9ecc042bec756708e94dd7b648187d24efd178e0eae639e7a541cfe83cca443204cd1dd95e3e6b0b1cd7d62b495efa02cf073b9a4a2628c26
SSDEEP: 196608:m+AJG9mLg53HRVu7vHDpS1IqBRU7kCs2q:m3Q9j53xVu7vHhqBa4Cs
Malware Config
Extracted
quasar
1.4.0
Chrome
live.nodenet.ml:8863
754ce6d6-f75b-4c6f-964c-3996e749369e
encryption_key: 8F8DE0B9E0A9CA156684061043456EC2CF7D0A6D
install_name: chrome.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: System
subdirectory: chrome
Signatures
Quasar family
Quasar payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023c9b-19.dat | family_quasar
behavioral2/memory/4448-39-0x0000000000320000-0x00000000003A4000-memory.dmp | family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Checks computer location settings (2 TTPs, 16 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | chrome.exe
Executes dropped EXE (17 IoCs)
pid | Process
4448 | chrome.exe
4720 | S^X.exe
1996 | chrome.exe
4032 | chrome.exe
1936 | chrome.exe
4500 | chrome.exe
4744 | chrome.exe
972 | chrome.exe
1168 | chrome.exe
4424 | chrome.exe
1560 | chrome.exe
4032 | chrome.exe
692 | chrome.exe
3644 | chrome.exe
384 | chrome.exe
440 | chrome.exe
3424 | chrome.exe
Loads dropped DLL (1 IoC)
pid | Process
1460 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Themida (YARA rule match, 5 IoCs)
resource | yara_rule
behavioral2/files/0x000c000000023c92-6.dat | themida
behavioral2/memory/1460-10-0x0000000072FE0000-0x00000000735E8000-memory.dmp | themida
behavioral2/memory/1460-11-0x0000000072FE0000-0x00000000735E8000-memory.dmp | themida
behavioral2/memory/1460-12-0x0000000072FE0000-0x00000000735E8000-memory.dmp | themida
behavioral2/memory/1460-40-0x0000000072FE0000-0x00000000735E8000-memory.dmp | themida
Checks whether UAC is enabled (1 IoC)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
1460 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | S^X.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1240 | PING.EXE
5072 | PING.EXE
3944 | PING.EXE
4732 | PING.EXE
748 | PING.EXE
4864 | PING.EXE
4104 | PING.EXE
2392 | PING.EXE
5072 | PING.EXE
2400 | PING.EXE
4836 | PING.EXE
2076 | PING.EXE
1400 | PING.EXE
2664 | PING.EXE
1980 | PING.EXE
Runs ping.exe (1 TTP, 15 IoCs)
pid | Process
1400 | PING.EXE
4836 | PING.EXE
2392 | PING.EXE
5072 | PING.EXE
1980 | PING.EXE
748 | PING.EXE
3944 | PING.EXE
5072 | PING.EXE
4864 | PING.EXE
2076 | PING.EXE
4104 | PING.EXE
2400 | PING.EXE
2664 | PING.EXE
4732 | PING.EXE
1240 | PING.EXE
Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1168 | schtasks.exe
4992 | schtasks.exe
2708 | schtasks.exe
1604 | schtasks.exe
4296 | schtasks.exe
4468 | schtasks.exe
924 | schtasks.exe
3028 | schtasks.exe
2276 | schtasks.exe
2304 | schtasks.exe
4500 | schtasks.exe
4992 | schtasks.exe
2236 | schtasks.exe
4936 | schtasks.exe
440 | schtasks.exe
4008 | schtasks.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4448 | chrome.exe
Token: SeDebugPrivilege | 1996 | chrome.exe
Token: SeDebugPrivilege | 4720 | S^X.exe
Token: SeDebugPrivilege | 4032 | chrome.exe
Token: SeDebugPrivilege | 1936 | chrome.exe
Token: SeDebugPrivilege | 4500 | chrome.exe
Token: SeDebugPrivilege | 4744 | chrome.exe
Token: SeDebugPrivilege | 972 | chrome.exe
Token: SeDebugPrivilege | 1168 | chrome.exe
Token: SeDebugPrivilege | 4424 | chrome.exe
Token: SeDebugPrivilege | 1560 | chrome.exe
Token: SeDebugPrivilege | 4032 | chrome.exe
Token: SeDebugPrivilege | 692 | chrome.exe
Token: SeDebugPrivilege | 3644 | chrome.exe
Token: SeDebugPrivilege | 384 | chrome.exe
Token: SeDebugPrivilege | 440 | chrome.exe
Token: SeDebugPrivilege | 3424 | chrome.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
1996 | chrome.exe
1936 | chrome.exe
4500 | chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1460 wrote to memory of 4448 | 1460 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 83
PID 1460 wrote to memory of 4448 | 1460 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 83
PID 1460 wrote to memory of 4720 | 1460 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 84
PID 1460 wrote to memory of 4720 | 1460 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 84
PID 1460 wrote to memory of 4720 | 1460 | JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe | 84
PID 4448 wrote to memory of 2304 | 4448 | chrome.exe | 85
PID 4448 wrote to memory of 2304 | 4448 | chrome.exe | 85
PID 4448 wrote to memory of 1996 | 4448 | chrome.exe | 87
PID 4448 wrote to memory of 1996 | 4448 | chrome.exe | 87
PID 1996 wrote to memory of 4500 | 1996 | chrome.exe | 88
PID 1996 wrote to memory of 4500 | 1996 | chrome.exe | 88
PID 1996 wrote to memory of 4752 | 1996 | chrome.exe | 90
PID 1996 wrote to memory of 4752 | 1996 | chrome.exe | 90
PID 4752 wrote to memory of 2932 | 4752 | cmd.exe | 92
PID 4752 wrote to memory of 2932 | 4752 | cmd.exe | 92
PID 4752 wrote to memory of 1240 | 4752 | cmd.exe | 93
PID 4752 wrote to memory of 1240 | 4752 | cmd.exe | 93
PID 4752 wrote to memory of 4032 | 4752 | cmd.exe | 100
PID 4752 wrote to memory of 4032 | 4752 | cmd.exe | 100
PID 4032 wrote to memory of 4468 | 4032 | chrome.exe | 102
PID 4032 wrote to memory of 4468 | 4032 | chrome.exe | 102
PID 4032 wrote to memory of 2044 | 4032 | chrome.exe | 105
PID 4032 wrote to memory of 2044 | 4032 | chrome.exe | 105
PID 2044 wrote to memory of 2916 | 2044 | cmd.exe | 107
PID 2044 wrote to memory of 2916 | 2044 | cmd.exe | 107
PID 2044 wrote to memory of 2076 | 2044 | cmd.exe | 108
PID 2044 wrote to memory of 2076 | 2044 | cmd.exe | 108
PID 2044 wrote to memory of 1936 | 2044 | cmd.exe | 116
PID 2044 wrote to memory of 1936 | 2044 | cmd.exe | 116
PID 1936 wrote to memory of 1168 | 1936 | chrome.exe | 117
PID 1936 wrote to memory of 1168 | 1936 | chrome.exe | 117
PID 1936 wrote to memory of 1316 | 1936 | chrome.exe | 120
PID 1936 wrote to memory of 1316 | 1936 | chrome.exe | 120
PID 1316 wrote to memory of 3028 | 1316 | cmd.exe | 122
PID 1316 wrote to memory of 3028 | 1316 | cmd.exe | 122
PID 1316 wrote to memory of 5072 | 1316 | cmd.exe | 123
PID 1316 wrote to memory of 5072 | 1316 | cmd.exe | 123
PID 1316 wrote to memory of 4500 | 1316 | cmd.exe | 128
PID 1316 wrote to memory of 4500 | 1316 | cmd.exe | 128
PID 4500 wrote to memory of 4992 | 4500 | chrome.exe | 129
PID 4500 wrote to memory of 4992 | 4500 | chrome.exe | 129
PID 4500 wrote to memory of 3992 | 4500 | chrome.exe | 132
PID 4500 wrote to memory of 3992 | 4500 | chrome.exe | 132
PID 3992 wrote to memory of 712 | 3992 | cmd.exe | 134
PID 3992 wrote to memory of 712 | 3992 | cmd.exe | 134
PID 3992 wrote to memory of 4864 | 3992 | cmd.exe | 135
PID 3992 wrote to memory of 4864 | 3992 | cmd.exe | 135
PID 3992 wrote to memory of 4744 | 3992 | cmd.exe | 137
PID 3992 wrote to memory of 4744 | 3992 | cmd.exe | 137
PID 4744 wrote to memory of 2236 | 4744 | chrome.exe | 138
PID 4744 wrote to memory of 2236 | 4744 | chrome.exe | 138
PID 4744 wrote to memory of 2944 | 4744 | chrome.exe | 141
PID 4744 wrote to memory of 2944 | 4744 | chrome.exe | 141
PID 2944 wrote to memory of 1904 | 2944 | cmd.exe | 143
PID 2944 wrote to memory of 1904 | 2944 | cmd.exe | 143
PID 2944 wrote to memory of 4104 | 2944 | cmd.exe | 144
PID 2944 wrote to memory of 4104 | 2944 | cmd.exe | 144
PID 2944 wrote to memory of 972 | 2944 | cmd.exe | 146
PID 2944 wrote to memory of 972 | 2944 | cmd.exe | 146
PID 972 wrote to memory of 4936 | 972 | chrome.exe | 147
PID 972 wrote to memory of 4936 | 972 | chrome.exe | 147
PID 972 wrote to memory of 3108 | 972 | chrome.exe | 150
PID 972 wrote to memory of 3108 | 972 | chrome.exe | 150
PID 3108 wrote to memory of 4516 | 3108 | cmd.exe | 152
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
depth 1 | PID 1460 | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_54fd1c1af0f12d1ff54ab8901e9ce266.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
depth 2 | PID 4448 | C:\Users\Admin\AppData\Roaming\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 3 | PID 2304 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 3 | PID 1996 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 4 | PID 4500 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 4 | PID 4752 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PJqPHYpWMD9i.bat" "
  - Suspicious use of WriteProcessMemory
depth 5 | PID 2932 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 5 | PID 1240 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 5 | PID 4032 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 6 | PID 4468 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 6 | PID 2044 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqbnLGJlW6qD.bat" "
  - Suspicious use of WriteProcessMemory
depth 7 | PID 2916 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 7 | PID 2076 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 7 | PID 1936 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 8 | PID 1168 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 8 | PID 1316 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAaU5XSIAbAE.bat" "
  - Suspicious use of WriteProcessMemory
depth 9 | PID 3028 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 9 | PID 5072 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 9 | PID 4500 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
depth 10 | PID 4992 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 10 | PID 3992 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DNu4AsRhRJcu.bat" "
  - Suspicious use of WriteProcessMemory
depth 11 | PID 712 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 11 | PID 4864 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 11 | PID 4744 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 12 | PID 2236 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 12 | PID 2944 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hDx0C0GSNkAR.bat" "
  - Suspicious use of WriteProcessMemory
depth 13 | PID 1904 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 13 | PID 4104 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 13 | PID 972 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
depth 14 | PID 4936 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 14 | PID 3108 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\czYZG1OXnEct.bat" "
  - Suspicious use of WriteProcessMemory
depth 15 | PID 4516 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 15 | PID 3944 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 15 | PID 1168 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 16 | PID 924 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 16 | PID 1340 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWhxanybTbsX.bat" "
depth 17 | PID 3248 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 17 | PID 2400 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 17 | PID 4424 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 18 | PID 2708 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 18 | PID 4904 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Yx5ltnSLDy7H.bat" "
depth 19 | PID 372 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 19 | PID 1400 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 19 | PID 1560 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 20 | PID 440 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 20 | PID 3992 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o2Vbfr5mU9bp.bat" "
depth 21 | PID 3620 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 21 | PID 4836 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 21 | PID 4032 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 22 | PID 1604 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 22 | PID 4104 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M76qESA8DMmn.bat" "
depth 23 | PID 3536 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 23 | PID 2664 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 23 | PID 692 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 24 | PID 4296 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 24 | PID 1656 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k1YPUinVC8rc.bat" "
depth 25 | PID 3672 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 25 | PID 2392 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 25 | PID 3644 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 26 | PID 3028 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 26 | PID 640 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QS1DF2Bd7cpH.bat" "
depth 27 | PID 4444 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 27 | PID 5072 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 27 | PID 384 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 28 | PID 4992 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 28 | PID 3948 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4jD8QnWCYgOK.bat" "
depth 29 | PID 4704 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 29 | PID 4732 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 29 | PID 440 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 30 | PID 4008 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 30 | PID 4884 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qowxT4IFhKhZ.bat" "
depth 31 | PID 2636 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 31 | PID 1980 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 31 | PID 3424 | C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
  command line: "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
depth 32 | PID 2276 | C:\Windows\SYSTEM32\schtasks.exe
  command line: "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
depth 32 | PID 4600 | C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AeuO1TnLo203.bat" "
depth 33 | PID 4964 | C:\Windows\system32\chcp.com
  command line: chcp 65001
depth 33 | PID 748 | C:\Windows\system32\PING.EXE
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
depth 2 | PID 4720 | C:\Users\Admin\AppData\Local\Temp\S^X.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads