quasar | 27810441ae1cf22aff376877945394e6430f4e8a0ce907f809880e173a851d35

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 15 IoCs

pid	Process
3172	chrome.exe
2148	S^X.exe
1272	chrome.exe
4588	chrome.exe
956	chrome.exe
2292	chrome.exe
932	chrome.exe
1496	chrome.exe
3820	chrome.exe
636	chrome.exe
3452	chrome.exe
3808	chrome.exe
644	chrome.exe
2436	chrome.exe
5112	chrome.exe

Loads dropped DLL 1 IoCs

pid	Process
3528	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000002333a-8.dat	themida
behavioral2/memory/3528-10-0x0000000072D90000-0x0000000073398000-memory.dmp	themida
behavioral2/memory/3528-12-0x0000000072D90000-0x0000000073398000-memory.dmp	themida
behavioral2/memory/3528-13-0x0000000072D90000-0x0000000073398000-memory.dmp	themida
behavioral2/memory/3528-38-0x0000000072D90000-0x0000000073398000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3528	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4728	schtasks.exe
2584	schtasks.exe
4588	schtasks.exe
4820	schtasks.exe
1544	schtasks.exe
644	schtasks.exe
2040	schtasks.exe
3200	schtasks.exe
3248	schtasks.exe
4192	schtasks.exe
3368	schtasks.exe
2956	schtasks.exe
2452	schtasks.exe
4272	schtasks.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
4208	PING.EXE
3364	PING.EXE
4484	PING.EXE
3420	PING.EXE
1552	PING.EXE
4600	PING.EXE
980	PING.EXE
3328	PING.EXE
1172	PING.EXE
4892	PING.EXE
4944	PING.EXE
4532	PING.EXE

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	chrome.exe
Token: SeDebugPrivilege	1272	chrome.exe
Token: SeDebugPrivilege	2148	S^X.exe
Token: SeDebugPrivilege	4588	chrome.exe
Token: SeDebugPrivilege	956	chrome.exe
Token: SeDebugPrivilege	2292	chrome.exe
Token: SeDebugPrivilege	932	chrome.exe
Token: SeDebugPrivilege	1496	chrome.exe
Token: SeDebugPrivilege	3820	chrome.exe
Token: SeDebugPrivilege	636	chrome.exe
Token: SeDebugPrivilege	3452	chrome.exe
Token: SeDebugPrivilege	3808	chrome.exe
Token: SeDebugPrivilege	644	chrome.exe
Token: SeDebugPrivilege	2436	chrome.exe
Token: SeDebugPrivilege	5112	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 3172	3528	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe	95
PID 3528 wrote to memory of 3172	3528	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe	95
PID 3528 wrote to memory of 2148	3528	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe	96
PID 3528 wrote to memory of 2148	3528	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe	96
PID 3528 wrote to memory of 2148	3528	178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe	96
PID 3172 wrote to memory of 4192	3172	chrome.exe	97
PID 3172 wrote to memory of 4192	3172	chrome.exe	97
PID 3172 wrote to memory of 1272	3172	chrome.exe	99
PID 3172 wrote to memory of 1272	3172	chrome.exe	99
PID 1272 wrote to memory of 3368	1272	chrome.exe	100
PID 1272 wrote to memory of 3368	1272	chrome.exe	100
PID 1272 wrote to memory of 2036	1272	chrome.exe	104
PID 1272 wrote to memory of 2036	1272	chrome.exe	104
PID 2036 wrote to memory of 2860	2036	cmd.exe	106
PID 2036 wrote to memory of 2860	2036	cmd.exe	106
PID 2036 wrote to memory of 4600	2036	cmd.exe	107
PID 2036 wrote to memory of 4600	2036	cmd.exe	107
PID 2036 wrote to memory of 4588	2036	cmd.exe	113
PID 2036 wrote to memory of 4588	2036	cmd.exe	113
PID 4588 wrote to memory of 4728	4588	chrome.exe	114
PID 4588 wrote to memory of 4728	4588	chrome.exe	114
PID 4588 wrote to memory of 3104	4588	chrome.exe	116
PID 4588 wrote to memory of 3104	4588	chrome.exe	116
PID 3104 wrote to memory of 1780	3104	cmd.exe	118
PID 3104 wrote to memory of 1780	3104	cmd.exe	118
PID 3104 wrote to memory of 980	3104	cmd.exe	119
PID 3104 wrote to memory of 980	3104	cmd.exe	119
PID 3104 wrote to memory of 956	3104	cmd.exe	121
PID 3104 wrote to memory of 956	3104	cmd.exe	121
PID 956 wrote to memory of 1544	956	chrome.exe	122
PID 956 wrote to memory of 1544	956	chrome.exe	122
PID 956 wrote to memory of 4048	956	chrome.exe	124
PID 956 wrote to memory of 4048	956	chrome.exe	124
PID 4048 wrote to memory of 4620	4048	cmd.exe	126
PID 4048 wrote to memory of 4620	4048	cmd.exe	126
PID 4048 wrote to memory of 3328	4048	cmd.exe	127
PID 4048 wrote to memory of 3328	4048	cmd.exe	127
PID 4048 wrote to memory of 2292	4048	cmd.exe	128
PID 4048 wrote to memory of 2292	4048	cmd.exe	128
PID 2292 wrote to memory of 2584	2292	chrome.exe	129
PID 2292 wrote to memory of 2584	2292	chrome.exe	129
PID 2292 wrote to memory of 2272	2292	chrome.exe	131
PID 2292 wrote to memory of 2272	2292	chrome.exe	131
PID 2272 wrote to memory of 4660	2272	cmd.exe	133
PID 2272 wrote to memory of 4660	2272	cmd.exe	133
PID 2272 wrote to memory of 1172	2272	cmd.exe	134
PID 2272 wrote to memory of 1172	2272	cmd.exe	134
PID 2272 wrote to memory of 932	2272	cmd.exe	136
PID 2272 wrote to memory of 932	2272	cmd.exe	136
PID 932 wrote to memory of 2956	932	chrome.exe	137
PID 932 wrote to memory of 2956	932	chrome.exe	137
PID 932 wrote to memory of 1820	932	chrome.exe	139
PID 932 wrote to memory of 1820	932	chrome.exe	139
PID 1820 wrote to memory of 2188	1820	cmd.exe	141
PID 1820 wrote to memory of 2188	1820	cmd.exe	141
PID 1820 wrote to memory of 4892	1820	cmd.exe	142
PID 1820 wrote to memory of 4892	1820	cmd.exe	142
PID 1820 wrote to memory of 1496	1820	cmd.exe	143
PID 1820 wrote to memory of 1496	1820	cmd.exe	143
PID 1496 wrote to memory of 2452	1496	chrome.exe	144
PID 1496 wrote to memory of 2452	1496	chrome.exe	144
PID 1496 wrote to memory of 5060	1496	chrome.exe	146
PID 1496 wrote to memory of 5060	1496	chrome.exe	146
PID 5060 wrote to memory of 768	5060	cmd.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\178ea6b2fe4a5d53f40b4c4ef74f7448_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4192
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LryzvACoKuxo.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2860
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:4600
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ro1hhQn3N4Dj.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:980
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heTGXzIeQEZC.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:3328
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Creates scheduled task(s)
        
        PID:2584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WXIiVLsNfLeI.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:1172
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Creates scheduled task(s)
        
        PID:2956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dz1XlVIdFPYi.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:4892
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Creates scheduled task(s)
        
        PID:2452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hZjGhC51Hfu2.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:4208
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Creates scheduled task(s)
        
        PID:644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6ByQeWqs2jZ6.bat" "
        16⤵
        
        PID:3312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Creates scheduled task(s)
        
        PID:4588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FvhIXMig6X7n.bat" "
        18⤵
        
        PID:3252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2188
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:3364
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Creates scheduled task(s)
        
        PID:2040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D8fRIKY5EkLi.bat" "
        20⤵
        
        PID:4920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Creates scheduled task(s)
        
        PID:4272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qHOkWYGyVqOA.bat" "
        22⤵
        
        PID:4840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2296
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:3420
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Creates scheduled task(s)
        
        PID:4820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WfYPOf7Hj1rc.bat" "
        24⤵
        
        PID:3840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:4532
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        26⤵
        Creates scheduled task(s)
        
        PID:3200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yBJC6lr5zTil.bat" "
        26⤵
        
        PID:748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:1552
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        28⤵
        Creates scheduled task(s)
        
        PID:3248
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
1⤵
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery