quasar | 06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AVB.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AVB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AVB.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	AVB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 15 IoCs

pid	Process
1152	AVB.exe
1564	chrome.exe
3560	S^X.exe
1460	chrome.exe
2696	chrome.exe
3348	chrome.exe
1872	chrome.exe
3488	chrome.exe
4488	chrome.exe
2260	chrome.exe
1760	chrome.exe
3024	chrome.exe
4184	chrome.exe
1800	chrome.exe
2696	chrome.exe

Loads dropped DLL 3 IoCs

pid	Process
432	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
1152	AVB.exe
1152	AVB.exe

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x0008000000023c83-19.dat	agile_net
behavioral2/memory/1152-30-0x00000000005D0000-0x0000000001120000-memory.dmp	agile_net
behavioral2/memory/1152-44-0x0000000005EE0000-0x00000000064F2000-memory.dmp	agile_net
behavioral2/memory/1152-65-0x0000000005EE0000-0x00000000064EC000-memory.dmp	agile_net
behavioral2/memory/1152-67-0x0000000005EE0000-0x00000000064EC000-memory.dmp	agile_net
behavioral2/memory/1152-63-0x0000000005EE0000-0x00000000064EC000-memory.dmp	agile_net
behavioral2/memory/1152-62-0x0000000005EE0000-0x00000000064EC000-memory.dmp	agile_net
behavioral2/memory/1152-69-0x0000000005EE0000-0x00000000064EC000-memory.dmp	agile_net

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0007000000023c86-6.dat	themida
behavioral2/memory/432-11-0x00000000732B0000-0x00000000738B8000-memory.dmp	themida
behavioral2/memory/432-12-0x00000000732B0000-0x00000000738B8000-memory.dmp	themida
behavioral2/memory/432-10-0x00000000732B0000-0x00000000738B8000-memory.dmp	themida
behavioral2/memory/432-27-0x00000000732B0000-0x00000000738B8000-memory.dmp	themida
behavioral2/memory/1152-39-0x0000000074810000-0x0000000074E18000-memory.dmp	themida
behavioral2/memory/1152-41-0x0000000074810000-0x0000000074E18000-memory.dmp	themida
behavioral2/memory/1152-42-0x0000000074810000-0x0000000074E18000-memory.dmp	themida
behavioral2/memory/1152-52-0x00000000741B0000-0x00000000747B8000-memory.dmp	themida
behavioral2/memory/1152-55-0x00000000741B0000-0x00000000747B8000-memory.dmp	themida
behavioral2/memory/1152-53-0x00000000741B0000-0x00000000747B8000-memory.dmp	themida
behavioral2/memory/1152-93-0x0000000074810000-0x0000000074E18000-memory.dmp	themida
behavioral2/memory/1152-94-0x00000000741B0000-0x00000000747B8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AVB.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
432	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
1152	AVB.exe
1152	AVB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5048	PING.EXE
5052	PING.EXE
4624	PING.EXE
1748	PING.EXE
1292	PING.EXE
2828	PING.EXE
3036	PING.EXE
2760	PING.EXE
4672	PING.EXE
1456	PING.EXE
4624	PING.EXE
1732	PING.EXE

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2760	PING.EXE
5052	PING.EXE
2828	PING.EXE
3036	PING.EXE
4624	PING.EXE
1732	PING.EXE
5048	PING.EXE
4672	PING.EXE
4624	PING.EXE
1748	PING.EXE
1292	PING.EXE
1456	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3288	schtasks.exe
848	schtasks.exe
4916	schtasks.exe
2736	schtasks.exe
2012	schtasks.exe
4400	schtasks.exe
816	schtasks.exe
4324	schtasks.exe
2572	schtasks.exe
3432	schtasks.exe
2744	schtasks.exe
4296	schtasks.exe
1768	schtasks.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1564	chrome.exe
Token: SeDebugPrivilege	1460	chrome.exe
Token: SeDebugPrivilege	3560	S^X.exe
Token: SeDebugPrivilege	2696	chrome.exe
Token: SeDebugPrivilege	3348	chrome.exe
Token: SeDebugPrivilege	1872	chrome.exe
Token: SeDebugPrivilege	3488	chrome.exe
Token: SeDebugPrivilege	4488	chrome.exe
Token: SeDebugPrivilege	2260	chrome.exe
Token: SeDebugPrivilege	1760	chrome.exe
Token: SeDebugPrivilege	3024	chrome.exe
Token: SeDebugPrivilege	4184	chrome.exe
Token: SeDebugPrivilege	1800	chrome.exe
Token: SeDebugPrivilege	2696	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 1152	432	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe	83
PID 432 wrote to memory of 1152	432	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe	83
PID 432 wrote to memory of 1152	432	06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe	83
PID 1152 wrote to memory of 1564	1152	AVB.exe	84
PID 1152 wrote to memory of 1564	1152	AVB.exe	84
PID 1152 wrote to memory of 3560	1152	AVB.exe	85
PID 1152 wrote to memory of 3560	1152	AVB.exe	85
PID 1152 wrote to memory of 3560	1152	AVB.exe	85
PID 1564 wrote to memory of 848	1564	chrome.exe	86
PID 1564 wrote to memory of 848	1564	chrome.exe	86
PID 1564 wrote to memory of 1460	1564	chrome.exe	88
PID 1564 wrote to memory of 1460	1564	chrome.exe	88
PID 1460 wrote to memory of 2572	1460	chrome.exe	91
PID 1460 wrote to memory of 2572	1460	chrome.exe	91
PID 1460 wrote to memory of 4488	1460	chrome.exe	95
PID 1460 wrote to memory of 4488	1460	chrome.exe	95
PID 4488 wrote to memory of 1736	4488	cmd.exe	97
PID 4488 wrote to memory of 1736	4488	cmd.exe	97
PID 4488 wrote to memory of 2760	4488	cmd.exe	98
PID 4488 wrote to memory of 2760	4488	cmd.exe	98
PID 4488 wrote to memory of 2696	4488	cmd.exe	107
PID 4488 wrote to memory of 2696	4488	cmd.exe	107
PID 2696 wrote to memory of 3432	2696	chrome.exe	108
PID 2696 wrote to memory of 3432	2696	chrome.exe	108
PID 2696 wrote to memory of 1068	2696	chrome.exe	111
PID 2696 wrote to memory of 1068	2696	chrome.exe	111
PID 1068 wrote to memory of 2884	1068	cmd.exe	113
PID 1068 wrote to memory of 2884	1068	cmd.exe	113
PID 1068 wrote to memory of 4672	1068	cmd.exe	114
PID 1068 wrote to memory of 4672	1068	cmd.exe	114
PID 1068 wrote to memory of 3348	1068	cmd.exe	116
PID 1068 wrote to memory of 3348	1068	cmd.exe	116
PID 3348 wrote to memory of 2744	3348	chrome.exe	117
PID 3348 wrote to memory of 2744	3348	chrome.exe	117
PID 3348 wrote to memory of 1424	3348	chrome.exe	120
PID 3348 wrote to memory of 1424	3348	chrome.exe	120
PID 1424 wrote to memory of 4720	1424	cmd.exe	122
PID 1424 wrote to memory of 4720	1424	cmd.exe	122
PID 1424 wrote to memory of 5052	1424	cmd.exe	123
PID 1424 wrote to memory of 5052	1424	cmd.exe	123
PID 1424 wrote to memory of 1872	1424	cmd.exe	128
PID 1424 wrote to memory of 1872	1424	cmd.exe	128
PID 1872 wrote to memory of 4916	1872	chrome.exe	129
PID 1872 wrote to memory of 4916	1872	chrome.exe	129
PID 1872 wrote to memory of 3052	1872	chrome.exe	132
PID 1872 wrote to memory of 3052	1872	chrome.exe	132
PID 3052 wrote to memory of 1040	3052	cmd.exe	134
PID 3052 wrote to memory of 1040	3052	cmd.exe	134
PID 3052 wrote to memory of 4624	3052	cmd.exe	135
PID 3052 wrote to memory of 4624	3052	cmd.exe	135
PID 3052 wrote to memory of 3488	3052	cmd.exe	137
PID 3052 wrote to memory of 3488	3052	cmd.exe	137
PID 3488 wrote to memory of 4296	3488	chrome.exe	138
PID 3488 wrote to memory of 4296	3488	chrome.exe	138
PID 3488 wrote to memory of 4028	3488	chrome.exe	141
PID 3488 wrote to memory of 4028	3488	chrome.exe	141
PID 4028 wrote to memory of 4368	4028	cmd.exe	143
PID 4028 wrote to memory of 4368	4028	cmd.exe	143
PID 4028 wrote to memory of 1748	4028	cmd.exe	144
PID 4028 wrote to memory of 1748	4028	cmd.exe	144
PID 4028 wrote to memory of 4488	4028	cmd.exe	146
PID 4028 wrote to memory of 4488	4028	cmd.exe	146
PID 4488 wrote to memory of 2736	4488	chrome.exe	147
PID 4488 wrote to memory of 2736	4488	chrome.exe	147

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe
"C:\Users\Admin\AppData\Local\Temp\06d191cb11b5332ca315fde549e38123a59b462a1712563c81129aaf70de8e8c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Roaming\AVB.exe
  "C:\Users\Admin\AppData\Roaming\AVB.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Users\Admin\AppData\Roaming\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:848
  - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
      "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2572
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6TtGaafO1umz.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1736
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2760
      - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ofAIgHEtcu5d.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rTOKWdItm0HO.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgmJxC2mZgyd.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4624
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGPS8FepNnvI.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5RmJeiWl57Tf.bat" "
        15⤵
        
        PID:4436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1292
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XnO5UVEqyjTV.bat" "
        17⤵
        
        PID:976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FEb6ALB171aL.bat" "
        19⤵
        
        PID:4628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ThHUYGi6BUNK.bat" "
        21⤵
        
        PID:4824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3616
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4624
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Xxor5NctWBOx.bat" "
        23⤵
        
        PID:2448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y1lI6iFuGUZw.bat" "
        25⤵
        
        PID:3116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\43L7I59UpYtY.bat" "
        27⤵
        
        PID:4040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1456
- - C:\Users\Admin\AppData\Local\Temp\S^X.exe
    "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery