quasar | 95246179cf7c6c8d3629dd30eb1b76bfff221c82915eed1b77c05daa8c5a0afc

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 17 IoCs

pid	Process
5100	chrome.exe
1908	S^X.exe
1760	chrome.exe
1328	chrome.exe
3288	chrome.exe
4332	chrome.exe
1428	chrome.exe
3960	chrome.exe
2692	chrome.exe
4044	chrome.exe
3760	chrome.exe
872	chrome.exe
4760	chrome.exe
3952	chrome.exe
336	chrome.exe
1436	chrome.exe
876	chrome.exe

Loads dropped DLL 1 IoCs

pid	Process
5048	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe

Obfuscated with Agile.Net obfuscator 7 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/5048-1-0x0000000000090000-0x00000000006A4000-memory.dmp	agile_net
behavioral2/memory/5048-2-0x0000000005090000-0x00000000056A2000-memory.dmp	agile_net
behavioral2/memory/5048-16-0x0000000005090000-0x000000000569C000-memory.dmp	agile_net
behavioral2/memory/5048-19-0x0000000005090000-0x000000000569C000-memory.dmp	agile_net
behavioral2/memory/5048-17-0x0000000005090000-0x000000000569C000-memory.dmp	agile_net
behavioral2/memory/5048-23-0x0000000005090000-0x000000000569C000-memory.dmp	agile_net
behavioral2/memory/5048-21-0x0000000005090000-0x000000000569C000-memory.dmp	agile_net

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000a000000023b9c-7.dat	themida
behavioral2/memory/5048-11-0x0000000071AE0000-0x00000000720E8000-memory.dmp	themida
behavioral2/memory/5048-12-0x0000000071AE0000-0x00000000720E8000-memory.dmp	themida
behavioral2/memory/5048-14-0x0000000071AE0000-0x00000000720E8000-memory.dmp	themida
behavioral2/memory/5048-52-0x0000000071AE0000-0x00000000720E8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5048	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4456	PING.EXE
2008	PING.EXE
612	PING.EXE
4528	PING.EXE
2304	PING.EXE
1772	PING.EXE
1932	PING.EXE
4100	PING.EXE
5080	PING.EXE
2444	PING.EXE
4796	PING.EXE
2236	PING.EXE
4512	PING.EXE
3156	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
4100	PING.EXE
2008	PING.EXE
4796	PING.EXE
4456	PING.EXE
4512	PING.EXE
4528	PING.EXE
5080	PING.EXE
1772	PING.EXE
2444	PING.EXE
2236	PING.EXE
2304	PING.EXE
3156	PING.EXE
1932	PING.EXE
612	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3904	schtasks.exe
1460	schtasks.exe
4980	schtasks.exe
4772	schtasks.exe
4424	schtasks.exe
3884	schtasks.exe
1196	schtasks.exe
760	schtasks.exe
2012	schtasks.exe
3740	schtasks.exe
3656	schtasks.exe
2024	schtasks.exe
2072	schtasks.exe
1336	schtasks.exe
3816	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	chrome.exe
Token: SeDebugPrivilege	1760	chrome.exe
Token: SeDebugPrivilege	1908	S^X.exe
Token: SeDebugPrivilege	1328	chrome.exe
Token: SeDebugPrivilege	3288	chrome.exe
Token: SeDebugPrivilege	4332	chrome.exe
Token: SeDebugPrivilege	1428	chrome.exe
Token: SeDebugPrivilege	3960	chrome.exe
Token: SeDebugPrivilege	2692	chrome.exe
Token: SeDebugPrivilege	4044	chrome.exe
Token: SeDebugPrivilege	3760	chrome.exe
Token: SeDebugPrivilege	872	chrome.exe
Token: SeDebugPrivilege	3952	chrome.exe
Token: SeDebugPrivilege	336	chrome.exe
Token: SeDebugPrivilege	1436	chrome.exe
Token: SeDebugPrivilege	876	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 5100	5048	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	83
PID 5048 wrote to memory of 5100	5048	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	83
PID 5048 wrote to memory of 1908	5048	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	84
PID 5048 wrote to memory of 1908	5048	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	84
PID 5048 wrote to memory of 1908	5048	JaffaCakes118_03778d811f241e83ccad830372313b3c.exe	84
PID 5100 wrote to memory of 3816	5100	chrome.exe	85
PID 5100 wrote to memory of 3816	5100	chrome.exe	85
PID 5100 wrote to memory of 1760	5100	chrome.exe	87
PID 5100 wrote to memory of 1760	5100	chrome.exe	87
PID 1760 wrote to memory of 3656	1760	chrome.exe	88
PID 1760 wrote to memory of 3656	1760	chrome.exe	88
PID 1760 wrote to memory of 1188	1760	chrome.exe	90
PID 1760 wrote to memory of 1188	1760	chrome.exe	90
PID 1188 wrote to memory of 1196	1188	cmd.exe	92
PID 1188 wrote to memory of 1196	1188	cmd.exe	92
PID 1188 wrote to memory of 1932	1188	cmd.exe	93
PID 1188 wrote to memory of 1932	1188	cmd.exe	93
PID 1188 wrote to memory of 1328	1188	cmd.exe	101
PID 1188 wrote to memory of 1328	1188	cmd.exe	101
PID 1328 wrote to memory of 3884	1328	chrome.exe	102
PID 1328 wrote to memory of 3884	1328	chrome.exe	102
PID 1328 wrote to memory of 4764	1328	chrome.exe	105
PID 1328 wrote to memory of 4764	1328	chrome.exe	105
PID 4764 wrote to memory of 3452	4764	cmd.exe	107
PID 4764 wrote to memory of 3452	4764	cmd.exe	107
PID 4764 wrote to memory of 2444	4764	cmd.exe	108
PID 4764 wrote to memory of 2444	4764	cmd.exe	108
PID 4764 wrote to memory of 3288	4764	cmd.exe	116
PID 4764 wrote to memory of 3288	4764	cmd.exe	116
PID 3288 wrote to memory of 3740	3288	chrome.exe	117
PID 3288 wrote to memory of 3740	3288	chrome.exe	117
PID 3288 wrote to memory of 2500	3288	chrome.exe	120
PID 3288 wrote to memory of 2500	3288	chrome.exe	120
PID 2500 wrote to memory of 512	2500	cmd.exe	122
PID 2500 wrote to memory of 512	2500	cmd.exe	122
PID 2500 wrote to memory of 4796	2500	cmd.exe	123
PID 2500 wrote to memory of 4796	2500	cmd.exe	123
PID 2500 wrote to memory of 4332	2500	cmd.exe	128
PID 2500 wrote to memory of 4332	2500	cmd.exe	128
PID 4332 wrote to memory of 3904	4332	chrome.exe	129
PID 4332 wrote to memory of 3904	4332	chrome.exe	129
PID 4332 wrote to memory of 4636	4332	chrome.exe	132
PID 4332 wrote to memory of 4636	4332	chrome.exe	132
PID 4636 wrote to memory of 4588	4636	cmd.exe	134
PID 4636 wrote to memory of 4588	4636	cmd.exe	134
PID 4636 wrote to memory of 2236	4636	cmd.exe	135
PID 4636 wrote to memory of 2236	4636	cmd.exe	135
PID 4636 wrote to memory of 1428	4636	cmd.exe	137
PID 4636 wrote to memory of 1428	4636	cmd.exe	137
PID 1428 wrote to memory of 760	1428	chrome.exe	138
PID 1428 wrote to memory of 760	1428	chrome.exe	138
PID 1428 wrote to memory of 2776	1428	chrome.exe	141
PID 1428 wrote to memory of 2776	1428	chrome.exe	141
PID 2776 wrote to memory of 3324	2776	cmd.exe	143
PID 2776 wrote to memory of 3324	2776	cmd.exe	143
PID 2776 wrote to memory of 4512	2776	cmd.exe	144
PID 2776 wrote to memory of 4512	2776	cmd.exe	144
PID 2776 wrote to memory of 3960	2776	cmd.exe	146
PID 2776 wrote to memory of 3960	2776	cmd.exe	146
PID 3960 wrote to memory of 1460	3960	chrome.exe	147
PID 3960 wrote to memory of 1460	3960	chrome.exe	147
PID 3960 wrote to memory of 4576	3960	chrome.exe	150
PID 3960 wrote to memory of 4576	3960	chrome.exe	150
PID 4576 wrote to memory of 4440	4576	cmd.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_03778d811f241e83ccad830372313b3c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_03778d811f241e83ccad830372313b3c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3816
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KLZ0EPgISUjQ.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1196
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3884
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psLn8So90Or0.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3452
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G4W7i2exks4O.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zI55rynk0EjX.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hdVCDuiRBAPj.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6lOa4KSi9kQi.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\crwmT8BYfqoY.bat" "
        16⤵
        
        PID:404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4100
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuuvY8eipH6A.bat" "
        18⤵
        
        PID:1436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2008
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PRZcvr9raq5k.bat" "
        20⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:612
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgLy71FfZrvB.bat" "
        22⤵
        
        PID:1864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4028
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2qB6VxBTUHFW.bat" "
        24⤵
        
        PID:4024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2876
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KejyVIqdhw7f.bat" "
        26⤵
        
        PID:2228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZSaTWzufzUL8.bat" "
        28⤵
        
        PID:4036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5080
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\82MSmJ7IopSW.bat" "
        30⤵
        
        PID:4032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery