quasar | 27810441ae1cf22aff376877945394e6430f4e8a0ce907f809880e173a851d35

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 17 IoCs

pid	Process
2256	chrome.exe
1188	S^X.exe
2476	chrome.exe
3128	chrome.exe
2404	chrome.exe
1004	chrome.exe
2876	chrome.exe
876	chrome.exe
316	chrome.exe
4120	chrome.exe
1452	chrome.exe
836	chrome.exe
404	chrome.exe
1476	chrome.exe
3632	chrome.exe
4280	chrome.exe
1424	chrome.exe

Loads dropped DLL 1 IoCs

pid	Process
4700	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000a000000023b64-8.dat	themida
behavioral2/memory/4700-10-0x0000000072900000-0x0000000072F08000-memory.dmp	themida
behavioral2/memory/4700-12-0x0000000072900000-0x0000000072F08000-memory.dmp	themida
behavioral2/memory/4700-13-0x0000000072900000-0x0000000072F08000-memory.dmp	themida
behavioral2/memory/4700-40-0x0000000072900000-0x0000000072F08000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4700	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3360	PING.EXE
5060	PING.EXE
5044	PING.EXE
3092	PING.EXE
2688	PING.EXE
4968	PING.EXE
4296	PING.EXE
4912	PING.EXE
676	PING.EXE
4060	PING.EXE
3108	PING.EXE
1424	PING.EXE
2536	PING.EXE
2920	PING.EXE
1004	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2536	PING.EXE
2688	PING.EXE
4968	PING.EXE
4912	PING.EXE
676	PING.EXE
3360	PING.EXE
1424	PING.EXE
2920	PING.EXE
4060	PING.EXE
5044	PING.EXE
5060	PING.EXE
4296	PING.EXE
3092	PING.EXE
3108	PING.EXE
1004	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2272	schtasks.exe
4960	schtasks.exe
4784	schtasks.exe
3796	schtasks.exe
3776	schtasks.exe
1108	schtasks.exe
3288	schtasks.exe
3508	schtasks.exe
4120	schtasks.exe
5084	schtasks.exe
3980	schtasks.exe
4008	schtasks.exe
2808	schtasks.exe
3480	schtasks.exe
1976	schtasks.exe
3800	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	chrome.exe
Token: SeDebugPrivilege	2476	chrome.exe
Token: SeDebugPrivilege	1188	S^X.exe
Token: SeDebugPrivilege	3128	chrome.exe
Token: SeDebugPrivilege	2404	chrome.exe
Token: SeDebugPrivilege	1004	chrome.exe
Token: SeDebugPrivilege	2876	chrome.exe
Token: SeDebugPrivilege	876	chrome.exe
Token: SeDebugPrivilege	316	chrome.exe
Token: SeDebugPrivilege	4120	chrome.exe
Token: SeDebugPrivilege	1452	chrome.exe
Token: SeDebugPrivilege	836	chrome.exe
Token: SeDebugPrivilege	404	chrome.exe
Token: SeDebugPrivilege	1476	chrome.exe
Token: SeDebugPrivilege	3632	chrome.exe
Token: SeDebugPrivilege	4280	chrome.exe
Token: SeDebugPrivilege	1424	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 2256	4700	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	83
PID 4700 wrote to memory of 2256	4700	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	83
PID 4700 wrote to memory of 1188	4700	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	84
PID 4700 wrote to memory of 1188	4700	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	84
PID 4700 wrote to memory of 1188	4700	JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe	84
PID 2256 wrote to memory of 3508	2256	chrome.exe	85
PID 2256 wrote to memory of 3508	2256	chrome.exe	85
PID 2256 wrote to memory of 2476	2256	chrome.exe	87
PID 2256 wrote to memory of 2476	2256	chrome.exe	87
PID 2476 wrote to memory of 4120	2476	chrome.exe	88
PID 2476 wrote to memory of 4120	2476	chrome.exe	88
PID 2476 wrote to memory of 2668	2476	chrome.exe	90
PID 2476 wrote to memory of 2668	2476	chrome.exe	90
PID 2668 wrote to memory of 868	2668	cmd.exe	92
PID 2668 wrote to memory of 868	2668	cmd.exe	92
PID 2668 wrote to memory of 676	2668	cmd.exe	93
PID 2668 wrote to memory of 676	2668	cmd.exe	93
PID 2668 wrote to memory of 3128	2668	cmd.exe	96
PID 2668 wrote to memory of 3128	2668	cmd.exe	96
PID 3128 wrote to memory of 3480	3128	chrome.exe	97
PID 3128 wrote to memory of 3480	3128	chrome.exe	97
PID 3128 wrote to memory of 1280	3128	chrome.exe	100
PID 3128 wrote to memory of 1280	3128	chrome.exe	100
PID 1280 wrote to memory of 2324	1280	cmd.exe	102
PID 1280 wrote to memory of 2324	1280	cmd.exe	102
PID 1280 wrote to memory of 4060	1280	cmd.exe	103
PID 1280 wrote to memory of 4060	1280	cmd.exe	103
PID 1280 wrote to memory of 2404	1280	cmd.exe	113
PID 1280 wrote to memory of 2404	1280	cmd.exe	113
PID 2404 wrote to memory of 4960	2404	chrome.exe	114
PID 2404 wrote to memory of 4960	2404	chrome.exe	114
PID 2404 wrote to memory of 1508	2404	chrome.exe	117
PID 2404 wrote to memory of 1508	2404	chrome.exe	117
PID 1508 wrote to memory of 4052	1508	cmd.exe	119
PID 1508 wrote to memory of 4052	1508	cmd.exe	119
PID 1508 wrote to memory of 3360	1508	cmd.exe	120
PID 1508 wrote to memory of 3360	1508	cmd.exe	120
PID 1508 wrote to memory of 1004	1508	cmd.exe	129
PID 1508 wrote to memory of 1004	1508	cmd.exe	129
PID 1004 wrote to memory of 3776	1004	chrome.exe	130
PID 1004 wrote to memory of 3776	1004	chrome.exe	130
PID 1004 wrote to memory of 2724	1004	chrome.exe	133
PID 1004 wrote to memory of 2724	1004	chrome.exe	133
PID 2724 wrote to memory of 2588	2724	cmd.exe	135
PID 2724 wrote to memory of 2588	2724	cmd.exe	135
PID 2724 wrote to memory of 3092	2724	cmd.exe	136
PID 2724 wrote to memory of 3092	2724	cmd.exe	136
PID 2724 wrote to memory of 2876	2724	cmd.exe	138
PID 2724 wrote to memory of 2876	2724	cmd.exe	138
PID 2876 wrote to memory of 1108	2876	chrome.exe	139
PID 2876 wrote to memory of 1108	2876	chrome.exe	139
PID 2876 wrote to memory of 3464	2876	chrome.exe	142
PID 2876 wrote to memory of 3464	2876	chrome.exe	142
PID 3464 wrote to memory of 4032	3464	cmd.exe	144
PID 3464 wrote to memory of 4032	3464	cmd.exe	144
PID 3464 wrote to memory of 2536	3464	cmd.exe	145
PID 3464 wrote to memory of 2536	3464	cmd.exe	145
PID 3464 wrote to memory of 876	3464	cmd.exe	147
PID 3464 wrote to memory of 876	3464	cmd.exe	147
PID 876 wrote to memory of 1976	876	chrome.exe	148
PID 876 wrote to memory of 1976	876	chrome.exe	148
PID 876 wrote to memory of 996	876	chrome.exe	151
PID 876 wrote to memory of 996	876	chrome.exe	151
PID 996 wrote to memory of 2680	996	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_178ea6b2fe4a5d53f40b4c4ef74f7448.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3508
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kOU1HGnUKHAC.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:868
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:676
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3128
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JalL1Rjbvymw.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2324
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4060
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DnCcqCMDNAWy.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3360
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1yFm9ydhw0il.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2588
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x8LwyAXYYUw0.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4032
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2536
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4D8yBHCvQwdK.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3108
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ox01UrlbVNFZ.bat" "
        16⤵
        
        PID:3488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKdhxK3WX72H.bat" "
        18⤵
        
        PID:624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5044
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zjCF0V7zMMPL.bat" "
        20⤵
        
        PID:4300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1424
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3796
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qnEUkWOxqgkh.bat" "
        22⤵
        
        PID:4788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcoSYStZd9fg.bat" "
        24⤵
        
        PID:4740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4968
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VBc961ArAvJc.bat" "
        26⤵
        
        PID:4576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9f0P1EXpkfGK.bat" "
        28⤵
        
        PID:5016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\y332AYIqE2Xo.bat" "
        30⤵
        
        PID:4312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:5112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgiKgnV2PILy.bat" "
        32⤵
        
        PID:1372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4296
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery