quasar | ccd4b2ba4cea6ac4ea648e58cbe9ca9cd48f512a1df7414cad6c9ff602c6c688

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 17 IoCs

pid	Process
2676	chrome.exe
1656	S^X.exe
1496	chrome.exe
4136	chrome.exe
3796	chrome.exe
4192	chrome.exe
3136	chrome.exe
2980	chrome.exe
2556	chrome.exe
4916	chrome.exe
3064	chrome.exe
392	chrome.exe
4148	chrome.exe
1636	chrome.exe
3944	chrome.exe
3520	chrome.exe
640	chrome.exe

Loads dropped DLL 1 IoCs

pid	Process
4420	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000e000000023bae-8.dat	themida
behavioral2/memory/4420-10-0x0000000072B90000-0x0000000073198000-memory.dmp	themida
behavioral2/memory/4420-11-0x0000000072B90000-0x0000000073198000-memory.dmp	themida
behavioral2/memory/4420-12-0x0000000072B90000-0x0000000073198000-memory.dmp	themida
behavioral2/memory/4420-40-0x0000000072B90000-0x0000000073198000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4420	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2092	PING.EXE
4384	PING.EXE
2128	PING.EXE
4076	PING.EXE
5056	PING.EXE
4980	PING.EXE
3736	PING.EXE
3196	PING.EXE
3940	PING.EXE
1988	PING.EXE
3784	PING.EXE
3972	PING.EXE
3524	PING.EXE
924	PING.EXE
3408	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
3940	PING.EXE
3408	PING.EXE
4076	PING.EXE
3196	PING.EXE
2128	PING.EXE
5056	PING.EXE
1988	PING.EXE
4384	PING.EXE
3524	PING.EXE
3784	PING.EXE
3972	PING.EXE
924	PING.EXE
2092	PING.EXE
4980	PING.EXE
3736	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3000	schtasks.exe
5024	schtasks.exe
4900	schtasks.exe
4272	schtasks.exe
876	schtasks.exe
1304	schtasks.exe
1228	schtasks.exe
4368	schtasks.exe
4316	schtasks.exe
4288	schtasks.exe
4048	schtasks.exe
1800	schtasks.exe
3404	schtasks.exe
1304	schtasks.exe
3540	schtasks.exe
2032	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	chrome.exe
Token: SeDebugPrivilege	1496	chrome.exe
Token: SeDebugPrivilege	1656	S^X.exe
Token: SeDebugPrivilege	4136	chrome.exe
Token: SeDebugPrivilege	3796	chrome.exe
Token: SeDebugPrivilege	4192	chrome.exe
Token: SeDebugPrivilege	3136	chrome.exe
Token: SeDebugPrivilege	2980	chrome.exe
Token: SeDebugPrivilege	2556	chrome.exe
Token: SeDebugPrivilege	4916	chrome.exe
Token: SeDebugPrivilege	3064	chrome.exe
Token: SeDebugPrivilege	392	chrome.exe
Token: SeDebugPrivilege	4148	chrome.exe
Token: SeDebugPrivilege	1636	chrome.exe
Token: SeDebugPrivilege	3944	chrome.exe
Token: SeDebugPrivilege	3520	chrome.exe
Token: SeDebugPrivilege	640	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2676	4420	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	82
PID 4420 wrote to memory of 2676	4420	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	82
PID 4420 wrote to memory of 1656	4420	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	83
PID 4420 wrote to memory of 1656	4420	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	83
PID 4420 wrote to memory of 1656	4420	JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe	83
PID 2676 wrote to memory of 3404	2676	chrome.exe	84
PID 2676 wrote to memory of 3404	2676	chrome.exe	84
PID 2676 wrote to memory of 1496	2676	chrome.exe	86
PID 2676 wrote to memory of 1496	2676	chrome.exe	86
PID 1496 wrote to memory of 3000	1496	chrome.exe	87
PID 1496 wrote to memory of 3000	1496	chrome.exe	87
PID 1496 wrote to memory of 812	1496	chrome.exe	89
PID 1496 wrote to memory of 812	1496	chrome.exe	89
PID 812 wrote to memory of 628	812	cmd.exe	91
PID 812 wrote to memory of 628	812	cmd.exe	91
PID 812 wrote to memory of 3940	812	cmd.exe	92
PID 812 wrote to memory of 3940	812	cmd.exe	92
PID 812 wrote to memory of 4136	812	cmd.exe	93
PID 812 wrote to memory of 4136	812	cmd.exe	93
PID 4136 wrote to memory of 1304	4136	chrome.exe	94
PID 4136 wrote to memory of 1304	4136	chrome.exe	94
PID 4136 wrote to memory of 4884	4136	chrome.exe	96
PID 4136 wrote to memory of 4884	4136	chrome.exe	96
PID 4884 wrote to memory of 2824	4884	cmd.exe	98
PID 4884 wrote to memory of 2824	4884	cmd.exe	98
PID 4884 wrote to memory of 3408	4884	cmd.exe	99
PID 4884 wrote to memory of 3408	4884	cmd.exe	99
PID 4884 wrote to memory of 3796	4884	cmd.exe	105
PID 4884 wrote to memory of 3796	4884	cmd.exe	105
PID 3796 wrote to memory of 5024	3796	chrome.exe	106
PID 3796 wrote to memory of 5024	3796	chrome.exe	106
PID 3796 wrote to memory of 3200	3796	chrome.exe	108
PID 3796 wrote to memory of 3200	3796	chrome.exe	108
PID 3200 wrote to memory of 820	3200	cmd.exe	110
PID 3200 wrote to memory of 820	3200	cmd.exe	110
PID 3200 wrote to memory of 2128	3200	cmd.exe	111
PID 3200 wrote to memory of 2128	3200	cmd.exe	111
PID 3200 wrote to memory of 4192	3200	cmd.exe	115
PID 3200 wrote to memory of 4192	3200	cmd.exe	115
PID 4192 wrote to memory of 4288	4192	chrome.exe	116
PID 4192 wrote to memory of 4288	4192	chrome.exe	116
PID 4192 wrote to memory of 1612	4192	chrome.exe	118
PID 4192 wrote to memory of 1612	4192	chrome.exe	118
PID 1612 wrote to memory of 2660	1612	cmd.exe	121
PID 1612 wrote to memory of 2660	1612	cmd.exe	121
PID 1612 wrote to memory of 4076	1612	cmd.exe	122
PID 1612 wrote to memory of 4076	1612	cmd.exe	122
PID 1612 wrote to memory of 3136	1612	cmd.exe	123
PID 1612 wrote to memory of 3136	1612	cmd.exe	123
PID 3136 wrote to memory of 4900	3136	chrome.exe	124
PID 3136 wrote to memory of 4900	3136	chrome.exe	124
PID 3136 wrote to memory of 4524	3136	chrome.exe	126
PID 3136 wrote to memory of 4524	3136	chrome.exe	126
PID 4524 wrote to memory of 5084	4524	cmd.exe	128
PID 4524 wrote to memory of 5084	4524	cmd.exe	128
PID 4524 wrote to memory of 4384	4524	cmd.exe	129
PID 4524 wrote to memory of 4384	4524	cmd.exe	129
PID 4524 wrote to memory of 2980	4524	cmd.exe	130
PID 4524 wrote to memory of 2980	4524	cmd.exe	130
PID 2980 wrote to memory of 3540	2980	chrome.exe	131
PID 2980 wrote to memory of 3540	2980	chrome.exe	131
PID 2980 wrote to memory of 4848	2980	chrome.exe	133
PID 2980 wrote to memory of 4848	2980	chrome.exe	133
PID 4848 wrote to memory of 1344	4848	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c843791f7a693c418b162ccd993b997.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3404
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n2Ajv2vu1HOE.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:628
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3940
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4136
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kIaxSzIyza7u.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3408
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKMvtoWRYayM.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:820
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VEtdqs8hNA8D.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4076
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LPMoKOMyjflj.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4384
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fc7cTrokSUSF.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5056
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PKFzeHYPsn16.bat" "
        16⤵
        
        PID:2496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3784
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WNNGyvi6Vckf.bat" "
        18⤵
        
        PID:4216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3972
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4jNu96FUlORM.bat" "
        20⤵
        
        PID:1116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3256
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3524
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UglxqMUnq24L.bat" "
        22⤵
        
        PID:4432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qG23N4rQQO5p.bat" "
        24⤵
        
        PID:3172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2zDfdlIbw3q4.bat" "
        26⤵
        
        PID:4600
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:4424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1988
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M8KwrclN7Ssl.bat" "
        28⤵
        
        PID:1304
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuFExigmnkx9.bat" "
        30⤵
        
        PID:3408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w6e1PgdFwUFf.bat" "
        32⤵
        
        PID:4756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:3904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3196
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery