quasar | c846b98acb1e0423fa8b07228f06e3816cd0d5c8c076ff8c847622731aec5562

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 17 IoCs

pid	Process
780	chrome.exe
1052	S^X.exe
4836	chrome.exe
4196	chrome.exe
3016	chrome.exe
2124	chrome.exe
4400	chrome.exe
1148	chrome.exe
4436	chrome.exe
1556	chrome.exe
1224	chrome.exe
4872	chrome.exe
1304	chrome.exe
1524	chrome.exe
1960	chrome.exe
1432	chrome.exe
780	chrome.exe

Loads dropped DLL 1 IoCs

pid	Process
4596	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0007000000023c59-6.dat	themida
behavioral2/memory/4596-10-0x0000000073140000-0x0000000073748000-memory.dmp	themida
behavioral2/memory/4596-11-0x0000000073140000-0x0000000073748000-memory.dmp	themida
behavioral2/memory/4596-13-0x0000000073140000-0x0000000073748000-memory.dmp	themida
behavioral2/memory/4596-39-0x0000000073140000-0x0000000073748000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4596	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4688	PING.EXE
1724	PING.EXE
3908	PING.EXE
2708	PING.EXE
2072	PING.EXE
3212	PING.EXE
4372	PING.EXE
3196	PING.EXE
4780	PING.EXE
2120	PING.EXE
3984	PING.EXE
4636	PING.EXE
5080	PING.EXE
3984	PING.EXE
4996	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
4372	PING.EXE
2120	PING.EXE
3984	PING.EXE
5080	PING.EXE
4996	PING.EXE
2072	PING.EXE
3212	PING.EXE
4780	PING.EXE
3196	PING.EXE
4636	PING.EXE
1724	PING.EXE
2708	PING.EXE
4688	PING.EXE
3984	PING.EXE
3908	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3344	schtasks.exe
3196	schtasks.exe
4688	schtasks.exe
468	schtasks.exe
3104	schtasks.exe
1288	schtasks.exe
4696	schtasks.exe
1684	schtasks.exe
3160	schtasks.exe
3064	schtasks.exe
3160	schtasks.exe
3492	schtasks.exe
2692	schtasks.exe
4556	schtasks.exe
4592	schtasks.exe
1520	schtasks.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	chrome.exe
Token: SeDebugPrivilege	4836	chrome.exe
Token: SeDebugPrivilege	1052	S^X.exe
Token: SeDebugPrivilege	4196	chrome.exe
Token: SeDebugPrivilege	3016	chrome.exe
Token: SeDebugPrivilege	2124	chrome.exe
Token: SeDebugPrivilege	4400	chrome.exe
Token: SeDebugPrivilege	1148	chrome.exe
Token: SeDebugPrivilege	4436	chrome.exe
Token: SeDebugPrivilege	1556	chrome.exe
Token: SeDebugPrivilege	1224	chrome.exe
Token: SeDebugPrivilege	4872	chrome.exe
Token: SeDebugPrivilege	1304	chrome.exe
Token: SeDebugPrivilege	1524	chrome.exe
Token: SeDebugPrivilege	1960	chrome.exe
Token: SeDebugPrivilege	1432	chrome.exe
Token: SeDebugPrivilege	780	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 780	4596	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	83
PID 4596 wrote to memory of 780	4596	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	83
PID 4596 wrote to memory of 1052	4596	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	84
PID 4596 wrote to memory of 1052	4596	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	84
PID 4596 wrote to memory of 1052	4596	JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe	84
PID 780 wrote to memory of 2692	780	chrome.exe	85
PID 780 wrote to memory of 2692	780	chrome.exe	85
PID 780 wrote to memory of 4836	780	chrome.exe	87
PID 780 wrote to memory of 4836	780	chrome.exe	87
PID 4836 wrote to memory of 3160	4836	chrome.exe	88
PID 4836 wrote to memory of 3160	4836	chrome.exe	88
PID 4836 wrote to memory of 2112	4836	chrome.exe	90
PID 4836 wrote to memory of 2112	4836	chrome.exe	90
PID 2112 wrote to memory of 3320	2112	cmd.exe	92
PID 2112 wrote to memory of 3320	2112	cmd.exe	92
PID 2112 wrote to memory of 3196	2112	cmd.exe	93
PID 2112 wrote to memory of 3196	2112	cmd.exe	93
PID 2112 wrote to memory of 4196	2112	cmd.exe	104
PID 2112 wrote to memory of 4196	2112	cmd.exe	104
PID 4196 wrote to memory of 468	4196	chrome.exe	105
PID 4196 wrote to memory of 468	4196	chrome.exe	105
PID 4196 wrote to memory of 4904	4196	chrome.exe	108
PID 4196 wrote to memory of 4904	4196	chrome.exe	108
PID 4904 wrote to memory of 3052	4904	cmd.exe	110
PID 4904 wrote to memory of 3052	4904	cmd.exe	110
PID 4904 wrote to memory of 2708	4904	cmd.exe	111
PID 4904 wrote to memory of 2708	4904	cmd.exe	111
PID 4904 wrote to memory of 3016	4904	cmd.exe	117
PID 4904 wrote to memory of 3016	4904	cmd.exe	117
PID 3016 wrote to memory of 3064	3016	chrome.exe	118
PID 3016 wrote to memory of 3064	3016	chrome.exe	118
PID 3016 wrote to memory of 2484	3016	chrome.exe	121
PID 3016 wrote to memory of 2484	3016	chrome.exe	121
PID 2484 wrote to memory of 3408	2484	cmd.exe	123
PID 2484 wrote to memory of 3408	2484	cmd.exe	123
PID 2484 wrote to memory of 4636	2484	cmd.exe	124
PID 2484 wrote to memory of 4636	2484	cmd.exe	124
PID 2484 wrote to memory of 2124	2484	cmd.exe	129
PID 2484 wrote to memory of 2124	2484	cmd.exe	129
PID 2124 wrote to memory of 3160	2124	chrome.exe	130
PID 2124 wrote to memory of 3160	2124	chrome.exe	130
PID 2124 wrote to memory of 4644	2124	chrome.exe	133
PID 2124 wrote to memory of 4644	2124	chrome.exe	133
PID 4644 wrote to memory of 1816	4644	cmd.exe	135
PID 4644 wrote to memory of 1816	4644	cmd.exe	135
PID 4644 wrote to memory of 5080	4644	cmd.exe	136
PID 4644 wrote to memory of 5080	4644	cmd.exe	136
PID 4644 wrote to memory of 4400	4644	cmd.exe	138
PID 4644 wrote to memory of 4400	4644	cmd.exe	138
PID 4400 wrote to memory of 3104	4400	chrome.exe	139
PID 4400 wrote to memory of 3104	4400	chrome.exe	139
PID 4400 wrote to memory of 1120	4400	chrome.exe	141
PID 4400 wrote to memory of 1120	4400	chrome.exe	141
PID 1120 wrote to memory of 4512	1120	cmd.exe	144
PID 1120 wrote to memory of 4512	1120	cmd.exe	144
PID 1120 wrote to memory of 3984	1120	cmd.exe	145
PID 1120 wrote to memory of 3984	1120	cmd.exe	145
PID 1120 wrote to memory of 1148	1120	cmd.exe	147
PID 1120 wrote to memory of 1148	1120	cmd.exe	147
PID 1148 wrote to memory of 3344	1148	chrome.exe	148
PID 1148 wrote to memory of 3344	1148	chrome.exe	148
PID 1148 wrote to memory of 4356	1148	chrome.exe	151
PID 1148 wrote to memory of 4356	1148	chrome.exe	151
PID 4356 wrote to memory of 3432	4356	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc341a4899e1a077f128b79dbe296954.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Roaming\chrome.exe
  "C:\Users\Admin\AppData\Roaming\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2692
- - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MQR4WBHyc0XH.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3320
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3196
    - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:468
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0yWgT4NDF3QS.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tN0KUOSeOwmt.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4636
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i40aDUH66iKL.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5080
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J0b3s9Z7HI9I.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3984
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HLfFJv4jJcA6.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3432
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jk1Wx3e5G4dX.bat" "
        16⤵
        
        PID:4260
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4996
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S6Bq3E2aMcBs.bat" "
        18⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3212
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mVLoAA55Emnr.bat" "
        20⤵
        
        PID:2252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:5080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4688
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiI925zhJI4t.bat" "
        22⤵
        
        PID:3468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I1cIot23c9Pk.bat" "
        24⤵
        
        PID:1824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4372
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9i9qiLQcLGND.bat" "
        26⤵
        
        PID:1280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4780
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D1vQWTQfUg8x.bat" "
        28⤵
        
        PID:1312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmCoTm7DEJGj.bat" "
        30⤵
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:2524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3908
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LX4L7NUYnKys.bat" "
        32⤵
        
        PID:1264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3984
- C:\Users\Admin\AppData\Local\Temp\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery