quasar | b4becc32cef140dcc804424b9c4e030a1ce245b13e7f1baeca854b8897f2df5f

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AVB.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AVB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AVB.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	AVB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	chrome.exe

Executes dropped EXE 18 IoCs

pid	Process
5108	AVB.exe
3344	chrome.exe
556	S^X.exe
4444	chrome.exe
2188	chrome.exe
1336	chrome.exe
1992	chrome.exe
2688	chrome.exe
4588	chrome.exe
936	chrome.exe
4924	chrome.exe
1800	chrome.exe
4860	chrome.exe
4512	chrome.exe
2400	chrome.exe
2276	chrome.exe
1264	chrome.exe
2472	chrome.exe

Loads dropped DLL 3 IoCs

pid	Process
4164	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
5108	AVB.exe
5108	AVB.exe

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x000b000000023b5c-19.dat	agile_net
behavioral2/memory/5108-30-0x0000000000D20000-0x0000000001870000-memory.dmp	agile_net
behavioral2/memory/5108-44-0x00000000065E0000-0x0000000006BF2000-memory.dmp	agile_net
behavioral2/memory/5108-63-0x00000000065E0000-0x0000000006BEC000-memory.dmp	agile_net
behavioral2/memory/5108-69-0x00000000065E0000-0x0000000006BEC000-memory.dmp	agile_net
behavioral2/memory/5108-65-0x00000000065E0000-0x0000000006BEC000-memory.dmp	agile_net
behavioral2/memory/5108-67-0x00000000065E0000-0x0000000006BEC000-memory.dmp	agile_net
behavioral2/memory/5108-62-0x00000000065E0000-0x0000000006BEC000-memory.dmp	agile_net

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000a000000023b5f-6.dat	themida
behavioral2/memory/4164-10-0x0000000072570000-0x0000000072B78000-memory.dmp	themida
behavioral2/memory/4164-12-0x0000000072570000-0x0000000072B78000-memory.dmp	themida
behavioral2/memory/4164-13-0x0000000072570000-0x0000000072B78000-memory.dmp	themida
behavioral2/memory/4164-27-0x0000000072570000-0x0000000072B78000-memory.dmp	themida
behavioral2/memory/5108-39-0x0000000073AD0000-0x00000000740D8000-memory.dmp	themida
behavioral2/memory/5108-41-0x0000000073AD0000-0x00000000740D8000-memory.dmp	themida
behavioral2/memory/5108-42-0x0000000073AD0000-0x00000000740D8000-memory.dmp	themida
behavioral2/memory/5108-52-0x0000000073470000-0x0000000073A78000-memory.dmp	themida
behavioral2/memory/5108-53-0x0000000073470000-0x0000000073A78000-memory.dmp	themida
behavioral2/memory/5108-55-0x0000000073470000-0x0000000073A78000-memory.dmp	themida
behavioral2/memory/5108-94-0x0000000073AD0000-0x00000000740D8000-memory.dmp	themida
behavioral2/memory/5108-97-0x0000000073470000-0x0000000073A78000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AVB.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4164	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
5108	AVB.exe
5108	AVB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AVB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2912	PING.EXE
2512	PING.EXE
2648	PING.EXE
4528	PING.EXE
3932	PING.EXE
3252	PING.EXE
5040	PING.EXE
880	PING.EXE
812	PING.EXE
3460	PING.EXE
2444	PING.EXE
4736	PING.EXE
1136	PING.EXE
2292	PING.EXE
1576	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2512	PING.EXE
5040	PING.EXE
1136	PING.EXE
812	PING.EXE
3252	PING.EXE
4736	PING.EXE
4528	PING.EXE
2912	PING.EXE
3932	PING.EXE
1576	PING.EXE
2444	PING.EXE
880	PING.EXE
2648	PING.EXE
2292	PING.EXE
3460	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4556	schtasks.exe
2080	schtasks.exe
2980	schtasks.exe
1384	schtasks.exe
2288	schtasks.exe
2156	schtasks.exe
3160	schtasks.exe
4388	schtasks.exe
4600	schtasks.exe
5088	schtasks.exe
4544	schtasks.exe
2008	schtasks.exe
2652	schtasks.exe
1204	schtasks.exe
2324	schtasks.exe
3548	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3344	chrome.exe
Token: SeDebugPrivilege	4444	chrome.exe
Token: SeDebugPrivilege	556	S^X.exe
Token: SeDebugPrivilege	2188	chrome.exe
Token: SeDebugPrivilege	1336	chrome.exe
Token: SeDebugPrivilege	1992	chrome.exe
Token: SeDebugPrivilege	2688	chrome.exe
Token: SeDebugPrivilege	4588	chrome.exe
Token: SeDebugPrivilege	936	chrome.exe
Token: SeDebugPrivilege	4924	chrome.exe
Token: SeDebugPrivilege	4860	chrome.exe
Token: SeDebugPrivilege	4512	chrome.exe
Token: SeDebugPrivilege	2400	chrome.exe
Token: SeDebugPrivilege	2276	chrome.exe
Token: SeDebugPrivilege	1264	chrome.exe
Token: SeDebugPrivilege	2472	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 5108	4164	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe	82
PID 4164 wrote to memory of 5108	4164	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe	82
PID 4164 wrote to memory of 5108	4164	JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe	82
PID 5108 wrote to memory of 3344	5108	AVB.exe	83
PID 5108 wrote to memory of 3344	5108	AVB.exe	83
PID 5108 wrote to memory of 556	5108	AVB.exe	84
PID 5108 wrote to memory of 556	5108	AVB.exe	84
PID 5108 wrote to memory of 556	5108	AVB.exe	84
PID 3344 wrote to memory of 5088	3344	chrome.exe	85
PID 3344 wrote to memory of 5088	3344	chrome.exe	85
PID 3344 wrote to memory of 4444	3344	chrome.exe	87
PID 3344 wrote to memory of 4444	3344	chrome.exe	87
PID 4444 wrote to memory of 4544	4444	chrome.exe	88
PID 4444 wrote to memory of 4544	4444	chrome.exe	88
PID 4444 wrote to memory of 4508	4444	chrome.exe	90
PID 4444 wrote to memory of 4508	4444	chrome.exe	90
PID 4508 wrote to memory of 4076	4508	cmd.exe	92
PID 4508 wrote to memory of 4076	4508	cmd.exe	92
PID 4508 wrote to memory of 2512	4508	cmd.exe	93
PID 4508 wrote to memory of 2512	4508	cmd.exe	93
PID 4508 wrote to memory of 2188	4508	cmd.exe	94
PID 4508 wrote to memory of 2188	4508	cmd.exe	94
PID 2188 wrote to memory of 4556	2188	chrome.exe	95
PID 2188 wrote to memory of 4556	2188	chrome.exe	95
PID 2188 wrote to memory of 2604	2188	chrome.exe	97
PID 2188 wrote to memory of 2604	2188	chrome.exe	97
PID 2604 wrote to memory of 1968	2604	cmd.exe	99
PID 2604 wrote to memory of 1968	2604	cmd.exe	99
PID 2604 wrote to memory of 5040	2604	cmd.exe	100
PID 2604 wrote to memory of 5040	2604	cmd.exe	100
PID 2604 wrote to memory of 1336	2604	cmd.exe	108
PID 2604 wrote to memory of 1336	2604	cmd.exe	108
PID 1336 wrote to memory of 2156	1336	chrome.exe	109
PID 1336 wrote to memory of 2156	1336	chrome.exe	109
PID 1336 wrote to memory of 1744	1336	chrome.exe	111
PID 1336 wrote to memory of 1744	1336	chrome.exe	111
PID 1744 wrote to memory of 3648	1744	cmd.exe	113
PID 1744 wrote to memory of 3648	1744	cmd.exe	113
PID 1744 wrote to memory of 2444	1744	cmd.exe	114
PID 1744 wrote to memory of 2444	1744	cmd.exe	114
PID 1744 wrote to memory of 1992	1744	cmd.exe	117
PID 1744 wrote to memory of 1992	1744	cmd.exe	117
PID 1992 wrote to memory of 2080	1992	chrome.exe	118
PID 1992 wrote to memory of 2080	1992	chrome.exe	118
PID 1992 wrote to memory of 3208	1992	chrome.exe	120
PID 1992 wrote to memory of 3208	1992	chrome.exe	120
PID 3208 wrote to memory of 2248	3208	cmd.exe	122
PID 3208 wrote to memory of 2248	3208	cmd.exe	122
PID 3208 wrote to memory of 880	3208	cmd.exe	123
PID 3208 wrote to memory of 880	3208	cmd.exe	123
PID 3208 wrote to memory of 2688	3208	cmd.exe	124
PID 3208 wrote to memory of 2688	3208	cmd.exe	124
PID 2688 wrote to memory of 2008	2688	chrome.exe	125
PID 2688 wrote to memory of 2008	2688	chrome.exe	125
PID 2688 wrote to memory of 5020	2688	chrome.exe	127
PID 2688 wrote to memory of 5020	2688	chrome.exe	127
PID 5020 wrote to memory of 5092	5020	cmd.exe	129
PID 5020 wrote to memory of 5092	5020	cmd.exe	129
PID 5020 wrote to memory of 4736	5020	cmd.exe	130
PID 5020 wrote to memory of 4736	5020	cmd.exe	130
PID 5020 wrote to memory of 4588	5020	cmd.exe	131
PID 5020 wrote to memory of 4588	5020	cmd.exe	131
PID 4588 wrote to memory of 2652	4588	chrome.exe	132
PID 4588 wrote to memory of 2652	4588	chrome.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfa43d929d93cd09310d9dbdb6ad082d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Roaming\AVB.exe
  "C:\Users\Admin\AppData\Roaming\AVB.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Roaming\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3344
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5088
  - - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
      "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\89lH4HfJcop8.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4076
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2512
      - C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3nlPMvODwQgF.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1968
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WjnYNtc83Wyq.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PbxdosbVTTd5.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:880
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pUei9dZdyY0x.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VtaYE2G5BTPu.bat" "
        15⤵
        
        PID:4020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1136
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x8Hq4xC0QjuC.bat" "
        17⤵
        
        PID:4892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:4496
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKzKHneDNaut.bat" "
        19⤵
        
        PID:3620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2292
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lZw6luEFnHIo.bat" "
        21⤵
        
        PID:788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:812
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7S2LM7NMTtvn.bat" "
        23⤵
        
        PID:2468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vxp29kr1Irl8.bat" "
        25⤵
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3460
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9klJTrW2uNXv.bat" "
        27⤵
        
        PID:1692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9VC1pHiAzusp.bat" "
        29⤵
        
        PID:112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3932
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awegb9dcZ8mw.bat" "
        31⤵
        
        PID:1004
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1160
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3252
        
        C:\Users\Admin\AppData\Roaming\chrome\chrome.exe
        
        "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\chrome\chrome.exe" /rl HIGHEST /f
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mbQ1tXkDQId9.bat" "
        33⤵
        
        PID:1652
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:3692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1576
- - C:\Users\Admin\AppData\Local\Temp\S^X.exe
    "C:\Users\Admin\AppData\Local\Temp\S^X.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery