diamondfox | fe4a1fc042da484adda7fdacd0b007025a73df4a836da7411f6082357cdfc684

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Windows security bypass 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	explorer.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\\explorer.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe

Deletes itself 1 IoCs

pid	Process
696	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2836	chml.exe
2596	chml.exe
2416	explorer.exe
1952	chml.exe
1284	chml.exe
696	explorer.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1872	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
1872	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe

Windows security modification 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\\explorer.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
2416	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 1872	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	46
PID 2416 set thread context of 696	2416	explorer.exe	66

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\chml.exe	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setx.exe

Kills process with taskkill 1 IoCs

pid	Process
1920	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2916	schtasks.exe
2616	schtasks.exe
1312	schtasks.exe
2928	schtasks.exe
2168	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs

pid	Process
2836	chml.exe
2596	chml.exe
1952	chml.exe
1284	chml.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
2416	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
1872	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
2416	explorer.exe
696	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2984	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2984	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2984	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2984	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	30
PID 1856 wrote to memory of 2168	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	32
PID 1856 wrote to memory of 2168	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	32
PID 1856 wrote to memory of 2168	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	32
PID 1856 wrote to memory of 2168	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	32
PID 1856 wrote to memory of 2916	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	34
PID 1856 wrote to memory of 2916	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	34
PID 1856 wrote to memory of 2916	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	34
PID 1856 wrote to memory of 2916	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	34
PID 1856 wrote to memory of 2696	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	37
PID 1856 wrote to memory of 2696	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	37
PID 1856 wrote to memory of 2696	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	37
PID 1856 wrote to memory of 2696	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	37
PID 2696 wrote to memory of 2932	2696	cmd.exe	39
PID 2696 wrote to memory of 2932	2696	cmd.exe	39
PID 2696 wrote to memory of 2932	2696	cmd.exe	39
PID 2696 wrote to memory of 2932	2696	cmd.exe	39
PID 2940 wrote to memory of 2852	2940	taskeng.exe	41
PID 2940 wrote to memory of 2852	2940	taskeng.exe	41
PID 2940 wrote to memory of 2852	2940	taskeng.exe	41
PID 2852 wrote to memory of 2836	2852	cmd.exe	43
PID 2852 wrote to memory of 2836	2852	cmd.exe	43
PID 2852 wrote to memory of 2836	2852	cmd.exe	43
PID 2852 wrote to memory of 2836	2852	cmd.exe	43
PID 2852 wrote to memory of 2596	2852	cmd.exe	44
PID 2852 wrote to memory of 2596	2852	cmd.exe	44
PID 2852 wrote to memory of 2596	2852	cmd.exe	44
PID 2852 wrote to memory of 2596	2852	cmd.exe	44
PID 1856 wrote to memory of 2648	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	45
PID 1856 wrote to memory of 2648	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	45
PID 1856 wrote to memory of 2648	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	45
PID 1856 wrote to memory of 2648	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	45
PID 1856 wrote to memory of 1872	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	46
PID 1856 wrote to memory of 1872	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	46
PID 1856 wrote to memory of 1872	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	46
PID 1856 wrote to memory of 1872	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	46
PID 1856 wrote to memory of 1872	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	46
PID 1856 wrote to memory of 1872	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	46
PID 1856 wrote to memory of 1872	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	46
PID 1856 wrote to memory of 1872	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	46
PID 1856 wrote to memory of 1872	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	46
PID 1856 wrote to memory of 2332	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	47
PID 1856 wrote to memory of 2332	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	47
PID 1856 wrote to memory of 2332	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	47
PID 1856 wrote to memory of 2332	1856	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	47
PID 1872 wrote to memory of 2416	1872	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	51
PID 1872 wrote to memory of 2416	1872	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	51
PID 1872 wrote to memory of 2416	1872	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	51
PID 1872 wrote to memory of 2416	1872	2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe	51
PID 2416 wrote to memory of 1032	2416	explorer.exe	52
PID 2416 wrote to memory of 1032	2416	explorer.exe	52
PID 2416 wrote to memory of 1032	2416	explorer.exe	52
PID 2416 wrote to memory of 1032	2416	explorer.exe	52
PID 2416 wrote to memory of 2616	2416	explorer.exe	54
PID 2416 wrote to memory of 2616	2416	explorer.exe	54
PID 2416 wrote to memory of 2616	2416	explorer.exe	54
PID 2416 wrote to memory of 2616	2416	explorer.exe	54
PID 2416 wrote to memory of 1312	2416	explorer.exe	55
PID 2416 wrote to memory of 1312	2416	explorer.exe	55
PID 2416 wrote to memory of 1312	2416	explorer.exe	55
PID 2416 wrote to memory of 1312	2416	explorer.exe	55

System policy modification 1 TTPs 2 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

C:\Users\Admin\AppData\Local\Temp\2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\reg.exe
  reg add "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED" /v EnableBalloonTips /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /TN tmp7445 /TR "'C:\Users\Admin\AppData\Roaming\{TKPT-J8CU-U77L-YU2M-UMTD-9JWL}\tmp7445.exe' /Installed" /sc ONLOGON /RL HIGHEST /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2168
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /RU SYSTEM /TN Protect /TR "'C:\Users\Admin\AppData\Local\Temp\Protect.bat' " /sc once /ST 00:00:00 /RL HIGHEST /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c schtasks /Run /TN Protect
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /TN Protect
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /TN Protect /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\2aff6bd9dfb80c1ac34180e17ccc9c24_JaffaCakes118.exe
  /Installed
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\explorer.exe
    C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\explorer.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED" /v EnableBalloonTips /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1032
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /TN tmp7445 /TR "'C:\Users\Admin\AppData\Roaming\{TKPT-J8CU-U77L-YU2M-UMTD-9JWL}\tmp7445.exe' /Installed" /sc ONLOGON /RL HIGHEST /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2616
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /RU SYSTEM /TN Protect /TR "'C:\Users\Admin\AppData\Local\Temp\Protect.bat' " /sc once /ST 00:00:00 /RL HIGHEST /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c schtasks /Run /TN Protect
      4⤵
      System Location Discovery: System Language Discovery
      PID:408
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /TN Protect
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /TN Protect /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1956
  - - C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\explorer.exe
      /Installed
      4⤵
      UAC bypass
      Windows security bypass
      Adds policy Run key to start application
      Deletes itself
      Drops startup file
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:696
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /IM wscript.exe /F
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc ONLOGON /tn explorer.exe /tr "C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\explorer.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2928
  - - C:\Windows\SysWOW64\setx.exe
      setx.exe ProgramData "C:\ProgramData"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\BD658C07.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- C:\Windows\SysWOW64\setx.exe
  setx.exe ProgramData "C:\ProgramData"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332

C:\Windows\system32\taskeng.exe
taskeng.exe {14552175-1E57-4D1E-AAB0-11F4E112998E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Protect.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\chml.exe
    C:\Windows\chml.exe "C:\Users\Admin\AppData\Roaming\{TKPT-J8CU-U77L-YU2M-UMTD-9JWL}" -pass2 -ps:S:(ML;OICI;NRNXNW;;;SI)
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2836
- - C:\Windows\chml.exe
    C:\Windows\chml.exe "C:\Users\Admin\AppData\Roaming\{TKPT-J8CU-U77L-YU2M-UMTD-9JWL}\tmp7445.exe" -pass2 -ps:S:(ML;OICI;NW;;;SI)
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2596
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Protect.bat"
  2⤵
  PID:3020
- - C:\Windows\chml.exe
    C:\Windows\chml.exe "C:\Users\Admin\AppData\Roaming\{TKPT-J8CU-U77L-YU2M-UMTD-9JWL}" -pass2 -ps:S:(ML;OICI;NRNXNW;;;SI)
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1952
- - C:\Windows\chml.exe
    C:\Windows\chml.exe "C:\Users\Admin\AppData\Roaming\{TKPT-J8CU-U77L-YU2M-UMTD-9JWL}\tmp7445.exe" -pass2 -ps:S:(ML;OICI;NW;;;SI)
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion