quasar | 2602948e0301d266cd808c4b9d8bbe75dee0025686b603b2c321d6e97c5f2cc5

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe

Executes dropped EXE 17 IoCs

pid	Process
4528	Word.exe
860	S^X.exe
1936	Word.exe
3748	Word.exe
4240	Word.exe
1080	Word.exe
4288	Word.exe
2644	Word.exe
2428	Word.exe
3084	Word.exe
2760	Word.exe
916	Word.exe
4024	Word.exe
860	Word.exe
3456	Word.exe
3816	Word.exe
2956	Word.exe

Loads dropped DLL 1 IoCs

pid	Process
3128	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000a000000023b66-6.dat	themida
behavioral2/memory/3128-10-0x00000000733F0000-0x00000000739F8000-memory.dmp	themida
behavioral2/memory/3128-11-0x00000000733F0000-0x00000000739F8000-memory.dmp	themida
behavioral2/memory/3128-13-0x00000000733F0000-0x00000000739F8000-memory.dmp	themida
behavioral2/memory/3128-40-0x00000000733F0000-0x00000000739F8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3128	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4592	860	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S^X.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
764	PING.EXE
3756	PING.EXE
1016	PING.EXE
416	PING.EXE
1756	PING.EXE
2968	PING.EXE
1056	PING.EXE
1860	PING.EXE
3372	PING.EXE
920	PING.EXE
1904	PING.EXE
2580	PING.EXE
2600	PING.EXE
3692	PING.EXE
760	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2968	PING.EXE
2580	PING.EXE
1016	PING.EXE
1860	PING.EXE
1904	PING.EXE
1756	PING.EXE
3756	PING.EXE
3692	PING.EXE
1056	PING.EXE
920	PING.EXE
416	PING.EXE
764	PING.EXE
3372	PING.EXE
2600	PING.EXE
760	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1956	schtasks.exe
4896	schtasks.exe
3780	schtasks.exe
1356	schtasks.exe
3484	schtasks.exe
5024	schtasks.exe
1420	schtasks.exe
1564	schtasks.exe
2232	schtasks.exe
4620	schtasks.exe
1492	schtasks.exe
5044	schtasks.exe
3540	schtasks.exe
1552	schtasks.exe
1280	schtasks.exe
764	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	Word.exe
Token: SeDebugPrivilege	1936	Word.exe
Token: SeDebugPrivilege	3748	Word.exe
Token: SeDebugPrivilege	4240	Word.exe
Token: SeDebugPrivilege	1080	Word.exe
Token: SeDebugPrivilege	4288	Word.exe
Token: SeDebugPrivilege	2644	Word.exe
Token: SeDebugPrivilege	2428	Word.exe
Token: SeDebugPrivilege	3084	Word.exe
Token: SeDebugPrivilege	2760	Word.exe
Token: SeDebugPrivilege	916	Word.exe
Token: SeDebugPrivilege	4024	Word.exe
Token: SeDebugPrivilege	860	Word.exe
Token: SeDebugPrivilege	3456	Word.exe
Token: SeDebugPrivilege	3816	Word.exe
Token: SeDebugPrivilege	2956	Word.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 4528	3128	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	82
PID 3128 wrote to memory of 4528	3128	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	82
PID 3128 wrote to memory of 860	3128	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	83
PID 3128 wrote to memory of 860	3128	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	83
PID 3128 wrote to memory of 860	3128	JaffaCakes118_e82e07a2f06226989c2864557311d904.exe	83
PID 4528 wrote to memory of 1956	4528	Word.exe	84
PID 4528 wrote to memory of 1956	4528	Word.exe	84
PID 4528 wrote to memory of 1936	4528	Word.exe	86
PID 4528 wrote to memory of 1936	4528	Word.exe	86
PID 1936 wrote to memory of 2232	1936	Word.exe	87
PID 1936 wrote to memory of 2232	1936	Word.exe	87
PID 1936 wrote to memory of 1476	1936	Word.exe	89
PID 1936 wrote to memory of 1476	1936	Word.exe	89
PID 1476 wrote to memory of 4860	1476	cmd.exe	91
PID 1476 wrote to memory of 4860	1476	cmd.exe	91
PID 1476 wrote to memory of 1756	1476	cmd.exe	92
PID 1476 wrote to memory of 1756	1476	cmd.exe	92
PID 1476 wrote to memory of 3748	1476	cmd.exe	101
PID 1476 wrote to memory of 3748	1476	cmd.exe	101
PID 3748 wrote to memory of 4620	3748	Word.exe	102
PID 3748 wrote to memory of 4620	3748	Word.exe	102
PID 3748 wrote to memory of 3368	3748	Word.exe	104
PID 3748 wrote to memory of 3368	3748	Word.exe	104
PID 3368 wrote to memory of 1932	3368	cmd.exe	106
PID 3368 wrote to memory of 1932	3368	cmd.exe	106
PID 3368 wrote to memory of 764	3368	cmd.exe	107
PID 3368 wrote to memory of 764	3368	cmd.exe	107
PID 3368 wrote to memory of 4240	3368	cmd.exe	110
PID 3368 wrote to memory of 4240	3368	cmd.exe	110
PID 4240 wrote to memory of 4896	4240	Word.exe	111
PID 4240 wrote to memory of 4896	4240	Word.exe	111
PID 4240 wrote to memory of 1148	4240	Word.exe	113
PID 4240 wrote to memory of 1148	4240	Word.exe	113
PID 1148 wrote to memory of 3532	1148	cmd.exe	115
PID 1148 wrote to memory of 3532	1148	cmd.exe	115
PID 1148 wrote to memory of 2968	1148	cmd.exe	116
PID 1148 wrote to memory of 2968	1148	cmd.exe	116
PID 1148 wrote to memory of 1080	1148	cmd.exe	118
PID 1148 wrote to memory of 1080	1148	cmd.exe	118
PID 1080 wrote to memory of 3780	1080	Word.exe	119
PID 1080 wrote to memory of 3780	1080	Word.exe	119
PID 1080 wrote to memory of 1092	1080	Word.exe	121
PID 1080 wrote to memory of 1092	1080	Word.exe	121
PID 1092 wrote to memory of 4836	1092	cmd.exe	123
PID 1092 wrote to memory of 4836	1092	cmd.exe	123
PID 1092 wrote to memory of 3756	1092	cmd.exe	124
PID 1092 wrote to memory of 3756	1092	cmd.exe	124
PID 1092 wrote to memory of 4288	1092	cmd.exe	125
PID 1092 wrote to memory of 4288	1092	cmd.exe	125
PID 4288 wrote to memory of 1492	4288	Word.exe	126
PID 4288 wrote to memory of 1492	4288	Word.exe	126
PID 4288 wrote to memory of 1352	4288	Word.exe	128
PID 4288 wrote to memory of 1352	4288	Word.exe	128
PID 1352 wrote to memory of 2148	1352	cmd.exe	130
PID 1352 wrote to memory of 2148	1352	cmd.exe	130
PID 1352 wrote to memory of 3372	1352	cmd.exe	131
PID 1352 wrote to memory of 3372	1352	cmd.exe	131
PID 1352 wrote to memory of 2644	1352	cmd.exe	133
PID 1352 wrote to memory of 2644	1352	cmd.exe	133
PID 2644 wrote to memory of 1356	2644	Word.exe	134
PID 2644 wrote to memory of 1356	2644	Word.exe	134
PID 2644 wrote to memory of 2912	2644	Word.exe	136
PID 2644 wrote to memory of 2912	2644	Word.exe	136
PID 2912 wrote to memory of 4688	2912	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e82e07a2f06226989c2864557311d904.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e82e07a2f06226989c2864557311d904.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Roaming\Word.exe
  "C:\Users\Admin\AppData\Roaming\Word.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Word.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1956
- - C:\Users\Admin\AppData\Roaming\WordW\Word.exe
    "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fhWc7llsW0nK.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4860
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1756
    - - C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OPQH7aAtN46n.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LpqwgPdW92Bo.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2968
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\S0Ymgmukj4XW.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3756
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\X7wtWsCB7Cz0.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3xYSpafNuJxw.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2580
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMtuuiGxbq8J.bat" "
        16⤵
        
        PID:3748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:1636
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wve58d783M96.bat" "
        18⤵
        
        PID:4192
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3600
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SiWel7iYtv2W.bat" "
        20⤵
        
        PID:4032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3692
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bh8D8MPc5qy4.bat" "
        22⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1016
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zTGhIMEJFQqv.bat" "
        24⤵
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:760
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F9HfI1cK4zBV.bat" "
        26⤵
        
        PID:1840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3456
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7dGoTbaaoGZM.bat" "
        28⤵
        
        PID:2788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\M8gjDWePxwaq.bat" "
        30⤵
        
        PID:4800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3996
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\WordW\Word.exe
        
        "C:\Users\Admin\AppData\Roaming\WordW\Word.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WordW\Word.exe" /rl HIGHEST /f
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6sH0dgGAE66Q.bat" "
        32⤵
        
        PID:2348
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:416
- C:\Users\Admin\AppData\Local\Temp\bin\S^X.exe
  "C:\Users\Admin\AppData\Local\Temp\bin\S^X.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 996
    3⤵
    - Program crash
    PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 860 -ip 860
1⤵
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery