cybergate | 26a0f4ad07e5dd08bf875058b74f68a8fffec03b22ec97ed3c259ee575f9fa75

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows.exe"	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\windows.exe"	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{L082I2T8-3FYA-BAHF-2T0T-S5FYV6OJ167N}	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{L082I2T8-3FYA-BAHF-2T0T-S5FYV6OJ167N}\StubPath = "C:\\Windows\\system32\\windows.exe Restart"	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{L082I2T8-3FYA-BAHF-2T0T-S5FYV6OJ167N}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{L082I2T8-3FYA-BAHF-2T0T-S5FYV6OJ167N}\StubPath = "C:\\Windows\\system32\\windows.exe"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Executes dropped EXE 2 IoCs

pid	Process
624	windows.exe
4164	windows.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\windows.exe"	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\windows.exe"	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\windows.exe	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
File opened for modification	C:\Windows\SysWOW64\windows.exe	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
File opened for modification	C:\Windows\SysWOW64\	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
File created	C:\Windows\SysWOW64\windows.exe	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 3176	2768	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	83
PID 624 set thread context of 4164	624	windows.exe	88

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3176-3-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3176-5-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3176-7-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3176-8-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3176-13-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3176-74-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3176-149-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4164-497-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4164-584-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4912	4164	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
4912	WerFault.exe
4912	WerFault.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Token: SeDebugPrivilege	2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Token: SeDebugPrivilege	2324	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
Token: SeDebugPrivilege	624	windows.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 3176	2768	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	83
PID 2768 wrote to memory of 3176	2768	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	83
PID 2768 wrote to memory of 3176	2768	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	83
PID 2768 wrote to memory of 3176	2768	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	83
PID 2768 wrote to memory of 3176	2768	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	83
PID 2768 wrote to memory of 3176	2768	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	83
PID 2768 wrote to memory of 3176	2768	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	83
PID 2768 wrote to memory of 3176	2768	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	83
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54
PID 3176 wrote to memory of 3144	3176	JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe	54

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:796
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:784
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3308
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3812
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3912
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3996
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:4080
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3748
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4068
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:1284
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1568
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:1684
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3516
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:1172
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3400
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1596
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:336
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:1940

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1180
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1440
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2168

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2940

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:3012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3032

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3144
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
    C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:3928
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7adca0ca09b92b86708eb4149485a009.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2324
    - - C:\Windows\SysWOW64\windows.exe
        
        "C:\Windows\system32\windows.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
      - C:\Windows\SysWOW64\windows.exe
        
        C:\Windows\SysWOW64\windows.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 564
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2800

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4164 -ip 4164
  2⤵
  PID:1872

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c4f1158d8d6e58c6245a4b54c7884c12 gqEZNUmGAUKpvw8oD1T8CA.0.1.0.0.0
1⤵
PID:1964
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4760

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery