sality | 52a7d48f7b130539b1f1c97736170ced7b48fe38473656a7d32405a9ca20a586

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 24 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4880	netsh.exe
116	netsh.exe
2984	netsh.exe
6312	netsh.exe
3268	netsh.exe
4944	netsh.exe
3036	netsh.exe
5976	netsh.exe
4496	netsh.exe
6304	netsh.exe
6296	netsh.exe
1836	netsh.exe
5956	netsh.exe
5916	netsh.exe
8088	netsh.exe
7356	netsh.exe
7876	netsh.exe
3084	netsh.exe
3176	netsh.exe
2912	netsh.exe
4536	netsh.exe
6620	netsh.exe
828	netsh.exe
828	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
5048	DECB07.EXE

Loads dropped DLL 8 IoCs

pid	Process
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
5048	DECB07.EXE

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

persistence privilege_escalation

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\02A732\	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
File opened for modification	C:\Windows\SysWOW64\B526A5\	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
File opened for modification	C:\Windows\SysWOW64\06794E\	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
File opened for modification	C:\Windows\SysWOW64\04764D\	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2996-1-0x00000000021B0000-0x00000000031E3000-memory.dmp	upx
behavioral2/memory/2996-16-0x00000000021B0000-0x00000000031E3000-memory.dmp	upx
behavioral2/memory/2996-18-0x00000000021B0000-0x00000000031E3000-memory.dmp	upx
behavioral2/memory/2996-21-0x00000000021B0000-0x00000000031E3000-memory.dmp	upx
behavioral2/memory/2996-47-0x00000000021B0000-0x00000000031E3000-memory.dmp	upx
behavioral2/memory/2996-70-0x00000000021B0000-0x00000000031E3000-memory.dmp	upx
behavioral2/memory/1984-146-0x00000000021E0000-0x0000000003213000-memory.dmp	upx
behavioral2/memory/1984-135-0x00000000021E0000-0x0000000003213000-memory.dmp	upx
behavioral2/memory/1984-121-0x00000000021E0000-0x0000000003213000-memory.dmp	upx
behavioral2/memory/1984-162-0x00000000021E0000-0x0000000003213000-memory.dmp	upx
behavioral2/memory/1984-167-0x00000000021E0000-0x0000000003213000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1988	4944	WerFault.exe	155

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Token: SeDebugPrivilege	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 804	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	9
PID 2996 wrote to memory of 800	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	10
PID 2996 wrote to memory of 316	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	13
PID 2996 wrote to memory of 1112	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	51
PID 2996 wrote to memory of 3100	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	52
PID 2996 wrote to memory of 3128	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	53
PID 2996 wrote to memory of 3448	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	56
PID 2996 wrote to memory of 3564	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	57
PID 2996 wrote to memory of 3764	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	58
PID 2996 wrote to memory of 3852	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	59
PID 2996 wrote to memory of 3920	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	60
PID 2996 wrote to memory of 4032	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	61
PID 2996 wrote to memory of 3888	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	62
PID 2996 wrote to memory of 4432	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	64
PID 2996 wrote to memory of 1148	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	75
PID 2996 wrote to memory of 2328	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	80
PID 2996 wrote to memory of 224	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	81
PID 2996 wrote to memory of 4864	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	83
PID 2996 wrote to memory of 4880	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	84
PID 2996 wrote to memory of 4880	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	84
PID 2996 wrote to memory of 4880	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	84
PID 2996 wrote to memory of 4452	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	86
PID 2996 wrote to memory of 4452	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	86
PID 2996 wrote to memory of 4452	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	86
PID 2996 wrote to memory of 5048	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	90
PID 2996 wrote to memory of 5048	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	90
PID 2996 wrote to memory of 5048	2996	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe	90

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3100

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3128

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe"
  2⤵
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2996
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4880
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4452
- - C:\Windows\SysWOW64\B526A5\DECB07.EXE
    C:\Windows\system32\B526A5\DECB07.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5048
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B526A5\DECB07
      4⤵
      PID:4528
  - - C:\Windows\SysWOW64\B526A5\DECB07.EXE
      C:\Windows\system32\B526A5\DECB07.EXE
      4⤵
      PID:400
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        5⤵
        
        PID:3612
    - - C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        5⤵
        
        PID:1984
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        6⤵
        Modifies Windows Firewall
        
        PID:1836
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        6⤵
        
        PID:2172
      - C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        6⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        7⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        7⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        8⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        8⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        9⤵
        Modifies Windows Firewall
        
        PID:3084
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        9⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        9⤵
        
        PID:452
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        10⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        10⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        11⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        11⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        12⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        12⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        13⤵
        Modifies Windows Firewall
        
        PID:3268
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        13⤵
        
        PID:456
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        13⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        14⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        14⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        15⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        15⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        16⤵
        Modifies Windows Firewall
        
        PID:3176
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        16⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        16⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        17⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        17⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        18⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        18⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        19⤵
        Modifies Windows Firewall
        
        PID:2912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        19⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        19⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        20⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        20⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        21⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        21⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        22⤵
        Modifies Windows Firewall
        
        PID:4944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 84
        23⤵
        Program crash
        
        PID:1988
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        22⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        22⤵
        
        PID:64
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        23⤵
        
        PID:560
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        23⤵
        
        PID:116
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        24⤵
        Modifies Windows Firewall
        
        PID:3036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        24⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        24⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        25⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        25⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        26⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        26⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        27⤵
        Modifies Windows Firewall
        
        PID:5956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        27⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        27⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        28⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        28⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        29⤵
        Modifies Windows Firewall
        
        PID:5976
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        29⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        29⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        30⤵
        
        PID:64
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        30⤵
        
        PID:664
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        31⤵
        Modifies Windows Firewall
        
        PID:116
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        31⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        31⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        32⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        32⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        33⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        33⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        34⤵
        Modifies Windows Firewall
        
        PID:5916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        34⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        34⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        35⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        35⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        36⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        36⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        37⤵
        Modifies Windows Firewall
        
        PID:4536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        37⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        37⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        38⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        38⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        39⤵
        Modifies Windows Firewall
        
        PID:4496
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        39⤵
        
        PID:828
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        39⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        40⤵
        
        PID:212
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        40⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        41⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        41⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        42⤵
        Modifies Windows Firewall
        
        PID:6620
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        42⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        42⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        43⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        43⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        44⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        44⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        45⤵
        Modifies Windows Firewall
        
        PID:6304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        45⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        45⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        46⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        46⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        47⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        47⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        48⤵
        Modifies Windows Firewall
        
        PID:828
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        48⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        48⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        49⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        49⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        50⤵
        Modifies Windows Firewall
        
        PID:6296
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        50⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        50⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        51⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        51⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        52⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        52⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        53⤵
        Modifies Windows Firewall
        
        PID:2984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        53⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        53⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        54⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        54⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        55⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        55⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        56⤵
        Modifies Windows Firewall
        
        PID:828
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        56⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        56⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        57⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        57⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        58⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        58⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        59⤵
        Modifies Windows Firewall
        
        PID:8088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        59⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        59⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        60⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        60⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        61⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        61⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        62⤵
        Modifies Windows Firewall
        
        PID:6312
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        62⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        62⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        63⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        63⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        64⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        64⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        65⤵
        Modifies Windows Firewall
        
        PID:7356
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        65⤵
        
        PID:532
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        65⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        66⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        66⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        67⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        67⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        68⤵
        Modifies Windows Firewall
        
        PID:7876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        68⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        68⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        69⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        69⤵
        
        PID:4984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4032

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4432

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1148

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2328

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:224

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:4864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3828

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4376

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3252

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2592

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2272

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1300

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4880

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4944 -ip 4944
1⤵
PID:852

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5112

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5820

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4636

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4004

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7096

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6292

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6116

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7344

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7952

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7428

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3472

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8096

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2432

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry