Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 19:30
Static task: static1
Behavioral task: behavioral1
  Sample: 56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll
Size: 5.0MB
MD5: 56676839d1325a3d51d478f79d292b32
SHA1: c8b24b041661f8a1f4b16691d8973961ab4a7fd4
SHA256: f73ef92a463852a6ab8e141805a52a85dba0ce251d8e1a2b3dc27412c25e4806
SHA512: 880b4e1498285f6da929dc8001665e5e72ba3e6c16fc57d819429ac595fb4253789d38f5c457a7b5d3c374f3dedbd3aaaf4621f5a8e3e25279d46c571007e5eb
SSDEEP: 12288:n6bLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+Dx:6bLgddQhfdmMSirYbcMNgef0
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes: mssecsvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | mssecsvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | mssecsvc.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1" | mssecsvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | mssecsvc.exe

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3329) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (2 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe
  pid | process
  3216 | mssecsvc.exe
  692 | mssecsvc.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

Program crash (1 IoCs)
Processes: WerFault.exe
  pid | pid_target | process | target process
  2608 | 3216 | WerFault.exe | mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes: mssecsvc.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe
  pid | process
  3216 | mssecsvc.exe
  3216 | mssecsvc.exe
  692 | mssecsvc.exe
  692 | mssecsvc.exe

Suspicious behavior: MapViewOfSection (64 IoCs)
Processes: mssecsvc.exe
  pid | process
  3216 | mssecsvc.exe (all 64 rows are identical)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 3216 | mssecsvc.exe
  Token: SeDebugPrivilege | 692 | mssecsvc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, mssecsvc.exe
  pid | wrote to memory of | process | target process | rows
  916 | 2400 | rundll32.exe | rundll32.exe | 3
  2400 | 3216 | rundll32.exe | mssecsvc.exe | 3
  3216 | 608 | mssecsvc.exe | winlogon.exe | 6
  3216 | 668 | mssecsvc.exe | lsass.exe | 6
  3216 | 780 | mssecsvc.exe | svchost.exe | 6
  3216 | 788 | mssecsvc.exe | fontdrvhost.exe | 6
  3216 | 796 | mssecsvc.exe | fontdrvhost.exe | 6
  3216 | 896 | mssecsvc.exe | svchost.exe | 6
  3216 | 956 | mssecsvc.exe | svchost.exe | 6
  3216 | 1016 | mssecsvc.exe | dwm.exe | 6
  3216 | 408 | mssecsvc.exe | svchost.exe | 6
  3216 | 996 | mssecsvc.exe | svchost.exe | 4
Processes
(indentation shows parent/child depth in the process tree; signature hits are listed beneath the process that triggered them)

PID 608 | C:\Windows\system32\winlogon.exe | cmd: winlogon.exe
  PID 788 | C:\Windows\system32\fontdrvhost.exe | cmd: "fontdrvhost.exe"
  PID 1016 | C:\Windows\system32\dwm.exe | cmd: "dwm.exe"
PID 668 | C:\Windows\system32\lsass.exe | cmd: C:\Windows\system32\lsass.exe
PID 780 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
  PID 3188 | C:\Windows\system32\wbem\unsecapp.exe | cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID 3848 | C:\Windows\system32\DllHost.exe | cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID 3976 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID 4064 | C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 1512 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID 4204 | C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 4536 | C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 3580 | C:\Windows\system32\SppExtComObj.exe | cmd: C:\Windows\system32\SppExtComObj.exe -Embedding
  PID 4492 | C:\Windows\system32\DllHost.exe | cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID 4616 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID 812 | C:\Windows\system32\backgroundTaskHost.exe | cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID 3272 | C:\Windows\system32\backgroundTaskHost.exe | cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID 404 | C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 5052 | C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 796 | C:\Windows\system32\fontdrvhost.exe | cmd: "fontdrvhost.exe"
PID 896 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k RPCSS -p
PID 956 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
PID 408 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
PID 996 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
PID 912 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
PID 1136 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
PID 1144 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  PID 2688 | C:\Windows\system32\taskhostw.exe | cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 1152 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
PID 1164 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
PID 1252 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
PID 1312 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
PID 1324 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
PID 1436 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
PID 1456 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  PID 2556 | C:\Windows\system32\sihost.exe | cmd: sihost.exe
PID 1580 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
PID 1592 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
PID 1648 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
PID 1716 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
PID 1748 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
PID 1820 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
PID 1960 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1972 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
PID 1064 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
PID 1472 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1840 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
PID 2072 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
PID 2168 | C:\Windows\System32\spoolsv.exe | cmd: C:\Windows\System32\spoolsv.exe
PID 2236 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
PID 2276 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
PID 2348 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
PID 2588 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2648 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
PID 2656 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
PID 2680 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
PID 2852 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
PID 2916 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
PID 2924 | C:\Windows\sysmon.exe | cmd: C:\Windows\sysmon.exe
PID 2940 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
PID 2956 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
PID 3300 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
PID 3480 | C:\Windows\Explorer.EXE | cmd: C:\Windows\Explorer.EXE
  PID 916 | C:\Windows\system32\rundll32.exe | cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    PID 2400 | C:\Windows\SysWOW64\rundll32.exe | cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID 3216 | C:\WINDOWS\mssecsvc.exe | cmd: C:\WINDOWS\mssecsvc.exe
        - Modifies firewall policy service
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID 2608 | C:\Windows\SysWOW64\WerFault.exe | cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 1416
          - Program crash
PID 3644 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3752 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
PID 904 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
PID 1352 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
PID 4028 | C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
PID 3684 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | cmd: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
PID 3944 | C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
PID 692 | C:\WINDOWS\mssecsvc.exe | cmd: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
PID 4560 | C:\Windows\SysWOW64\WerFault.exe | cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3216 -ip 3216
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: 33f61e96560dac487704a979691d0643
SHA1: 62cc63f85ba81f4e93218951766626b316e64270
SHA256: 085f4b0e113d68fe8559119f38d67d0e3b1975b55df28f645fcb1cd260939982
SHA512: 09c3dbb906d552ae0aa39d38f0c62bebe288c04187d71aebe688a6e9f37ab515650b7a199dd1bd6600c4d9737f25259ea3ecf786e8e451a42f7198d38d0c36ad