Analysis
- max time kernel: 25s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/07/2024, 18:24
Static task: static1
Behavioral task: behavioral1
- Sample: 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
- Size: 215KB
- MD5: 46fc9c3f0b2cb404b5d2f55e76886763
- SHA1: 55dad8f50b2b17271623bb3f3923c1e963a26d91
- SHA256: 5c05c7b7bace103ed8af779d5f383ca53eb5ce84fa9430ed2c95b8050915c23d
- SHA512: 2a116940b6882654ac5d2c33e0a00078a96673c7b53883f1e9887835153ad11e28439d27ac535a3fb9ab2e395c7ada081744e2455601b47c1164a72395906d12
- SSDEEP: 3072:FzAKb/OW+OTwgkNZ0UMKRovRrHTyxL/zZy9TNz+E4Gm4Rq13bnPoMbLwAyS8c/je:Fv/OW+OT6f+rHTyxJFE4GmJ/D+Oqz0Cz
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | nsu86F3.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | nsu86F3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nsu86F3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nsu86F3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | nsu86F3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nsu86F3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nsu86F3.exe

Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | nsu86F3.exe
Disables Task Manager via registry modification

Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
4788 | netsh.exe
4076 | netsh.exe

Deletes itself 1 IoCs
pid | Process
2280 | nsu86F3.exe

Executes dropped EXE 1 IoCs
pid | Process
2280 | nsu86F3.exe
resource | yara_rule
behavioral2/memory/1236-1-0x0000000002390000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/1236-16-0x0000000002390000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/1236-9-0x0000000002390000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/1236-3-0x0000000002390000-0x00000000033BE000-memory.dmp | upx
behavioral2/memory/2280-18-0x0000000004420000-0x000000000544E000-memory.dmp | upx
behavioral2/memory/2280-20-0x0000000004420000-0x000000000544E000-memory.dmp | upx
behavioral2/memory/2280-21-0x0000000004420000-0x000000000544E000-memory.dmp | upx
behavioral2/memory/2280-33-0x0000000004420000-0x000000000544E000-memory.dmp | upx
behavioral2/memory/2280-34-0x0000000004420000-0x000000000544E000-memory.dmp | upx
behavioral2/memory/2280-52-0x0000000004420000-0x000000000544E000-memory.dmp | upx
behavioral2/memory/2280-58-0x0000000004420000-0x000000000544E000-memory.dmp | upx
behavioral2/memory/2280-61-0x0000000004420000-0x000000000544E000-memory.dmp | upx
behavioral2/memory/2280-82-0x0000000004420000-0x000000000544E000-memory.dmp | upx
behavioral2/memory/2280-93-0x0000000004420000-0x000000000544E000-memory.dmp | upx

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nsu86F3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | nsu86F3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nsu86F3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nsu86F3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | nsu86F3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nsu86F3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | nsu86F3.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | nsu86F3.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | nsu86F3.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | nsu86F3.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | nsu86F3.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1236 | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
1236 | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
2280 | nsu86F3.exe
2280 | nsu86F3.exe
2280 | nsu86F3.exe
2280 | nsu86F3.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process | entries
Token: SeShutdownPrivilege | 2280 | nsu86F3.exe | 1
Token: SeDebugPrivilege | 2280 | nsu86F3.exe | 63 (identical rows collapsed)
Suspicious use of WriteProcessMemory 45 IoCs
description | pid | Process | procid_target | entries (identical rows collapsed)
PID 1236 wrote to memory of 4788 | 1236 | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe | 84 | 3
PID 1236 wrote to memory of 2280 | 1236 | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe | 85 | 3
PID 2280 wrote to memory of 4076 | 2280 | nsu86F3.exe | 91 | 5
PID 2280 wrote to memory of 780 | 2280 | nsu86F3.exe | 8 | 2
PID 2280 wrote to memory of 788 | 2280 | nsu86F3.exe | 9 | 2
PID 2280 wrote to memory of 384 | 2280 | nsu86F3.exe | 13 | 2
PID 2280 wrote to memory of 2672 | 2280 | nsu86F3.exe | 44 | 2
PID 2280 wrote to memory of 2680 | 2280 | nsu86F3.exe | 45 | 2
PID 2280 wrote to memory of 2772 | 2280 | nsu86F3.exe | 47 | 2
PID 2280 wrote to memory of 3396 | 2280 | nsu86F3.exe | 55 | 2
PID 2280 wrote to memory of 3588 | 2280 | nsu86F3.exe | 57 | 2
PID 2280 wrote to memory of 3776 | 2280 | nsu86F3.exe | 58 | 2
PID 2280 wrote to memory of 3948 | 2280 | nsu86F3.exe | 59 | 2
PID 2280 wrote to memory of 4012 | 2280 | nsu86F3.exe | 60 | 2
PID 2280 wrote to memory of 3076 | 2280 | nsu86F3.exe | 61 | 2
PID 2280 wrote to memory of 3676 | 2280 | nsu86F3.exe | 62 | 2
PID 2280 wrote to memory of 4628 | 2280 | nsu86F3.exe | 74 | 2
PID 2280 wrote to memory of 4280 | 2280 | nsu86F3.exe | 77 | 2
PID 2280 wrote to memory of 3212 | 2280 | nsu86F3.exe | 81 | 2
PID 2280 wrote to memory of 3688 | 2280 | nsu86F3.exe | 88 | 2
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | nsu86F3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe
Processes
- C:\Windows\system32\fontdrvhost.exe (PID 780)
  command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 788)
  command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 384)
  command line: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2672)
  command line: sihost.exe
- C:\Windows\system32\svchost.exe (PID 2680)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 2772)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3396)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe (PID 1236)
    command line: "C:\Users\Admin\AppData\Local\Temp\46fc9c3f0b2cb404b5d2f55e76886763_JaffaCakes118.exe"
    signatures:
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\netsh.exe (PID 4788)
      command line: netsh firewall set opmode disable
      signatures:
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
    - C:\Users\Admin\AppData\Local\Temp\nsu86F3.exe (PID 2280)
      command line: "C:\Users\Admin\AppData\Local\Temp\nsu86F3.exe" uninstallfrom=C:\Users\Admin\AppData\Local\Temp
      signatures:
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      - C:\Windows\SysWOW64\netsh.exe (PID 4076)
        command line: netsh firewall set opmode disable
        signatures:
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
- C:\Windows\system32\svchost.exe (PID 3588)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3776)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3948)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4012)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3076)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3676)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 4628)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4280)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 3212)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3688)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
- Filesize: 147KB
  MD5: 790ed64ceb9b256dc5549296c88e6a18
  SHA1: 344e4cbf8f82c62c1e97ba0768cf7dac27260bd4
  SHA256: 6ecc3c8b11a1952f0dff48ccdfa0bdb146762d5e3fe12ee906a4cb94b43f713a
  SHA512: 6600a0310073be0d4b58f44d6f3fb7930f4efe8415a05af7a7e790b10e526ea7a5291b7d394ae595374ca6f2f033d3d6f5b8b348760315cb61043b75aa47c923
- Filesize: 215KB
  MD5: 46fc9c3f0b2cb404b5d2f55e76886763
  SHA1: 55dad8f50b2b17271623bb3f3923c1e963a26d91
  SHA256: 5c05c7b7bace103ed8af779d5f383ca53eb5ce84fa9430ed2c95b8050915c23d
  SHA512: 2a116940b6882654ac5d2c33e0a00078a96673c7b53883f1e9887835153ad11e28439d27ac535a3fb9ab2e395c7ada081744e2455601b47c1164a72395906d12
- Filesize: 257B
  MD5: 971a80fdf585b03bc2aa6333b4d60776
  SHA1: 2c46e5c1050b01b40ca36837903da7299c92b467
  SHA256: dfc5e2a706e1c7f262d281ee6071a9358b64760d74c8674fc7dbfd7cb842d478
  SHA512: 8928b10f88942423bc0793dc38aca491fa0b03e5a37532ad2614de5fcf681ad7c80cd18e77bc407dfdb4088966bba70ee301c8a88f508807af4649f61097f0c3