Analysis
max time kernel: 149s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/07/2024, 20:26
Static task: static1
Behavioral task: behavioral1
Sample: 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe
Resource: win7-20240708-en
The run detailed below is the Windows 10 task (platform windows10-2004_x64; its memory dumps are filed under behavioral2/), not the win7 task listed here.
General
Target: 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe
Size: 408KB
MD5: 711ae558d7286ad13644149159044dcc
SHA1: 57810350fb7267b2870d8d4bdabfedf9710ca7e0
SHA256: eab1b6c30aad7cd1f0ffa2f5214f4f616c07276d18e917bed2f70b36a100864e
SHA512: 37cc209630974a9005e4e49d2eb96170bcc935a2612d7d0a65fe99aed1870660fb855255bbde6a78c2f2064e4a5ad352f222fb570259362bf02faf8989ea655f
SSDEEP: 6144:k+bELf/Mi/cWdi5pV/JNWOVhMtWk8mW4e5/K74cDtN3e:OdOpNX1hxmuyN3e
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
These are the URLs recovered from the sample's embedded configuration. One of them is a bare IPv4 address, so DNS-layer blocking of the three kukutrustnet domains does not cover it; block the IP at egress as well.
Signatures

Modifies visibility of file extensions in Explorer  2 TTPs, 9 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Written by: WinAlert.exe (3), Commgr.exe (3), WinSysApp.exe (2), 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe (1)

Modifies visibility of hidden/system files in Explorer  2 TTPs, 9 IoCs
Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Written by: Commgr.exe (3), WinAlert.exe (3), WinSysApp.exe (2), 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe (1)
Both values are written with their Explorer defaults (extensions hidden, protected operating-system files hidden), so the indicator is the explicit write by each of the four processes rather than the resulting state; on a host where the user had enabled either view, the setting is reverted.
UAC bypass
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  by 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe
This write disables UAC outright rather than bypassing it: writing HKLM\...\Policies\System needs an already-elevated token (the sandbox runs the sample from the Admin profile), and the change takes effect at the next reboot. The same single write is what triggers "Checks whether UAC is enabled" and "System policy modification" further down.
Checks computer location settings  2 TTPs, 2 IoCs
Looks up the country code configured in the registry, likely a geofence.
Key value queried \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation  by 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe, WinSysApp.exe
Executes dropped EXE  8 IoCs
PID 4004  Commgr.exe
PID 924   WinSysApp.exe
PID 2764  WinAlert.exe
PID 2968  WinAlert.exe
PID 3912  Commgr.exe
PID 2728  WinSysApp.exe
PID 1016  WinAlert.exe
PID 1092  Commgr.exe
Memory regions matching YARA rule upx  9 IoCs
behavioral2/memory/3992-N-0x00000000023E0000-0x0000000003410000-memory.dmp for N = 2, 12, 17, 29, 174, 199, 209, 240, 242 (the same region of PID 3992, about 16 MiB, dumped nine times over the run)
Adds Run key to start application  2 TTPs, 39 IoCs
Six distinct autorun entries, each written by all four processes (711ae558d7286ad13644149159044dcc_JaffaCakes118.exe, Commgr.exe, WinAlert.exe, WinSysApp.exe); the machine-wide entries once per process (12 events), the per-user entries repeatedly (27 events):
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Common Files Manager = "C:\\Program Files\\Windows Common Files\\Commgr.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe"
The machine-wide entries land under WOW6432Node because the sample is a 32-bit image on a 64-bit host (resource tags arch:x86, arch:x64); Windows still processes that Run key at logon. The WindowMessenger path mimics a per-user recycle-bin folder: C:\RECYCLER is the pre-Vista recycle-bin directory (Windows 10 uses C:\$Recycle.Bin) and the folder name copies the S-1-5-21 SID layout with an X prefix, so the directory existing at all on this image is an indicator in its own right.
Checks whether UAC is enabled
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  by 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe (the same write as under UAC bypass above)
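As an added example (not part of the tria.ge report), the Python below parses rows in the format printed above into hive, key, value name, data and writing process, and applies the three checks a detection engineer would take from this run: EnableLUA forced to 0, the two Explorer visibility values written explicitly, and Run entries that launch from a recycle-bin style path. SAMPLE_ROWS is constructed from this report plus one benign OneDrive autorun row (not in the report) as a control; the rule identifiers are my own.

```python
"""Parse tria.ge-style 'Set value' rows and flag Sality-typical registry writes."""
import re
from dataclasses import dataclass

ROW_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)
# A recycle-bin style folder named after a (fake) user SID, e.g. \X-1-5-21-...-1003\
SID_DIR_RE = re.compile(r'\\[A-Z]-1-5-21(?:-\d+){3,4}\\', re.IGNORECASE)

# Constructed input: rows copied from this report plus one benign control row
# (the OneDrive autorun written by explorer.exe) that is NOT in the report.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WinAlert.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Commgr.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowMessenger = "C:\\RECYCLER\\X-1-5-21-1960408961-725345543-839522115-1003\\WinSysApp.exe" 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Alerter = "C:\\Program Files\\Windows Alerter\\WinAlert.exe" Commgr.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" explorer.exe',
]


@dataclass(frozen=True)
class RegWrite:
    hive: str   # 'HKLM' or 'HKU\\<SID>'
    key: str    # key path below the hive, value name stripped
    name: str   # value name
    data: str   # value data (backslash escapes removed for str values)
    proc: str   # image name of the writing process, as the report prints it


def parse_row(row: str) -> RegWrite:
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError(f'unrecognised row: {row!r}')
    path = m['path']
    machine, user = '\\REGISTRY\\MACHINE\\', '\\REGISTRY\\USER\\'
    if path.upper().startswith(machine):
        hive, rest = 'HKLM', path[len(machine):]
    elif path.upper().startswith(user):
        sid, _, rest = path[len(user):].partition('\\')
        hive = 'HKU\\' + sid
    else:
        raise ValueError(f'unknown hive in {path!r}')
    key, _, name = rest.rpartition('\\')
    data = m['data']
    if m['type'] == 'str':
        data = data.replace('\\\\', '\\')   # the report doubles backslashes in str data
    return RegWrite(hive, key, name, data, m['proc'])


def evaluate(rows):
    """Return (rule_id, process, detail) for every row that matches a rule."""
    findings = []
    for ev in map(parse_row, rows):
        key, name = ev.key.upper(), ev.name.lower()
        if ev.hive == 'HKLM' and key.endswith('\\POLICIES\\SYSTEM') and name == 'enablelua' and ev.data == '0':
            findings.append(('uac_disabled', ev.proc, 'EnableLUA=0 turns UAC off at the next reboot'))
        elif key.endswith('\\EXPLORER\\ADVANCED') and name == 'hidefileext' and ev.data == '1':
            findings.append(('explorer_hide_ext', ev.proc, 'file extensions hidden (explicit write of the default)'))
        elif key.endswith('\\EXPLORER\\ADVANCED') and name == 'showsuperhidden' and ev.data == '0':
            findings.append(('explorer_hide_superhidden', ev.proc, 'protected OS files hidden (explicit write of the default)'))
        elif key.endswith(('\\CURRENTVERSION\\RUN', '\\CURRENTVERSION\\RUNONCE')):
            upper = ev.data.upper()
            if '\\RECYCLER\\' in upper or '\\$RECYCLE.BIN\\' in upper or SID_DIR_RE.search(ev.data):
                findings.append(('autorun_recycler', ev.proc, f'Run value {ev.name!r} launches {ev.data}'))
    return findings


if __name__ == '__main__':
    for rule, proc, detail in evaluate(SAMPLE_ROWS):
        print(f'{rule:26} {proc:52} {detail}')
```

The Run rule deliberately does not fire on the "Windows Alerter" and OneDrive rows: an autorun pointing into Program Files is only suspicious in combination with the other findings, whereas a RECYCLER or SID-named launch path is suspicious on its own.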
Drops file in Program Files directory  11 IoCs
Every row is an existing executable on the image opened for write by 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe, not a newly created file. Sality is a PE file infector, so treat these as infected host binaries to be restored from known-good media rather than as payloads to delete:
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
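Added example (not from the report): a baseline-and-compare check for the executables listed above, which is how you decide which host binaries to restore after a file infector has run. Everything here is constructed in a temporary directory using two of the report's file names; the infection is simulated by appending bytes to one host file, the way a file infector grows its target, and a new executable is added so the three outcomes (modified, added, missing) are all exercised.

```python
"""Hash baseline for executables under directories a file infector touched."""
import hashlib
import json
import tempfile
from pathlib import Path

EXEC_SUFFIXES = ('.exe', '.scr', '.dll')


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open('rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots) -> dict:
    """Map each executable under *roots* to its SHA-256 and size."""
    baseline = {}
    for root in roots:
        for p in Path(root).rglob('*'):
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
                baseline[str(p)] = {'sha256': sha256_file(p), 'size': p.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Files whose content changed (with old/new size), plus files that appeared or vanished."""
    shared = baseline.keys() & current.keys()
    return {
        'modified': sorted((k, baseline[k]['size'], current[k]['size'])
                           for k in shared if baseline[k]['sha256'] != current[k]['sha256']),
        'added': sorted(current.keys() - baseline.keys()),
        'missing': sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake Program Files tree, infect one file, re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / 'Program Files'
        c2r = root / 'Common Files' / 'Microsoft Shared' / 'ClickToRun'
        (root / '7-Zip').mkdir(parents=True)
        c2r.mkdir(parents=True)
        host = root / '7-Zip' / '7z.exe'
        host.write_bytes(b'MZ' + b'\x00' * 1022)                  # stand-in for a real PE
        (c2r / 'OfficeC2RClient.exe').write_bytes(b'MZ' + b'\x00' * 2046)

        # Persist the baseline; in production this lives signed and off-host.
        store = Path(tmp) / 'baseline.json'
        store.write_text(json.dumps(build_baseline([root])))
        baseline = json.loads(store.read_text())

        with host.open('ab') as f:
            f.write(b'\x90' * 512)       # infector appends its body: size grows, hash changes
        (root / '7-Zip' / 'dropped.exe').write_bytes(b'MZ')

        result = compare(baseline, build_baseline([root]))
        # Report by file name so the result does not depend on the temp path.
        result['modified'] = [(Path(p).name, old, new) for p, old, new in result['modified']]
        result['added'] = [Path(p).name for p in result['added']]
        return result


if __name__ == '__main__':
    print(json.dumps(demo(), indent=2))
```

On a live host the quicker first check for Microsoft-signed binaries such as the Click-to-Run ones is Authenticode (Get-AuthenticodeSignature reporting anything other than Valid condemns the file); the hash baseline is what covers unsigned executables and proves exactly which files changed.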
Drops file in Windows directory  1 IoCs
File opened for modification C:\Windows\SYSTEM.INI  by 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery  1 TTPs, 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe, Commgr.exe, WinSysApp.exe, WinAlert.exe (2)
Modifies registry class  2 IoCs
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  by 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe, WinSysApp.exe
Suspicious behavior: EnumeratesProcesses  64 IoCs
PID 3992  711ae558d7286ad13644149159044dcc_JaffaCakes118.exe (all 64 events)
Suspicious use of AdjustPrivilegeToken  64 IoCs
Token: SeDebugPrivilege  PID 3992  711ae558d7286ad13644149159044dcc_JaffaCakes118.exe (all 64 events)
SeDebugPrivilege is what lets the sample open system-owned processes for write; together with the process enumeration above and the cross-process writes below it is the injection primitive, and a process launched from a user's Temp directory enabling it is a high-signal event on its own.
Suspicious use of WriteProcessMemory  64 IoCs
Rows read "PID <writer> wrote to memory of <target>"; the trailing number is the target's index in the process tree, not a PID.
Writer 3992 (711ae558d7286ad13644149159044dcc_JaffaCakes118.exe) into already-running processes that are not its children, one or two writes each: 808 (9), 816 (10), 316 (13), 2708 (51), 3104 (52), 3144 (53), 3516 (56), 3624 (57), 3812 (58), 3900 (59), 3968 (60), 4060 (61), 4104 (62), 5048 (74), 2236 (76), 552 (81), 3128 (82), 3180 (95). The first seven are the system processes named in the process list (fontdrvhost.exe twice, dwm.exe, sihost.exe, svchost.exe, taskhostw.exe, Explorer.EXE); the others are not named in the visible part of the report.
Writer 3992 into its own dropped children, three to five writes each: 2968 (85), 2764 (86), 924 (87), 4004 (88), 3912 (89), 2728 (90).
Writer 924 (WinSysApp.exe) into its own children, three writes each: 1016 (91), 1092 (92).
The handful of writes a parent makes into each child it has just created is the ordinary process-creation pattern and is not an indicator by itself; the writes into unrelated, pre-existing system processes are.
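Added example (not from the report): splitting the WriteProcessMemory rows into the writes a process makes into children it has just created and the writes into unrelated, already-running processes, which is the distinction an alert on this signature should make. WRITE_ROWS is a constructed subset of the rows above; PROCS is built from the process list and tree on this page, with the parent links for the dropped executables taken from the tree and the writer PIDs (None where the report does not show a parent).

```python
"""Split WriteProcessMemory rows into parent-to-new-child writes and injection."""
import re
from collections import Counter

# Row format as printed in the report; the final number is the target's index
# in the process tree, not a PID.
WRITE_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_idx>\d+)$'
)

SAMPLE = '711ae558d7286ad13644149159044dcc_JaffaCakes118.exe'

# Constructed subset of the rows in this report.
WRITE_ROWS = [
    f'PID 3992 wrote to memory of {dst} 3992 {SAMPLE} {idx}'
    for dst, idx in [(808, 9), (816, 10), (316, 13), (2708, 51), (3104, 52), (3144, 53),
                     (3516, 56), (4004, 88), (4004, 88), (4004, 88), (924, 87)]
] + [
    'PID 924 wrote to memory of 1016 924 WinSysApp.exe 91',
    'PID 924 wrote to memory of 1092 924 WinSysApp.exe 92',
]

# pid -> (image, parent pid), from the report's process list and tree. Parents of
# the dropped executables come from the tree and the writer PIDs; None means the
# report does not show a parent (assumption: not needed for the classification).
PROCS = {
    808: ('fontdrvhost.exe', None), 816: ('fontdrvhost.exe', None), 316: ('dwm.exe', None),
    2708: ('sihost.exe', None), 3104: ('svchost.exe', None), 3144: ('taskhostw.exe', None),
    3516: ('Explorer.EXE', None), 3992: (SAMPLE, 3516),
    4004: ('Commgr.exe', 3992), 924: ('WinSysApp.exe', 3992), 2764: ('WinAlert.exe', 3992),
    2968: ('WinAlert.exe', 3992), 3912: ('Commgr.exe', 3992), 2728: ('WinSysApp.exe', 3992),
    1016: ('WinAlert.exe', 924), 1092: ('Commgr.exe', 924),
}

SYSTEM_IMAGES = {'fontdrvhost.exe', 'dwm.exe', 'sihost.exe', 'svchost.exe',
                 'taskhostw.exe', 'explorer.exe'}


def parse_write(row: str):
    m = WRITE_RE.match(row)
    if m is None:
        raise ValueError(f'unrecognised row: {row!r}')
    return int(m['src']), int(m['dst']), m['image']


def classify_writes(rows, procs):
    """Return (injections, child_setup), each a Counter keyed by (src, dst, dst_image)."""
    injections, child_setup = Counter(), Counter()
    for src, dst, _writer_image in map(parse_write, rows):
        dst_image, parent = procs.get(dst, ('<not in report>', None))
        key = (src, dst, dst_image)
        if parent == src:
            child_setup[key] += 1      # a parent writing into a child it just created
        else:
            injections[key] += 1       # cross-process write into an unrelated process
    return injections, child_setup


def injected_system_images(injections):
    """Windows system images that received cross-process writes, for the alert text."""
    return sorted({img for (_, _, img) in injections if img.lower() in SYSTEM_IMAGES})


if __name__ == '__main__':
    inj, child = classify_writes(WRITE_ROWS, PROCS)
    for (src, dst, img), n in sorted(inj.items()):
        print(f'INJECTION   {src} -> {dst} ({img}) x{n}')
    for (src, dst, img), n in sorted(child.items()):
        print(f'child-setup {src} -> {dst} ({img}) x{n}')
```

Applied to the full table, the same rule would put all 34 writes into the depth-1 system processes and the unnamed PIDs in the injection bucket and the 30 writes into 2968, 2764, 924, 4004, 3912, 2728, 1016 and 1092 in the child-setup bucket.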
System policy modification 1 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 711ae558d7286ad13644149159044dcc_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:808
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:816
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:316
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3104
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3144
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3516
-
C:\Users\Admin\AppData\Local\Temp\711ae558d7286ad13644149159044dcc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\711ae558d7286ad13644149159044dcc_JaffaCakes118.exe"2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3992 -
C:\Program Files\Windows Alerter\WinAlert.exe"C:\Program Files\Windows Alerter\WinAlert.exe"3⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2968
-
-
C:\Program Files\Windows Alerter\WinAlert.exe"C:\Program Files\Windows Alerter\WinAlert.exe"3⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2764
-
-
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"3⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:924 -
C:\Program Files\Windows Alerter\WinAlert.exe"C:\Program Files\Windows Alerter\WinAlert.exe"4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
PID:1016
-
-
C:\Program Files\Windows Common Files\Commgr.exe"C:\Program Files\Windows Common Files\Commgr.exe"4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
PID:1092
-
-
-
C:\Program Files\Windows Common Files\Commgr.exe"C:\Program Files\Windows Common Files\Commgr.exe"3⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4004
-
-
C:\Program Files\Windows Common Files\Commgr.exe"C:\Program Files\Windows Common Files\Commgr.exe"3⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
PID:3912
-
-
C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"C:\RECYCLER\X-1-5-21-1960408961-725345543-839522115-1003\WinSysApp.exe"3⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
PID:2728
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3624
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3812
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3900
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3968
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4060
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4104
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:5048
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2236
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:552
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3128
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3180
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1656
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:3684
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:824
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4520
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Impair Defenses (1)
- Disable or Modify Tools (1)
- Modify Registry (5)
Downloads
-
Filesize
408KB
MD5
711ae558d7286ad13644149159044dcc
SHA1
57810350fb7267b2870d8d4bdabfedf9710ca7e0
SHA256
eab1b6c30aad7cd1f0ffa2f5214f4f616c07276d18e917bed2f70b36a100864e
SHA512
37cc209630974a9005e4e49d2eb96170bcc935a2612d7d0a65fe99aed1870660fb855255bbde6a78c2f2064e4a5ad352f222fb570259362bf02faf8989ea655f
-
Filesize
336KB
MD5
3853b62423d65907b0f15acac4223d23
SHA1
1f7dd659a1a8dac667b0a6be86364bdcfe2dc953
SHA256
2776f9a48377ddb6592b60c6ba5a0a19921331702de7afca4243d31263fb3871
SHA512
24a0416ec99bf6ab285782f792ab7a6ddfd242cc33d9aba0ad063972e28b3551a2ae523737b4a85d74de6648adb9fecd9860948f3ab896401ef11935a6dd53a5