Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/09/2024, 03:13
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f99a4ce7033cefaa73cc83babc2b1579_JaffaCakes118.exe
  - Resource: win7-20240903-en
- Behavioral task: behavioral2
  - Sample: f99a4ce7033cefaa73cc83babc2b1579_JaffaCakes118.exe
  - Resource: win10v2004-20240802-en
General
- Target: f99a4ce7033cefaa73cc83babc2b1579_JaffaCakes118.exe
- Size: 128KB
- MD5: f99a4ce7033cefaa73cc83babc2b1579
- SHA1: be7a9935e4e64b09adb8aa3f431bc1baedb8bb93
- SHA256: 4539ff1fed008cc275d8e3b9e998332c0d04cb5e65df83131dad408b53a4efba
- SHA512: 7dac6fa9b4594a9e3fe0c6ad4d1631d6f39bd42e74964050887fea079b8517163bad81b1cb5a39cf96bbaf5222c08b7e571078f9946ffaa5d9bd75a3e3997a26
- SSDEEP: 3072:4m4oJFI01fw8HdL1otBFuJ5YXoLT/MWzFE:4mjF919LiX+5YYHkWq
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
- PID 3604: trivax1.Bin.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trivax1.Bin.exe = "C:\\trivax1.Bin\\trivax1.Bin.exe" (process: trivax1.Bin.exe)
YARA rule matches (resource: rule)
- behavioral2/memory/4984-2-0x0000000000400000-0x0000000000468000-memory.dmp: upx
- behavioral2/memory/4984-3-0x0000000000400000-0x0000000000468000-memory.dmp: upx
- behavioral2/memory/4984-5-0x0000000000400000-0x0000000000468000-memory.dmp: upx
- behavioral2/memory/3604-13-0x0000000000400000-0x0000000000468000-memory.dmp: upx
- behavioral2/memory/3604-15-0x0000000000400000-0x0000000000468000-memory.dmp: upx
- behavioral2/memory/3604-19-0x0000000000400000-0x0000000000468000-memory.dmp: upx
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: f99a4ce7033cefaa73cc83babc2b1579_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: trivax1.Bin.exe)
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\PhishingFilter (process: trivax1.Bin.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" (process: trivax1.Bin.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0" (process: trivax1.Bin.exe)
Modifies Internet Explorer settings 2 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery (process: trivax1.Bin.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0" (process: trivax1.Bin.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 4984: f99a4ce7033cefaa73cc83babc2b1579_JaffaCakes118.exe (4 entries)
- PID 3604: trivax1.Bin.exe (60 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
- Token: SeDebugPrivilege, PID 4984: f99a4ce7033cefaa73cc83babc2b1579_JaffaCakes118.exe (4 entries)
- Token: SeDebugPrivilege, PID 3604: trivax1.Bin.exe (60 entries)
Suspicious use of WriteProcessMemory 64 IoCs
PID 4984 (f99a4ce7033cefaa73cc83babc2b1579_JaffaCakes118.exe) wrote to the memory of each of the following processes; listed as target PID (procid_target):
- 3440 (56), 616 (5), 676 (7), 784 (8), 792 (9), 800 (10), 900 (11), 956 (12), 384 (13), 740 (14), 1000 (15), 1068 (16), 1108 (17), 1124 (18), 1204 (19), 1216 (20), 1260 (21), 1348 (22), 1356 (23), 1460 (24), 1468 (25), 1520 (26)
- 1528 (27), 1636 (28), 1704 (29), 1760 (30), 1780 (31), 1928 (32), 2004 (33), 2016 (34), 2028 (35), 1724 (36), 2060 (37), 2156 (38), 2228 (39), 2256 (40), 2336 (41), 2548 (42), 2556 (43), 2568 (44), 2620 (45), 2760 (46), 2768 (47), 2820 (48)
- 2836 (49), 2852 (50), 2848 (51), 2928 (52), 3100 (54), 3348 (55), 3440 (56), 3556 (57), 3744 (58), 3836 (59), 3916 (60), 4004 (61), 3900 (62), 4436 (65), 3208 (67), 1872 (68), 1416 (69), 4076 (70), 4732 (71), 4692 (72)
Processes
(image path (PID): command line; indentation shows parent/child relationship)
- C:\Windows\system32\winlogon.exe (PID 616): winlogon.exe
  - C:\Windows\system32\fontdrvhost.exe (PID 784): "fontdrvhost.exe"
  - C:\Windows\system32\dwm.exe (PID 384): "dwm.exe"
- C:\Windows\system32\lsass.exe (PID 676): C:\Windows\system32\lsass.exe
- C:\Windows\system32\fontdrvhost.exe (PID 792): "fontdrvhost.exe"
- C:\Windows\system32\svchost.exe (PID 800): C:\Windows\system32\svchost.exe -k DcomLaunch -p
  - C:\Windows\system32\wbem\unsecapp.exe (PID 3100): C:\Windows\system32\wbem\unsecapp.exe -Embedding
  - C:\Windows\system32\DllHost.exe (PID 3744): C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3836): "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - C:\Windows\System32\RuntimeBroker.exe (PID 3916): C:\Windows\System32\RuntimeBroker.exe -Embedding
  - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 4004): "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  - C:\Windows\System32\RuntimeBroker.exe (PID 3900): C:\Windows\System32\RuntimeBroker.exe -Embedding
  - C:\Windows\system32\SppExtComObj.exe (PID 4076): C:\Windows\system32\SppExtComObj.exe -Embedding
  - C:\Windows\system32\DllHost.exe (PID 3880): C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 4284): "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  - C:\Windows\System32\RuntimeBroker.exe (PID 4808): C:\Windows\System32\RuntimeBroker.exe -Embedding
  - C:\Windows\system32\wbem\wmiprvse.exe (PID 1504): C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - C:\Windows\System32\mousocoreworker.exe (PID 4536): C:\Windows\System32\mousocoreworker.exe -Embedding
  - C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1736): C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- C:\Windows\system32\svchost.exe (PID 900): C:\Windows\system32\svchost.exe -k RPCSS -p
- C:\Windows\system32\svchost.exe (PID 956): C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe (PID 740): C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe (PID 1000): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe (PID 1068): C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- C:\Windows\System32\svchost.exe (PID 1108): C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe (PID 1124): C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\System32\svchost.exe (PID 1204): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- C:\Windows\system32\svchost.exe (PID 1216): C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - C:\Windows\system32\taskhostw.exe (PID 2768): taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe (PID 1260): C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\svchost.exe (PID 1348): C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe (PID 1356): C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\system32\svchost.exe (PID 1460): C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - C:\Windows\system32\sihost.exe (PID 2568): sihost.exe
- C:\Windows\system32\svchost.exe (PID 1468): C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\system32\svchost.exe (PID 1520): C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\System32\svchost.exe (PID 1528): C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe (PID 1636): C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\System32\svchost.exe (PID 1704): C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- C:\Windows\System32\svchost.exe (PID 1760): C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\System32\svchost.exe (PID 1780): C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\System32\svchost.exe (PID 1928): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\system32\svchost.exe (PID 2004): C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- C:\Windows\system32\svchost.exe (PID 2016): C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\System32\svchost.exe (PID 2028): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe (PID 1724): C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\system32\svchost.exe (PID 2060): C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\System32\spoolsv.exe (PID 2156): C:\Windows\System32\spoolsv.exe
- C:\Windows\system32\svchost.exe (PID 2228): C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- C:\Windows\System32\svchost.exe (PID 2256): C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\System32\svchost.exe (PID 2336): C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\system32\svchost.exe (PID 2548): C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe (PID 2556): C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\system32\svchost.exe (PID 2620): C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\svchost.exe (PID 2760): C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- C:\Windows\system32\svchost.exe (PID 2820): C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- C:\Windows\sysmon.exe (PID 2836): C:\Windows\sysmon.exe
- C:\Windows\system32\svchost.exe (PID 2852): C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\System32\svchost.exe (PID 2848): C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\svchost.exe (PID 2928): C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- C:\Windows\system32\svchost.exe (PID 3348): C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\Explorer.EXE (PID 3440): C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\f99a4ce7033cefaa73cc83babc2b1579_JaffaCakes118.exe (PID 4984): "C:\Users\Admin\AppData\Local\Temp\f99a4ce7033cefaa73cc83babc2b1579_JaffaCakes118.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\trivax1.Bin\trivax1.Bin.exe (PID 3604): "C:\trivax1.Bin\trivax1.Bin.exe"
      Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Modifies Internet Explorer Phishing Filter; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe (PID 3556): C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\System32\svchost.exe (PID 4436): C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- C:\Windows\system32\svchost.exe (PID 3208): C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- C:\Windows\system32\svchost.exe (PID 1872): C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (PID 1416): "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- C:\Windows\System32\svchost.exe (PID 4732): C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- C:\Windows\system32\svchost.exe (PID 4692): C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- C:\Windows\system32\svchost.exe (PID 528): C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
- C:\Windows\System32\WaaSMedicAgent.exe (PID 1448): C:\Windows\System32\WaaSMedicAgent.exe 053d967bc206ccf8830e20e0a018cd9d MNusuLHyFka8/xNHP3xHXA.0.1.0.0.0
  - C:\Windows\System32\Conhost.exe (PID 4876): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\system32\svchost.exe (PID 3324): C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- C:\Windows\servicing\TrustedInstaller.exe (PID 4564): C:\Windows\servicing\TrustedInstaller.exe
- C:\Windows\system32\svchost.exe (PID 2644): C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 96f4ed1e6523ea5fd57e457fe8e12977
  SHA1: 9c48d689c0d46dd4b30f3441715a384014993be2
  SHA256: 3e017d7f2bcc0fa41a28f1403d006ab19e46c209b276151c0e53ebda7fe50f64
  SHA512: 51f9c662f29090a940a6d231e8bf607f43368f73e415edc3138b2ae5f47ab7fb8c96f460e0c822549923c33077c2794aa01586941cecf0f2be739f096a351a08
- Filesize: 128KB
  MD5: f99a4ce7033cefaa73cc83babc2b1579
  SHA1: be7a9935e4e64b09adb8aa3f431bc1baedb8bb93
  SHA256: 4539ff1fed008cc275d8e3b9e998332c0d04cb5e65df83131dad408b53a4efba
  SHA512: 7dac6fa9b4594a9e3fe0c6ad4d1631d6f39bd42e74964050887fea079b8517163bad81b1cb5a39cf96bbaf5222c08b7e571078f9946ffaa5d9bd75a3e3997a26