Analysis
- max time kernel: 140s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 02-12-2024 08:23
Behavioral task: behavioral1
Sample: b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
Resource: win7-20240903-en
General
- Target: b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
- Size: 53KB
- MD5: b7b60f40d54acafc51e9d9085173d178
- SHA1: 6df5521548d757c6c3b733aeea0a7c4769296efb
- SHA256: d8556a5f40b0e2f1e8b573fa30bd9bfc194e45cf315021a90ccb5f68f5239617
- SHA512: 74876d685803a674c6cf6897798b19c0e37931e439fdf45d8fe6e65b7c017d7409ac5a55c1fe8a425e6d586cc40f830b89ffc1f5d8b33695efd6b0ce711e3130
- SSDEEP: 768:MRSL/qpe0RYzIVz85KpBw+qLTSijd1qCtzlXa1ZYRG28uhog+fTT7nmBBUnXG17l:MRSAZ7VhKDTSijd1q0E2higi+snXw7nl
Malware Config
- Extracted: gozi
Signatures
- Gozi family
- ACProtect 1.3x - 1.4x DLL software (5 IoCs)
  Detects file using ACProtect software.
  resource | yara_rule
  behavioral2/files/0x000a000000023b90-3.dat | acprotect
  behavioral2/memory/2780-7-0x00000000021F0000-0x00000000021F7000-memory.dmp | acprotect
  behavioral2/memory/2780-21-0x00000000021F0000-0x00000000021F7000-memory.dmp | acprotect
  behavioral2/memory/556-32-0x00000000006C0000-0x00000000006C7000-memory.dmp | acprotect
  behavioral2/memory/556-35-0x00000000006C0000-0x00000000006C7000-memory.dmp | acprotect
- Executes dropped EXE (1 IoCs)
  pid | Process
  556 | taskdir.exe
- Loads dropped DLL (5 IoCs)
  pid | Process
  2780 | b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
  2780 | b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
  556 | taskdir.exe
  556 | taskdir.exe
  556 | taskdir.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskdir = "C:\\Windows\\system32\\taskdir.exe" | b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
- Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\taskdir.exe | taskdir.exe
  File created | C:\Windows\SysWOW64\zlbw.dll | taskdir.exe
  File created | C:\Windows\SysWOW64\adir.dll | b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\taskdir.exe | b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\taskdir.exe | b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\adir.dll | taskdir.exe
- yara_rule: upx (14 IoCs)
  resource | yara_rule
  behavioral2/memory/2780-0-0x0000000000400000-0x0000000000492000-memory.dmp | upx
  behavioral2/memory/2780-1-0x0000000000400000-0x0000000000492000-memory.dmp | upx
  behavioral2/files/0x000a000000023b90-3.dat | upx
  behavioral2/memory/2780-7-0x00000000021F0000-0x00000000021F7000-memory.dmp | upx
  behavioral2/files/0x000a000000023b91-15.dat | upx
  behavioral2/memory/2780-21-0x00000000021F0000-0x00000000021F7000-memory.dmp | upx
  behavioral2/memory/2780-20-0x0000000000400000-0x0000000000492000-memory.dmp | upx
  behavioral2/memory/556-31-0x0000000000400000-0x0000000000492000-memory.dmp | upx
  behavioral2/memory/556-32-0x00000000006C0000-0x00000000006C7000-memory.dmp | upx
  behavioral2/memory/556-29-0x0000000000400000-0x0000000000492000-memory.dmp | upx
  behavioral2/memory/556-35-0x00000000006C0000-0x00000000006C7000-memory.dmp | upx
  behavioral2/memory/556-36-0x0000000000400000-0x0000000000492000-memory.dmp | upx
  behavioral2/memory/556-40-0x0000000000400000-0x0000000000492000-memory.dmp | upx
  behavioral2/memory/556-50-0x0000000000400000-0x0000000000492000-memory.dmp | upx
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskdir.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2780 | b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
  2780 | b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
  556 | taskdir.exe
  556 | taskdir.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2780 | b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe
  Token: SeDebugPrivilege | 556 | taskdir.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Every entry has pid 2780 (b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe) writing to the memory of another process. Listed as target PID (procid_target):
  616 (5), 676 (7), 780 (8), 784 (9), 796 (10), 904 (11), 956 (12), 376 (13), 436 (14), 608 (15), 1052 (16), 1088 (17),
  1096 (18), 1168 (19), 1180 (20), 1260 (21), 1296 (22), 1344 (23), 1380 (24), 1512 (25), 1540 (26), 1548 (27), 1596 (28), 1712 (29),
  1752 (30), 1772 (31), 1912 (32), 1992 (33), 2012 (34), 2064 (35), 2072 (36), 2120 (37), 2212 (38), 2320 (39), 2452 (40), 2496 (41),
  2584 (42), 2596 (43), 2684 (44), 2708 (45), 2768 (46), 2784 (47), 2820 (48), 2904 (49), 2920 (50), 2956 (51), 2964 (52), 3268 (54),
  3308 (55), 3508 (56), 3668 (57), 3864 (58), 3964 (59), 4068 (60), 2472 (61), 4116 (62), 3332 (65), 4808 (66), 1792 (68), 4652 (69),
  4404 (70), 3572 (71), 3780 (72), 1940 (73)
Processes
path | command line | PID (child processes are indented under their parent)

C:\Windows\system32\winlogon.exe | winlogon.exe | PID:616
    C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
    C:\Windows\system32\dwm.exe | "dwm.exe" | PID:376
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:676
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | PID:796
    C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID:3268
    C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3864
    C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3964
    C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4068
    C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:2472
    C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4116
    C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | PID:3572
    C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:1940
    C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1696
    C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2168
    C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | PID:1928
    C:\Windows\System32\mousocoreworker.exe | C:\Windows\System32\mousocoreworker.exe -Embedding | PID:4816
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p | PID:904
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID:956
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID:436
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID:608
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | PID:1052
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID:1088
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID:1096
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID:1168
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID:1180
    C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2708
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID:1260
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID:1296
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID:1344
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID:1380
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID:1512
    C:\Windows\system32\sihost.exe | sihost.exe | PID:2584
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID:1540
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID:1548
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | PID:1596
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID:1712
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID:1752
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | PID:1772
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1912
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | PID:1992
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID:2012
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:2064
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID:2072
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID:2120
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID:2212
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:2320
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | PID:2452
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID:2496
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2596
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker | PID:2684
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID:2768
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID:2784
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID:2820
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID:2904
C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID:2920
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID:2956
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID:2964
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID:3308
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3508
    C:\Users\Admin\AppData\Local\Temp\b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe" | PID:2780
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\taskdir.exe | b7b60f40d54acafc51e9d9085173d178_JaffaCakes118.exe | PID:556
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3668
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc | PID:3332
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | PID:4808
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | PID:1792
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | PID:4652
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID:4404
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | PID:3780
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc | PID:692
C:\Windows\System32\WaaSMedicAgent.exe | C:\Windows\System32\WaaSMedicAgent.exe 1054da5bde2098330eee41ef1a4cb8be M2x69LuIpEqUtp0rkdEslA.0.1.0.0.0 | PID:3600
    C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3704
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | PID:1460
C:\Windows\servicing\TrustedInstaller.exe | C:\Windows\servicing\TrustedInstaller.exe | PID:1012
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc | PID:1560
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4KB
  MD5: 98ac73e7f16bee91997972938a5a15ec
  SHA1: f50d881d892db1c0ead85b3354983aea83b00556
  SHA256: 49f126f41d3fa235cb2cfbb9feaba1770228c6b90b4cdb37d127c13cd118eabe
  SHA512: 0625f5f5c4b29004b22ee14255d06356706472afb611ae97bd8fe281af88d956b6f8b4c7c345a00116694816ba5d9fae2f5400d520d5d9a2fc152ddb9459999d
- Filesize: 53KB
  MD5: b7b60f40d54acafc51e9d9085173d178
  SHA1: 6df5521548d757c6c3b733aeea0a7c4769296efb
  SHA256: d8556a5f40b0e2f1e8b573fa30bd9bfc194e45cf315021a90ccb5f68f5239617
  SHA512: 74876d685803a674c6cf6897798b19c0e37931e439fdf45d8fe6e65b7c017d7409ac5a55c1fe8a425e6d586cc40f830b89ffc1f5d8b33695efd6b0ce711e3130
- Filesize: 45KB
  MD5: f42601d4ac18bb06d830b6f8e4500adf
  SHA1: 66ff00d72ed68fa417638b514610c7cf611ddb90
  SHA256: 2c54ec6433444a5173a38c75f46c8bec63f90c3ed6efea20beac76c67bc27c95
  SHA512: 8011e932f363fd5730a2cf27ca36a8b62e1c1e61d188bb08b6aad927e2b1a06f8b2ee1c26fff4863fa99d1675fc72d4159b331a3ae25acee0b18e3e41dcb741f