Analysis
max time kernel: 94s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 10:11

Static task: static1
Behavioral task: behavioral1
Sample: d1e8bb3aeea615b55a273c56de13a657_JaffaCakes118.dll
Resource: win7-20240903-en
General
Target: d1e8bb3aeea615b55a273c56de13a657_JaffaCakes118.dll
Size: 120KB
MD5: d1e8bb3aeea615b55a273c56de13a657
SHA1: f0ca8b3e24ab0e523271bd398ebf842bfde05e3b
SHA256: e7544e995e7c96878ec0941e240f33a1be94dcde6905ad5d7af9a777c9dd3a84
SHA512: 37f4345e944476f224dacde973f046bbf75afde6e9924cafa4a82bda9ce68198c1fe4e2e9cbf2bb01e497d246d5521cd17acae996f6102cce2ab792896630587
SSDEEP: 3072:xWNvFAjFZ+caA5WeEdwkFKjXD4W/bg6lWlBOWCQAOxox:xcvFAjb+caA5We94mcSMXCJNx
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57f84a.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f84a.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f84a.exe
Executes dropped EXE (3 IoCs)
pid | Process
1372 | e57bbfd.exe
3732 | e57c023.exe
1700 | e57f84a.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57bbfd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57f84a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57f84a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57f84a.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f84a.exe
Enumerates connected drives (3 TTPs, 8 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | e57bbfd.exe
File opened (read-only) | \??\I: | e57bbfd.exe
File opened (read-only) | \??\J: | e57bbfd.exe
File opened (read-only) | \??\E: | e57f84a.exe
File opened (read-only) | \??\G: | e57f84a.exe
File opened (read-only) | \??\H: | e57f84a.exe
File opened (read-only) | \??\E: | e57bbfd.exe
File opened (read-only) | \??\G: | e57bbfd.exe

Yara rule match: upx
resource | yara_rule
behavioral2/memory/1372-6-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-10-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-8-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-9-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-28-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-30-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-17-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-33-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-32-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-11-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-35-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-36-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-40-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-41-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-42-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-44-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-52-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-55-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-58-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-59-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1372-61-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1700-87-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1700-89-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1700-93-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1700-92-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/1700-135-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e57bca9 | e57bbfd.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57bbfd.exe
File created | C:\Windows\e582025 | e57f84a.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57bbfd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57c023.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57f84a.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1372 | e57bbfd.exe (4 entries)
1700 | e57f84a.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1372 | e57bbfd.exe (this row is repeated 64 times in the report)
Suspicious use of WriteProcessMemory (63 IoCs)
description | pid | Process | procid_target
PID 4036 wrote to memory of 2712 | 4036 | rundll32.exe | 82 (3 entries)
PID 2712 wrote to memory of 1372 | 2712 | rundll32.exe | 83 (3 entries)
PID 1372 wrote to memory of 768 | 1372 | e57bbfd.exe | 8
PID 1372 wrote to memory of 776 | 1372 | e57bbfd.exe | 9
PID 1372 wrote to memory of 1020 | 1372 | e57bbfd.exe | 13
PID 1372 wrote to memory of 3064 | 1372 | e57bbfd.exe | 50
PID 1372 wrote to memory of 2156 | 1372 | e57bbfd.exe | 51
PID 1372 wrote to memory of 3100 | 1372 | e57bbfd.exe | 52
PID 1372 wrote to memory of 3500 | 1372 | e57bbfd.exe | 56
PID 1372 wrote to memory of 3636 | 1372 | e57bbfd.exe | 57
PID 1372 wrote to memory of 3808 | 1372 | e57bbfd.exe | 58
PID 1372 wrote to memory of 3908 | 1372 | e57bbfd.exe | 59
PID 1372 wrote to memory of 4004 | 1372 | e57bbfd.exe | 60
PID 1372 wrote to memory of 3364 | 1372 | e57bbfd.exe | 61
PID 1372 wrote to memory of 4124 | 1372 | e57bbfd.exe | 62
PID 1372 wrote to memory of 2288 | 1372 | e57bbfd.exe | 64
PID 1372 wrote to memory of 3192 | 1372 | e57bbfd.exe | 76
PID 1372 wrote to memory of 4036 | 1372 | e57bbfd.exe | 81
PID 1372 wrote to memory of 2712 | 1372 | e57bbfd.exe | 82 (2 entries)
PID 2712 wrote to memory of 3732 | 2712 | rundll32.exe | 84 (3 entries)
PID 1372 wrote to memory of 768 | 1372 | e57bbfd.exe | 8
PID 1372 wrote to memory of 776 | 1372 | e57bbfd.exe | 9
PID 1372 wrote to memory of 1020 | 1372 | e57bbfd.exe | 13
PID 1372 wrote to memory of 3064 | 1372 | e57bbfd.exe | 50
PID 1372 wrote to memory of 2156 | 1372 | e57bbfd.exe | 51
PID 1372 wrote to memory of 3100 | 1372 | e57bbfd.exe | 52
PID 1372 wrote to memory of 3500 | 1372 | e57bbfd.exe | 56
PID 1372 wrote to memory of 3636 | 1372 | e57bbfd.exe | 57
PID 1372 wrote to memory of 3808 | 1372 | e57bbfd.exe | 58
PID 1372 wrote to memory of 3908 | 1372 | e57bbfd.exe | 59
PID 1372 wrote to memory of 4004 | 1372 | e57bbfd.exe | 60
PID 1372 wrote to memory of 3364 | 1372 | e57bbfd.exe | 61
PID 1372 wrote to memory of 4124 | 1372 | e57bbfd.exe | 62
PID 1372 wrote to memory of 2288 | 1372 | e57bbfd.exe | 64
PID 1372 wrote to memory of 3192 | 1372 | e57bbfd.exe | 76
PID 1372 wrote to memory of 4036 | 1372 | e57bbfd.exe | 81
PID 1372 wrote to memory of 3732 | 1372 | e57bbfd.exe | 84 (2 entries)
PID 2712 wrote to memory of 1700 | 2712 | rundll32.exe | 85 (3 entries)
PID 1700 wrote to memory of 768 | 1700 | e57f84a.exe | 8
PID 1700 wrote to memory of 776 | 1700 | e57f84a.exe | 9
PID 1700 wrote to memory of 1020 | 1700 | e57f84a.exe | 13
PID 1700 wrote to memory of 3064 | 1700 | e57f84a.exe | 50
PID 1700 wrote to memory of 2156 | 1700 | e57f84a.exe | 51
PID 1700 wrote to memory of 3100 | 1700 | e57f84a.exe | 52
PID 1700 wrote to memory of 3500 | 1700 | e57f84a.exe | 56
PID 1700 wrote to memory of 3636 | 1700 | e57f84a.exe | 57
PID 1700 wrote to memory of 3808 | 1700 | e57f84a.exe | 58
PID 1700 wrote to memory of 3908 | 1700 | e57f84a.exe | 59
PID 1700 wrote to memory of 4004 | 1700 | e57f84a.exe | 60
PID 1700 wrote to memory of 3364 | 1700 | e57f84a.exe | 61
PID 1700 wrote to memory of 4124 | 1700 | e57f84a.exe | 62
PID 1700 wrote to memory of 2288 | 1700 | e57f84a.exe | 64
PID 1700 wrote to memory of 3192 | 1700 | e57f84a.exe | 76
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57bbfd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57f84a.exe
Processes
(path | command line | PID; indentation shows the parent/child relationship, signatures listed under each process)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 768
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 776
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 1020
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 3064
C:\Windows\system32\sihost.exe | sihost.exe | PID 2156
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3100
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3500
    C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e8bb3aeea615b55a273c56de13a657_JaffaCakes118.dll,#1 | PID 4036
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e8bb3aeea615b55a273c56de13a657_JaffaCakes118.dll,#1 | PID 2712
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e57bbfd.exe | C:\Users\Admin\AppData\Local\Temp\e57bbfd.exe | PID 1372
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e57c023.exe | C:\Users\Admin\AppData\Local\Temp\e57c023.exe | PID 3732
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
            C:\Users\Admin\AppData\Local\Temp\e57f84a.exe | C:\Users\Admin\AppData\Local\Temp\e57f84a.exe | PID 1700
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3636
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3808
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3908
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4004
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3364
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4124
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2288
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 3192
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)

Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 97KB
MD5: d5ce09d61788d38e66319ae18ee5aba7
SHA1: 133336764a3ed736484256be9e89ee890abc7ede
SHA256: 9877043695447e3eb2da5d09367f17fb2b7448406569f2f466015ccc5728a506
SHA512: 26449fb3a93dfea24323023b07e681a922dc0d55e689335bc3a52dfa097722fe7c73698b9b7206801348bfbbd6bf44c6497e5ff760630c327ea5776b29c8b244

Filesize: 257B
MD5: f96cea43f101d06793c377d5c2645134
SHA1: 92a2cca6eaa96a83107ad051f245fdb9babdbd43
SHA256: 643b198434e29decfa64bbc1d5934808603ff5561425ceb4607c648bcfb9920f
SHA512: 80de877bdd999cc860e0936dae9fb14a18a0a3b1ea926b0bbce9f291ac18fff527a244807b55827743510150a4eb42274386103d9d036f7e26cb6148c1bdbb90