Analysis
-
max time kernel
149s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
08-12-2024 00:41
Static task
static1
Behavioral task
behavioral1
Sample
d46b5e6b67bf9760e57f8c5809cedda4_JaffaCakes118.dll
Resource
win7-20240903-en
General
-
Target
d46b5e6b67bf9760e57f8c5809cedda4_JaffaCakes118.dll
-
Size
120KB
-
MD5
d46b5e6b67bf9760e57f8c5809cedda4
-
SHA1
de77e025f74953f80232346d07d0ef6ca75e6685
-
SHA256
cb304a4747bedfb125dd8be887d3f439877d9134999fe2b6eceea4632cc89618
-
SHA512
e57b637e4a0b2ea5d8d269d181eec23a464d7299cd4f89ba38117e90aeb21f7874afdd9fe2be05a9ad66ef72cf061d0e44f1e0b4be5c4f78c1a3174c37cf0e20
-
SSDEEP
3072:OUwz3ZeWtWkb9Q6f2tlf2rwE2ulVfbSiF0l:0QAb9Hilf28E24GZ
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e579bd2.exe
-
Sality family
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579bd2.exe
-
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577782.exe
-
Executes dropped EXE 3 IoCs
pid | Process
4304 | e577782.exe
4024 | e5778f9.exe
3776 | e579bd2.exe
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e579bd2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577782.exe
-
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577782.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579bd2.exe
-
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | e577782.exe
File opened (read-only) | \??\J: | e577782.exe
File opened (read-only) | \??\E: | e579bd2.exe
File opened (read-only) | \??\H: | e579bd2.exe
File opened (read-only) | \??\E: | e577782.exe
File opened (read-only) | \??\G: | e577782.exe
File opened (read-only) | \??\L: | e577782.exe
File opened (read-only) | \??\M: | e577782.exe
File opened (read-only) | \??\G: | e579bd2.exe
File opened (read-only) | \??\H: | e577782.exe
File opened (read-only) | \??\K: | e577782.exe
-
YARA rule matches (upx)
resource | yara_rule
behavioral2/memory/4304-6-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-7-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-19-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-20-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-32-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-11-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-10-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-9-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-33-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-35-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-34-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-36-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-37-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-38-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-46-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-47-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-57-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-60-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-61-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-63-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-64-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-66-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-67-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-70-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/4304-75-0x0000000000740000-0x00000000017FA000-memory.dmp | upx
behavioral2/memory/3776-99-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/3776-143-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
-
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e57c91c | e579bd2.exe
File created | C:\Windows\e5777df | e577782.exe
File opened for modification | C:\Windows\SYSTEM.INI | e577782.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577782.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5778f9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579bd2.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4304 | e577782.exe
4304 | e577782.exe
4304 | e577782.exe
4304 | e577782.exe
3776 | e579bd2.exe
3776 | e579bd2.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4304 | e577782.exe (this entry is repeated 64 times in the report)
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4440 wrote to memory of 3276 | 4440 | rundll32.exe | 83 (3 identical entries)
PID 3276 wrote to memory of 4304 | 3276 | rundll32.exe | 84 (3 identical entries)
PID 4304 wrote to memory of 780 | 4304 | e577782.exe | 8
PID 4304 wrote to memory of 788 | 4304 | e577782.exe | 9
PID 4304 wrote to memory of 332 | 4304 | e577782.exe | 13
PID 4304 wrote to memory of 2332 | 4304 | e577782.exe | 50
PID 4304 wrote to memory of 2952 | 4304 | e577782.exe | 51
PID 4304 wrote to memory of 1472 | 4304 | e577782.exe | 52
PID 4304 wrote to memory of 3436 | 4304 | e577782.exe | 56
PID 4304 wrote to memory of 3560 | 4304 | e577782.exe | 57
PID 4304 wrote to memory of 3740 | 4304 | e577782.exe | 58
PID 4304 wrote to memory of 3828 | 4304 | e577782.exe | 59
PID 4304 wrote to memory of 3892 | 4304 | e577782.exe | 60
PID 4304 wrote to memory of 4000 | 4304 | e577782.exe | 61
PID 4304 wrote to memory of 428 | 4304 | e577782.exe | 62
PID 4304 wrote to memory of 2928 | 4304 | e577782.exe | 74
PID 4304 wrote to memory of 2132 | 4304 | e577782.exe | 76
PID 4304 wrote to memory of 3404 | 4304 | e577782.exe | 81
PID 4304 wrote to memory of 4440 | 4304 | e577782.exe | 82
PID 4304 wrote to memory of 3276 | 4304 | e577782.exe | 83 (2 identical entries)
PID 3276 wrote to memory of 4024 | 3276 | rundll32.exe | 85 (3 identical entries)
PID 3276 wrote to memory of 3776 | 3276 | rundll32.exe | 86 (3 identical entries)
PID 4304 wrote to memory of 780 | 4304 | e577782.exe | 8
PID 4304 wrote to memory of 788 | 4304 | e577782.exe | 9
PID 4304 wrote to memory of 332 | 4304 | e577782.exe | 13
PID 4304 wrote to memory of 2332 | 4304 | e577782.exe | 50
PID 4304 wrote to memory of 2952 | 4304 | e577782.exe | 51
PID 4304 wrote to memory of 1472 | 4304 | e577782.exe | 52
PID 4304 wrote to memory of 3436 | 4304 | e577782.exe | 56
PID 4304 wrote to memory of 3560 | 4304 | e577782.exe | 57
PID 4304 wrote to memory of 3740 | 4304 | e577782.exe | 58
PID 4304 wrote to memory of 3828 | 4304 | e577782.exe | 59
PID 4304 wrote to memory of 3892 | 4304 | e577782.exe | 60
PID 4304 wrote to memory of 4000 | 4304 | e577782.exe | 61
PID 4304 wrote to memory of 428 | 4304 | e577782.exe | 62
PID 4304 wrote to memory of 2928 | 4304 | e577782.exe | 74
PID 4304 wrote to memory of 2132 | 4304 | e577782.exe | 76
PID 4304 wrote to memory of 3404 | 4304 | e577782.exe | 81
PID 4304 wrote to memory of 4024 | 4304 | e577782.exe | 85 (2 identical entries)
PID 4304 wrote to memory of 3776 | 4304 | e577782.exe | 86 (2 identical entries)
PID 3776 wrote to memory of 780 | 3776 | e579bd2.exe | 8
PID 3776 wrote to memory of 788 | 3776 | e579bd2.exe | 9
PID 3776 wrote to memory of 332 | 3776 | e579bd2.exe | 13
PID 3776 wrote to memory of 2332 | 3776 | e579bd2.exe | 50
PID 3776 wrote to memory of 2952 | 3776 | e579bd2.exe | 51
PID 3776 wrote to memory of 1472 | 3776 | e579bd2.exe | 52
PID 3776 wrote to memory of 3436 | 3776 | e579bd2.exe | 56
PID 3776 wrote to memory of 3560 | 3776 | e579bd2.exe | 57
PID 3776 wrote to memory of 3740 | 3776 | e579bd2.exe | 58
PID 3776 wrote to memory of 3828 | 3776 | e579bd2.exe | 59
PID 3776 wrote to memory of 3892 | 3776 | e579bd2.exe | 60
PID 3776 wrote to memory of 4000 | 3776 | e579bd2.exe | 61
PID 3776 wrote to memory of 428 | 3776 | e579bd2.exe | 62
-
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e579bd2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577782.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 780
-
C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
  PID: 788
-
C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
  PID: 332
-
C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2332
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2952
-
C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 1472
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3436
  -
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d46b5e6b67bf9760e57f8c5809cedda4_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 4440
    -
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d46b5e6b67bf9760e57f8c5809cedda4_JaffaCakes118.dll,#1
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3276
      -
      C:\Users\Admin\AppData\Local\Temp\e577782.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e577782.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 4304
      -
      C:\Users\Admin\AppData\Local\Temp\e5778f9.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e5778f9.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 4024
      -
      C:\Users\Admin\AppData\Local\Temp\e579bd2.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e579bd2.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 3776
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3560
-
C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3740
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3828
-
C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3892
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4000
-
C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 428
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 2928
-
C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2132
-
C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 3404
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
-
Filesize
97KB
MD5
3020401d39dd9e167debc33b803339c5
SHA1
b4df9ad12384a5022b1e4b951709615c58b44782
SHA256
e2185fea69995550d6a42f8e365fa566c137f560159ae77828c709f2689a6eaa
SHA512
1a0bd824235355cc98545f7bdd6352567dd5ed555267eafca7220615e6a4415632db2729a320641a6ef12b8396c9ca540c98f795b74873feeb26c47bae4bb028
-
Filesize
257B
MD5
1d5be8f40f9d2e8d904ba4201efedd20
SHA1
d548f589ba4b64076bce64522d31652cd15cf4d0
SHA256
91a737d1405bd041f95b21f20ead94214211a998eb121fb9055667e80050e9d8
SHA512
b339fe63285102b48f75902913615f88662359d2474ad1934116208c9574569888bb915ef68a959059e79b20f8dc30fcfbfefaed6e1885c7ac3e2170e1f2b8ae