Analysis
max time kernel: 94s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2024 01:21
Static task: static1
Behavioral task: behavioral1
Sample: d490bad709a7d91e203aaa1f22b634ba_JaffaCakes118.dll
Resource: win7-20240708-en
General
Target: d490bad709a7d91e203aaa1f22b634ba_JaffaCakes118.dll
Size: 120KB
MD5: d490bad709a7d91e203aaa1f22b634ba
SHA1: 4dc62b954e2d323ca36c2a870c8030ee0705d47c
SHA256: c6dafefda47e65567f1e1845955f2282b0c3a943f45c62bb3abc63459a8a1fb4
SHA512: 9453ec5db32d2a6674a5f5a93748453f0e45f7986a89fe210a4683ba53230592803d821f33c35f1abf54c2e8ac13e2ac12379509e1e405eac302592dc90e4233
SSDEEP: 1536:vEPG3K6QDzgJqiGqrEkf+rvmGd1YO3vK0kYrz+fKvt/vp4vlWiJvAECr7ksuZDo1:vEPG3GDIquEm+KAbiyz+SBEoQAECr7p
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57a662.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57a662.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57a662.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57cc58.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57cc58.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57cc58.exe)
Sality family
UAC bypass (2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57a662.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57cc58.exe)
Windows security bypass (12 IoCs), all under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\, each set by both e57a662.exe and e57cc58.exe:
- Set value (int) AntiVirusDisableNotify = "1"
- Set value (int) AntiVirusOverride = "1"
- Set value (int) FirewallDisableNotify = "1"
- Set value (int) FirewallOverride = "1"
- Set value (int) UacDisableNotify = "1"
- Set value (int) UpdatesDisableNotify = "1"
Executes dropped EXE (3 IoCs)
- PID 4740: e57a662.exe
- PID 2808: e57a930.exe
- PID 3356: e57cc58.exe
Windows security modification (14 IoCs), all under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\, each by both e57a662.exe and e57cc58.exe:
- Key created Svc
- Set value (int) AntiVirusDisableNotify = "1"
- Set value (int) AntiVirusOverride = "1"
- Set value (int) FirewallDisableNotify = "1"
- Set value (int) FirewallOverride = "1"
- Set value (int) UacDisableNotify = "1"
- Set value (int) UpdatesDisableNotify = "1"
Checks whether UAC is enabled (2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57cc58.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57a662.exe)
Enumerates connected drives (3 TTPs, 12 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N: (e57a662.exe)
- File opened (read-only) \??\E:, \??\G:, \??\H: (e57cc58.exe)
Memory yara rule match: upx (28 resources)
- behavioral2/memory/4740-N-0x0000000000790000-0x000000000184A000-memory.dmp for N in 6, 8, 9, 10, 11, 21, 30, 32, 33, 34, 35, 36, 37, 38, 39, 49, 56, 61, 63, 65, 66, 68, 70, 72, 74, 75
- behavioral2/memory/3356-N-0x0000000000B20000-0x0000000001BDA000-memory.dmp for N in 99, 143
Drops file in Program Files directory (3 IoCs)
- File opened for modification C:\Program Files\7-Zip\7z.exe (e57a662.exe)
- File opened for modification C:\Program Files\7-Zip\7zFM.exe (e57a662.exe)
- File opened for modification C:\Program Files\7-Zip\7zG.exe (e57a662.exe)
Drops file in Windows directory (3 IoCs)
- File created C:\Windows\e57a72d (e57a662.exe)
- File opened for modification C:\Windows\SYSTEM.INI (e57a662.exe)
- File created C:\Windows\e57f9b2 (e57cc58.exe)
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57a662.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57a930.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57cc58.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 4740: e57a662.exe (4 entries)
- PID 3356: e57cc58.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 4740, e57a662.exe (all 64 entries are this same token/process pair)
Suspicious use of WriteProcessMemory (64 IoCs), grouped by writing process; target PIDs with their procid_target index in parentheses:
- PID 3088 rundll32.exe wrote to memory of 3592 (82), 3 entries
- PID 3592 rundll32.exe wrote to memory of 4740 (83), 3 entries
- PID 4740 e57a662.exe wrote to memory of 796 (9), 800 (10), 332 (13), 2568 (44), 2576 (45), 2692 (47), 3416 (56), 3540 (57), 3744 (58), 3836 (59), 3900 (60), 4004 (61), 3560 (62), 1040 (74), 4520 (75), 4476 (80), 2 entries each; 3088 (81), 1 entry; 3592 (82), 2808 (84), 3356 (86), 2 entries each
- PID 3592 rundll32.exe wrote to memory of 2808 (84), 3 entries, and 3356 (86), 3 entries
- PID 3356 e57cc58.exe wrote to memory of 796 (9), 800 (10), 332 (13), 2568 (44), 2576 (45), 2692 (47), 3416 (56), 3540 (57), 3744 (58), 3836 (59), 3900 (60), 4004 (61), 3560 (62), 1 entry each
System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57a662.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57cc58.exe)
Processes (image path, command line, PID; nesting shows parent/child)
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:796
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe") PID:800
- C:\Windows\system32\dwm.exe ("dwm.exe") PID:332
- C:\Windows\system32\sihost.exe (sihost.exe) PID:2568
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc) PID:2576
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}) PID:2692
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE) PID:3416
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\d490bad709a7d91e203aaa1f22b634ba_JaffaCakes118.dll,#1) PID:3088
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\d490bad709a7d91e203aaa1f22b634ba_JaffaCakes118.dll,#1) PID:3592
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57a662.exe (C:\Users\Admin\AppData\Local\Temp\e57a662.exe) PID:4740
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57a930.exe (C:\Users\Admin\AppData\Local\Temp\e57a930.exe) PID:2808
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57cc58.exe (C:\Users\Admin\AppData\Local\Temp\e57cc58.exe) PID:3356
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc) PID:3540
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) PID:3744
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca) PID:3836
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3900
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca) PID:4004
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:3560
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe ("C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca) PID:1040
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding) PID:4520
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca) PID:4476
- C:\Windows\system32\backgroundTaskHost.exe ("C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca) PID:4636
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 2ea5b245fd74a96d63bcb80b996b285b
  SHA1: 13af52f29d5b56ee7d2c22a59c88094a6fad6e40
  SHA256: 2b3d643b9bfd9bc80a5cd835a6b0bbbaf75c5a356bfa01c4e665b941ca455d14
  SHA512: 5516afeaef3c303e750f1008159676a4af7e29cff327176b74ff853b54f1424a1f67b0a050fd91297bd87f944bee60f34b33f33d097c08e3620b6a70c305db07
- Filesize: 257B
  MD5: 12dc71a97a4cad62415051713e54b03d
  SHA1: 3daca990adc2c2b0b01093707a19e8b2494044b6
  SHA256: 42fce4f2b70e20676e8f0bee404e7bdb5c719d14f9e264e1f7a3a021cc73d79b
  SHA512: 2cd4d33b8b86ca89268aa88f89f92cd131d6767ab314950e672e63cbf39909f20efb777eda0d8b8d59139353c7337e66e9866fb29c2cf1ea20f5a1eeeb015c14