Analysis
max time kernel: 94s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 07:06
Static task: static1
Behavioral task: behavioral1
Sample: e06026354858f1d8b4a512b211b6b842_JaffaCakes118.dll
Resource: win7-20241010-en
General
Target: e06026354858f1d8b4a512b211b6b842_JaffaCakes118.dll
Size: 120KB
MD5: e06026354858f1d8b4a512b211b6b842
SHA1: 6034302391ebf60bbd49bbf92bb95c60b2df5894
SHA256: f1e5cd4488c5b89648dcf6d0be041510a8435269f993a9f0c648dfea7d78bff9
SHA512: 1a1acd1bd3183be6f7d60847bab65aa22dd78f64278d821eb6e122d1e53da690e344f9aa5952e7c350b386660eb337514352027b7317213476a9a4bfcaf064b2
SSDEEP: 3072:0wBhO0+VOfsESiCfJ8cLSQop30LaGAWDWLoHTN:0QU8EESFBn2jpkdxGoHTN
Malware Config
Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service  3 TTPs  6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57a20c.exe
Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a20c.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577abe.exe
Executes dropped EXE  3 IoCs
pid | Process
2364 | e577abe.exe
4808 | e577d2f.exe
664 | e57a20c.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57a20c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577abe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57a20c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57a20c.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a20c.exe
Enumerates connected drives  3 TTPs  12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | e577abe.exe
File opened (read-only) | \??\G: | e577abe.exe
File opened (read-only) | \??\K: | e577abe.exe
File opened (read-only) | \??\L: | e577abe.exe
File opened (read-only) | \??\M: | e577abe.exe
File opened (read-only) | \??\E: | e57a20c.exe
File opened (read-only) | \??\H: | e577abe.exe
File opened (read-only) | \??\I: | e577abe.exe
File opened (read-only) | \??\J: | e577abe.exe
File opened (read-only) | \??\N: | e577abe.exe
File opened (read-only) | \??\G: | e57a20c.exe
File opened (read-only) | \??\H: | e57a20c.exe

resource | yara_rule
behavioral2/memory/2364-7-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-18-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-11-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-10-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-9-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-12-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-30-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-33-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-32-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-19-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-35-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-36-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-37-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-38-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-39-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-57-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-60-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-62-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-63-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-65-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-66-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-67-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-69-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-72-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/2364-76-0x0000000000760000-0x000000000181A000-memory.dmp | upx
behavioral2/memory/664-95-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx
behavioral2/memory/664-143-0x0000000000B40000-0x0000000001BFA000-memory.dmp | upx

Drops file in Windows directory  3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | e577abe.exe
File created | C:\Windows\e57cca6 | e57a20c.exe
File created | C:\Windows\e577b3b | e577abe.exe
System Location Discovery: System Language Discovery  1 TTPs  4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577abe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577d2f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57a20c.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Suspicious behavior: EnumeratesProcesses  6 IoCs
pid | Process
2364 | e577abe.exe
2364 | e577abe.exe
2364 | e577abe.exe
2364 | e577abe.exe
664 | e57a20c.exe
664 | e57a20c.exe
Suspicious use of AdjustPrivilegeToken  64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2364 | e577abe.exe   (64 identical entries)
Suspicious use of WriteProcessMemory  64 IoCs
description | pid | Process | procid_target   (repeated identical entries are collapsed, with their count)
PID 4080 wrote to memory of 2824 | 4080 | rundll32.exe | 82   (3 entries)
PID 2824 wrote to memory of 2364 | 2824 | rundll32.exe | 83   (3 entries)
PID 2364 wrote to memory of 780 | 2364 | e577abe.exe | 8   (2 entries)
PID 2364 wrote to memory of 788 | 2364 | e577abe.exe | 9   (2 entries)
PID 2364 wrote to memory of 1020 | 2364 | e577abe.exe | 13   (2 entries)
PID 2364 wrote to memory of 2316 | 2364 | e577abe.exe | 51   (2 entries)
PID 2364 wrote to memory of 1400 | 2364 | e577abe.exe | 52   (2 entries)
PID 2364 wrote to memory of 3104 | 2364 | e577abe.exe | 53   (2 entries)
PID 2364 wrote to memory of 3392 | 2364 | e577abe.exe | 56   (2 entries)
PID 2364 wrote to memory of 3556 | 2364 | e577abe.exe | 57   (2 entries)
PID 2364 wrote to memory of 3740 | 2364 | e577abe.exe | 58   (2 entries)
PID 2364 wrote to memory of 3836 | 2364 | e577abe.exe | 59   (2 entries)
PID 2364 wrote to memory of 3900 | 2364 | e577abe.exe | 60   (2 entries)
PID 2364 wrote to memory of 3984 | 2364 | e577abe.exe | 61   (2 entries)
PID 2364 wrote to memory of 3384 | 2364 | e577abe.exe | 62   (2 entries)
PID 2364 wrote to memory of 400 | 2364 | e577abe.exe | 75   (2 entries)
PID 2364 wrote to memory of 1852 | 2364 | e577abe.exe | 76   (2 entries)
PID 2364 wrote to memory of 4080 | 2364 | e577abe.exe | 81   (1 entry)
PID 2364 wrote to memory of 2824 | 2364 | e577abe.exe | 82   (2 entries)
PID 2824 wrote to memory of 4808 | 2824 | rundll32.exe | 84   (3 entries)
PID 2824 wrote to memory of 664 | 2824 | rundll32.exe | 85   (3 entries)
PID 2364 wrote to memory of 4808 | 2364 | e577abe.exe | 84   (2 entries)
PID 2364 wrote to memory of 664 | 2364 | e577abe.exe | 85   (2 entries)
PID 664 wrote to memory of 780 | 664 | e57a20c.exe | 8
PID 664 wrote to memory of 788 | 664 | e57a20c.exe | 9
PID 664 wrote to memory of 1020 | 664 | e57a20c.exe | 13
PID 664 wrote to memory of 2316 | 664 | e57a20c.exe | 51
PID 664 wrote to memory of 1400 | 664 | e57a20c.exe | 52
PID 664 wrote to memory of 3104 | 664 | e57a20c.exe | 53
PID 664 wrote to memory of 3392 | 664 | e57a20c.exe | 56
PID 664 wrote to memory of 3556 | 664 | e57a20c.exe | 57
PID 664 wrote to memory of 3740 | 664 | e57a20c.exe | 58
PID 664 wrote to memory of 3836 | 664 | e57a20c.exe | 59
PID 664 wrote to memory of 3900 | 664 | e57a20c.exe | 60
PID 664 wrote to memory of 3984 | 664 | e57a20c.exe | 61
PID 664 wrote to memory of 3384 | 664 | e57a20c.exe | 62
PID 664 wrote to memory of 400 | 664 | e57a20c.exe | 75
PID 664 wrote to memory of 1852 | 664 | e57a20c.exe | 76
System policy modification  1 TTPs  2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577abe.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57a20c.exe
Processes
image | command line | PID   (indentation reflects the reported process-tree depth; signatures triggered by a process are listed beneath it)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID: 780
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID: 788
C:\Windows\system32\dwm.exe | "dwm.exe" | PID: 1020
C:\Windows\system32\sihost.exe | sihost.exe | PID: 2316
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID: 1400
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID: 3104
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID: 3392
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06026354858f1d8b4a512b211b6b842_JaffaCakes118.dll,#1 | PID: 4080
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\e06026354858f1d8b4a512b211b6b842_JaffaCakes118.dll,#1 | PID: 2824
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e577abe.exe | C:\Users\Admin\AppData\Local\Temp\e577abe.exe | PID: 2364
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e577d2f.exe | C:\Users\Admin\AppData\Local\Temp\e577d2f.exe | PID: 4808
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\e57a20c.exe | C:\Users\Admin\AppData\Local\Temp\e57a20c.exe | PID: 664
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID: 3556
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 3740
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID: 3836
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3900
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID: 3984
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3384
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID: 400
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 1852
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 533df28da5f415137b44c9c7b0e80935
SHA1: e74ea0808dab246319a12042e95b0e1d5cfdf513
SHA256: 41b96a9a92cadfefdc179f644bc01b7caccc3f3a3b370765cf155d51b68da697
SHA512: 4bcc9a92055f0c6d70651074bcb825f9d6e756ee5d8873371034e780b61291b3a3a16edc3f29ce402c8bc897c4f031809bda4a1bed41c79222d18b200c0844ef

Filesize: 257B
MD5: c0765cebdd9105eaeed16099651013d1
SHA1: 073002c00ce739d016e6336d9e2a9ab812d0f263
SHA256: fd6c34111156c90c34f358f9d890c27147e9d378f63a10855de4e98280735908
SHA512: 74678cacd55a66ea0593d3ca10c1817e93903db96688d6318c36498f9d9e1dcadae3f3ed774e52d3be63ef034145bd441e7490ee1aa12ac0f6dd5147062865e9