Analysis
- max time kernel: 95s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-12-2024 23:40
Static task
- static1
Behavioral task
- behavioral1
- Sample: f141d95f050fc4581c8661df64539d76_JaffaCakes118.dll
- Resource: win7-20240903-en
General
- Target: f141d95f050fc4581c8661df64539d76_JaffaCakes118.dll
- Size: 120KB
- MD5: f141d95f050fc4581c8661df64539d76
- SHA1: 019a50f80ae9cc9a535226a1aed5c13ac2f76c05
- SHA256: e0a556d7144fff4cff0366901441197e6b02ddf7a5ca02f80fafde1cd8990f87
- SHA512: d17553b5f041d50d8cbf891cca2323181d257c335f4e93b05999da4903f0b6815adf78a10bb197c5525ff5ae4378fc7265746332725ea3fda69f628d8cbd516c
- SSDEEP: 3072:UTxBqc9P5UzF9jq5Y6tAlpQPGVxCEgu14EE:iBV9By3q5YSrPGVguZE
Malware Config
Extracted
- sality
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e5791a1.exe)
Sality family
UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57b8a1.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57b8a1.exe)
Executes dropped EXE 3 IoCs
- PID 5068 e5791a1.exe
- PID 1576 e579923.exe
- PID 2288 e57b8a1.exe
Windows security modification
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57b8a1.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57b8a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57b8a1.exe)
Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57b8a1.exe)
Enumerates connected drives 3 TTPs 10 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\G: (e5791a1.exe)
- File opened (read-only) \??\J: (e5791a1.exe)
- File opened (read-only) \??\M: (e5791a1.exe)
- File opened (read-only) \??\G: (e57b8a1.exe)
- File opened (read-only) \??\E: (e5791a1.exe)
- File opened (read-only) \??\I: (e5791a1.exe)
- File opened (read-only) \??\K: (e5791a1.exe)
- File opened (read-only) \??\L: (e5791a1.exe)
- File opened (read-only) \??\E: (e57b8a1.exe)
- File opened (read-only) \??\H: (e5791a1.exe)
resource yara_rule
- behavioral2/memory/5068-6-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-7-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-9-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-10-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-13-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-12-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-14-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-11-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-29-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-27-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-20-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-36-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-37-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-38-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-39-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-40-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-50-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-59-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-62-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-63-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-64-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-65-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-67-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-70-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/5068-74-0x0000000000780000-0x000000000183A000-memory.dmp upx
- behavioral2/memory/2288-97-0x0000000000B40000-0x0000000001BFA000-memory.dmp upx
- behavioral2/memory/2288-139-0x0000000000B40000-0x0000000001BFA000-memory.dmp upx
Drops file in Windows directory 3 IoCs
- File created C:\Windows\e5791ef (e5791a1.exe)
- File opened for modification C:\Windows\SYSTEM.INI (e5791a1.exe)
- File created C:\Windows\e57e87b (e57b8a1.exe)
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e5791a1.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e579923.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (e57b8a1.exe)
Suspicious behavior: EnumeratesProcesses 6 IoCs
- PID 5068 e5791a1.exe
- PID 5068 e5791a1.exe
- PID 5068 e5791a1.exe
- PID 5068 e5791a1.exe
- PID 2288 e57b8a1.exe
- PID 2288 e57b8a1.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
- Token: SeDebugPrivilege PID 5068 e5791a1.exe (this identical row is reported 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
- PID 2756 wrote to memory of 4036  2756  rundll32.exe  83
- PID 2756 wrote to memory of 4036  2756  rundll32.exe  83
- PID 2756 wrote to memory of 4036  2756  rundll32.exe  83
- PID 4036 wrote to memory of 5068  4036  rundll32.exe  84
- PID 4036 wrote to memory of 5068  4036  rundll32.exe  84
- PID 4036 wrote to memory of 5068  4036  rundll32.exe  84
- PID 5068 wrote to memory of 780  5068  e5791a1.exe  8
- PID 5068 wrote to memory of 788  5068  e5791a1.exe  9
- PID 5068 wrote to memory of 316  5068  e5791a1.exe  13
- PID 5068 wrote to memory of 2860  5068  e5791a1.exe  49
- PID 5068 wrote to memory of 2936  5068  e5791a1.exe  50
- PID 5068 wrote to memory of 2988  5068  e5791a1.exe  51
- PID 5068 wrote to memory of 3380  5068  e5791a1.exe  56
- PID 5068 wrote to memory of 3536  5068  e5791a1.exe  57
- PID 5068 wrote to memory of 3736  5068  e5791a1.exe  58
- PID 5068 wrote to memory of 3832  5068  e5791a1.exe  59
- PID 5068 wrote to memory of 3908  5068  e5791a1.exe  60
- PID 5068 wrote to memory of 3992  5068  e5791a1.exe  61
- PID 5068 wrote to memory of 4176  5068  e5791a1.exe  62
- PID 5068 wrote to memory of 372  5068  e5791a1.exe  75
- PID 5068 wrote to memory of 3624  5068  e5791a1.exe  76
- PID 5068 wrote to memory of 2204  5068  e5791a1.exe  81
- PID 5068 wrote to memory of 2756  5068  e5791a1.exe  82
- PID 5068 wrote to memory of 4036  5068  e5791a1.exe  83
- PID 5068 wrote to memory of 4036  5068  e5791a1.exe  83
- PID 4036 wrote to memory of 1576  4036  rundll32.exe  85
- PID 4036 wrote to memory of 1576  4036  rundll32.exe  85
- PID 4036 wrote to memory of 1576  4036  rundll32.exe  85
- PID 4036 wrote to memory of 2288  4036  rundll32.exe  86
- PID 4036 wrote to memory of 2288  4036  rundll32.exe  86
- PID 4036 wrote to memory of 2288  4036  rundll32.exe  86
- PID 5068 wrote to memory of 780  5068  e5791a1.exe  8
- PID 5068 wrote to memory of 788  5068  e5791a1.exe  9
- PID 5068 wrote to memory of 316  5068  e5791a1.exe  13
- PID 5068 wrote to memory of 2860  5068  e5791a1.exe  49
- PID 5068 wrote to memory of 2936  5068  e5791a1.exe  50
- PID 5068 wrote to memory of 2988  5068  e5791a1.exe  51
- PID 5068 wrote to memory of 3380  5068  e5791a1.exe  56
- PID 5068 wrote to memory of 3536  5068  e5791a1.exe  57
- PID 5068 wrote to memory of 3736  5068  e5791a1.exe  58
- PID 5068 wrote to memory of 3832  5068  e5791a1.exe  59
- PID 5068 wrote to memory of 3908  5068  e5791a1.exe  60
- PID 5068 wrote to memory of 3992  5068  e5791a1.exe  61
- PID 5068 wrote to memory of 4176  5068  e5791a1.exe  62
- PID 5068 wrote to memory of 372  5068  e5791a1.exe  75
- PID 5068 wrote to memory of 3624  5068  e5791a1.exe  76
- PID 5068 wrote to memory of 2204  5068  e5791a1.exe  81
- PID 5068 wrote to memory of 1576  5068  e5791a1.exe  85
- PID 5068 wrote to memory of 1576  5068  e5791a1.exe  85
- PID 5068 wrote to memory of 2288  5068  e5791a1.exe  86
- PID 5068 wrote to memory of 2288  5068  e5791a1.exe  86
- PID 2288 wrote to memory of 780  2288  e57b8a1.exe  8
- PID 2288 wrote to memory of 788  2288  e57b8a1.exe  9
- PID 2288 wrote to memory of 316  2288  e57b8a1.exe  13
- PID 2288 wrote to memory of 2860  2288  e57b8a1.exe  49
- PID 2288 wrote to memory of 2936  2288  e57b8a1.exe  50
- PID 2288 wrote to memory of 2988  2288  e57b8a1.exe  51
- PID 2288 wrote to memory of 3380  2288  e57b8a1.exe  56
- PID 2288 wrote to memory of 3536  2288  e57b8a1.exe  57
- PID 2288 wrote to memory of 3736  2288  e57b8a1.exe  58
- PID 2288 wrote to memory of 3832  2288  e57b8a1.exe  59
- PID 2288 wrote to memory of 3908  2288  e57b8a1.exe  60
- PID 2288 wrote to memory of 3992  2288  e57b8a1.exe  61
- PID 2288 wrote to memory of 4176  2288  e57b8a1.exe  62
System policy modification 1 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e5791a1.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57b8a1.exe)
Processes
Each entry lists image path, command line and PID; indentation reflects the process tree depth reported by the sandbox.
- C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:780
- C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:788
- C:\Windows\system32\dwm.exe  "dwm.exe"  PID:316
- C:\Windows\system32\sihost.exe  sihost.exe  PID:2860
- C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2936
- C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2988
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3380
  - C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f141d95f050fc4581c8661df64539d76_JaffaCakes118.dll,#1  PID:2756
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f141d95f050fc4581c8661df64539d76_JaffaCakes118.dll,#1  PID:4036
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5791a1.exe  C:\Users\Admin\AppData\Local\Temp\e5791a1.exe  PID:5068
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e579923.exe  C:\Users\Admin\AppData\Local\Temp\e579923.exe  PID:1576
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57b8a1.exe  C:\Users\Admin\AppData\Local\Temp\e57b8a1.exe  PID:2288
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3536
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3736
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3832
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3908
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:3992
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4176
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:372
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3624
- C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:2204
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 1de125688654410d39f5b25c502c7858
  SHA1: 838f8bf910f39f74150c993168feeb55a0943082
  SHA256: 348a6f547f5ec0f189a124b7ce8cdd6be00549e3b7b31a4ea4c32d9c30e0deb5
  SHA512: 22a9ddf1cc4bd28333b6190a713ac3a2ddaecd995b4c676571c922a678fa61a3a04a2c4997fd8106a545d73f00c61873335f9aaabb9c597896fb9138fbc47e7d
- Filesize: 257B
  MD5: cf2713e57883a89f81046f4d68c0467e
  SHA1: 386b48aea1b814ad2f08484e9e28bb8bcef45e2d
  SHA256: b9d605f0287b1826a0b5882610221510b0e7b63c4a4ee85f0baea91363a181e4
  SHA512: 9c31b4d14b0ce71d4ff27c5fc97849ee94a9f7c679ab7a8a5532aaa1be6331fa645d8094d90d7acbc015bed0b1c1225c159fca39115c3b2f6707073f4ac6db5c