Analysis
- max time kernel: 92s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2024 17:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: fc7274aad440ca7d679a24510650ddb1_JaffaCakes118.dll
- Resource: win7-20240903-en
General
- Target: fc7274aad440ca7d679a24510650ddb1_JaffaCakes118.dll
- Size: 120KB
- MD5: fc7274aad440ca7d679a24510650ddb1
- SHA1: cb10c8a0891a4f0680bd7e9e53db91edb5e03afa
- SHA256: a83307df0ab0118dc893590e6448f66983e0173df076e10f25a9d1c56a2fd952
- SHA512: f645f4e10b3832b5e925d9c2be8fa7f1bdd66d6d1447e4b101574635ba99adc5a02b9ed62c458f04f8dd3939ec52e335d639bb5832d0832b795cfed494612f60
- SSDEEP: 3072:Ye27jUGi+Ju9bWcOkD8Tq3r0mEPY8Ln8Vvy30:Ye27w+SOkYOvy
Malware Config
Extracted family: sality
C2 / update URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5772ce.exe

Sality family

UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57aeaf.exe

Windows security bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5772ce.exe
Executes dropped EXE (4 IoCs)
pid | Process
- 4144 | e5772ce.exe
- 2880 | e577465.exe
- 452 | e57aeaf.exe
- 1992 | e57aece.exe

Windows security modification
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57aeaf.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5772ce.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57aeaf.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57aeaf.exe

Checks whether UAC is enabled
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57aeaf.exe
Enumerates connected drives (3 TTPs, 6 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\J: | e5772ce.exe
- File opened (read-only) | \??\E: | e57aeaf.exe
- File opened (read-only) | \??\E: | e5772ce.exe
- File opened (read-only) | \??\G: | e5772ce.exe
- File opened (read-only) | \??\H: | e5772ce.exe
- File opened (read-only) | \??\I: | e5772ce.exe

yara rule match (upx)
resource | yara_rule
- behavioral2/memory/4144-N-0x00000000007C0000-0x000000000187A000-memory.dmp | upx, for N in 6, 8, 9, 10, 11, 14, 25, 30, 33, 34, 35, 36, 37, 42, 43, 45, 57, 62, 63, 65, 68 (21 dumps of the same region of PID 4144)
- behavioral2/memory/452-N-0x0000000000830000-0x00000000018EA000-memory.dmp | upx, for N in 90, 92, 93, 94, 95, 96, 98, 141 (8 dumps of the same region of PID 452)
Drops file in Windows directory (3 IoCs)
description | ioc | Process
- File created | C:\Windows\e57735b | e5772ce.exe
- File opened for modification | C:\Windows\SYSTEM.INI | e5772ce.exe
- File created | C:\Windows\e57d62c | e57aeaf.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5772ce.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e577465.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57aeaf.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57aece.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
- 4144 | e5772ce.exe (4 entries)
- 452 | e57aeaf.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
- Token: SeDebugPrivilege | 4144 | e5772ce.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (shown below as target PID [procid_target], in the report's original order; repeated rows are collapsed with a count)
- PID 1884 (rundll32.exe) wrote to memory of 3700 [82] (3 entries)
- PID 3700 (rundll32.exe) wrote to memory of 4144 [83] (3 entries)
- PID 4144 (e5772ce.exe) wrote to memory of 800 [9], 808 [10], 412 [13], 2540 [42], 2572 [43], 2836 [49], 3448 [56], 3608 [57], 3792 [58], 3884 [59], 3948 [60], 4036 [61], 3068 [74], 3628 [76], 1884 [81], 3700 [82] (2 entries)
- PID 3700 (rundll32.exe) wrote to memory of 2880 [84] (3 entries)
- PID 4144 (e5772ce.exe) wrote to memory of 800 [9], 808 [10], 412 [13], 2540 [42], 2572 [43], 2836 [49], 3448 [56], 3608 [57], 3792 [58], 3884 [59], 3948 [60], 4036 [61], 3068 [74], 3628 [76], 1884 [81], 2880 [84] (2 entries)
- PID 3700 (rundll32.exe) wrote to memory of 452 [85] (3 entries)
- PID 3700 (rundll32.exe) wrote to memory of 1992 [86] (3 entries)
- PID 452 (e57aeaf.exe) wrote to memory of 800 [9], 808 [10], 412 [13], 2540 [42], 2572 [43], 2836 [49], 3448 [56], 3608 [57], 3792 [58], 3884 [59], 3948 [60], 4036 [61], 3068 [74], 3628 [76], 1992 [86]
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5772ce.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57aeaf.exe
Processes (indentation reflects the process tree depth recorded by the sandbox)
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 800
- C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
  PID: 808
- C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
  PID: 412
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2540
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2572
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2836
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3448
  - C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc7274aad440ca7d679a24510650ddb1_JaffaCakes118.dll,#1
    PID: 1884
    signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc7274aad440ca7d679a24510650ddb1_JaffaCakes118.dll,#1
      PID: 3700
      signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e5772ce.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e5772ce.exe
        PID: 4144
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e577465.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e577465.exe
        PID: 2880
        signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57aeaf.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57aeaf.exe
        PID: 452
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57aece.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57aece.exe
        PID: 1992
        signatures:
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3608
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3792
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3884
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3948
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4036
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 3068
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3628
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: e41a864df2f5e05d062647601dd0e64a
  SHA1: 5b9c3d38feb12a966970b1ef21c814d5c8dc7cc9
  SHA256: 23cef8c6f9907f04823c8f61d143446b38844982983710db087439a12d2e7cbb
  SHA512: 1aff659c75fb58b043fc0644add95d07e918655b71863b77d56f98b49ee4c6d038f4e89f25ad7adc863d2e1a423aecf27862fad1bfc7127843caa8c3e0e026c2
- Filesize: 257B
  MD5: cd12f542b5bde6c742ad8c2544b70d9a
  SHA1: adeed26a769007dfdcd2a437e41762d9a8cb8e19
  SHA256: 4fa3fc57f1096306d55c21eb8b7c9ce237edd69befe9d56b43c7bcb9ac87fdc7
  SHA512: 543332a4db2c479b557d87a38d872902f5587c601013f1542efcfe5daf2d27c4474666b1d685aa2eef07ddb76d7e36856f4ec88af35b3aa8dc355b9bb1c5025b