Analysis

max time kernel: 4s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/01/2025, 08:57

Static task: static1
Behavioral task behavioral1: sample JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe, resource win7-20240903-en
Behavioral task behavioral2: sample JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe, resource win10v2004-20250129-en

The signatures and process tree below come from behavioral2 (the Windows 10 run); the memory yara hits are labelled behavioral2 accordingly.
General

Target: JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe
Size: 1.4MB
MD5: 689ef0f2e6af8ad3d32ab57e1b21a5ee
SHA1: 3dd4725886252418e31e12ab069e73b12d6503b3
SHA256: 52a7d48f7b130539b1f1c97736170ced7b48fe38473656a7d32405a9ca20a586
SHA512: c0695108cc48873f59aa149328320324f0d3ac208910465a57ef177173a0d6fc73cf62b0ebdc8f51c355134f09d7445328412d22ee6bb8c1490ad641bdd6bba2
SSDEEP: 24576:2QuC55ocNjUen9Orr/dJN8DIo6YqJWVzlF2jXAo9ImxkSe8dZYZn3a9J4Ws/HIvZ:2zC5KcNjUg9ijN8Dv6TJWxlskfm7e8dn
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

In the entries below, "the sample" is JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe (PID 2996 in the process tree).

Sality family

UAC bypass (3 TTPs, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", by the sample

Windows security bypass (2 TTPs, 6 IoCs)
All six values set (int) by the sample under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\:
- UacDisableNotify = "1"
- AntiVirusOverride = "1"
- AntiVirusDisableNotify = "1"
- FirewallDisableNotify = "1"
- FirewallOverride = "1"
- UpdatesDisableNotify = "1"

Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1", by the sample

Disables Task Manager via registry modification
(no IoC recorded for this signature)

Modifies Windows Firewall (2 TTPs, 24 IoCs)
netsh.exe PIDs: 4880, 116, 2984, 6312, 3268, 4944, 3036, 5976, 4496, 6304, 6296, 1836, 5956, 5916, 8088, 7356, 7876, 3084, 3176, 2912, 4536, 6620, 828, 828
(PID 828 is listed twice because two separate netsh.exe instances, at depths 48 and 56 of the process tree, reused that PID. Every instance ran "netsh firewall set opmode disable".)

Executes dropped EXE (1 IoC)
- PID 5048 DECB07.EXE

Loads dropped DLL (8 IoCs)
- PID 2996 the sample (7 entries)
- PID 5048 DECB07.EXE (1 entry)

Windows security modification (2 TTPs, 7 IoCs)
By the sample under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\:
- Set value (int) FirewallOverride = "1"
- Set value (int) UpdatesDisableNotify = "1"
- Set value (int) UacDisableNotify = "1"
- Key created Svc
- Set value (int) AntiVirusOverride = "1"
- Set value (int) AntiVirusDisableNotify = "1"
- Set value (int) FirewallDisableNotify = "1"

Checks whether UAC is enabled (1 TTP, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", by the sample

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification \??\PhysicalDrive0, by the sample

Drops file in System32 directory (6 IoCs)
By the sample:
- File opened for modification C:\Windows\SysWOW64\02A732\
- File created C:\Windows\SysWOW64\B526A5\DECB07.EXE
- File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE
- File opened for modification C:\Windows\SysWOW64\B526A5\
- File opened for modification C:\Windows\SysWOW64\06794E\
- File opened for modification C:\Windows\SysWOW64\04764D\

YARA rule "upx" matched in memory dumps (11 resources, behavioral2)
- PID 2996, region 0x021B0000-0x031E3000: dumps 2996-1, 2996-16, 2996-18, 2996-21, 2996-47, 2996-70
- PID 1984, region 0x021E0000-0x03213000: dumps 1984-121, 1984-135, 1984-146, 1984-162, 1984-167

Drops file in Windows directory (1 IoC)
- File opened for modification C:\Windows\SYSTEM.INI, by the sample

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, by netsh.exe
- Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, by netsh.exe
- Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, by netsh.exe
(All three IoCs are reads of the helper-DLL key by netsh.exe itself; no value is written under \Microsoft\NetSh anywhere in this report. They reflect netsh loading its registered helpers on startup, not a helper DLL being registered for persistence.)

Program crash (1 IoC)
- PID 1988 WerFault.exe, crashed process PID 4944 (netsh.exe), procid_target 155

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the sample
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by netsh.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by explorer.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by DECB07.EXE

Modifies registry class (2 IoCs)
- Key created \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings, by explorer.exe
- Key created \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell, by explorer.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2996 the sample (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeDebugPrivilege, PID 2996 the sample (all 64 entries)

Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 2996 the sample (6 entries)

Suspicious use of WriteProcessMemory (27 IoCs)
All writes by PID 2996, the sample; target PID (procid_target in parentheses):
- one write each: 804 (9), 800 (10), 316 (13), 1112 (51), 3100 (52), 3128 (53), 3448 (56), 3564 (57), 3764 (58), 3852 (59), 3920 (60), 4032 (61), 3888 (62), 4432 (64), 1148 (75), 2328 (80), 224 (81), 4864 (83)
- three writes each: 4880 (84), 4452 (86), 5048 (90)
(Per the process tree, 804 and 800 are fontdrvhost.exe, 316 dwm.exe, 1112 sihost.exe, 3100 and 3564 svchost.exe, 3128 taskhostw.exe, 3448 Explorer.EXE, 3764 DllHost.exe, 3852 StartMenuExperienceHost.exe and 3920 RuntimeBroker.exe, all opened with SeDebugPrivilege held; 4880, 4452 and 5048 are the sample's own children netsh.exe, explorer.exe and DECB07.EXE.)

System policy modification (1 TTP, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", by the sample
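The registry, firewall, raw-disk and cross-process IoCs above map directly onto endpoint detections. What follows is an added example, not part of the sandbox report and not the sandbox's own signature code: a small rule set run over constructed, Sysmon-like event records shaped after this report's IoCs. The event schema, its field names, the PROCESS_ALL_ACCESS grant on the process-access records and the two benign records are assumptions made for the example. The firewall rule generalises slightly beyond this sample by also matching the modern `netsh advfirewall ... state off` form; the aggregate rule flags a process that obtains write access to several other processes, which is how the 27 WriteProcessMemory IoCs from PID 2996 would appear in telemetry.

```python
"""Signature-style detections for the behaviours in the report above, run over
constructed endpoint events (field names mirror Sysmon's registry-set, process-
create and process-access events, but every record here is made up)."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe"

# Constructed events shaped like the report's IoCs, followed by benign noise
# (UAC being turned ON, an ordinary netsh query, a read-only process open)
# that must not fire.
SAMPLE_EVENTS = [
    {"kind": "registry_set", "pid": 2996, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"kind": "registry_set", "pid": 2996, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "details": "DWORD (0x00000001)"},
    {"kind": "registry_set", "pid": 2996, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify",
     "details": "DWORD (0x00000001)"},
    {"kind": "registry_set", "pid": 2996, "image": SAMPLE,
     "target": r"HKU\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools",
     "details": "DWORD (0x00000001)"},
    {"kind": "process_create", "pid": 4880, "ppid": 2996,
     "image": r"C:\Windows\SysWOW64\netsh.exe", "cmdline": "netsh firewall set opmode disable"},
    {"kind": "file_open", "pid": 2996, "image": SAMPLE, "target": r"\??\PhysicalDrive0", "write": True},
    # The sample opening the session's system processes (0x1FFFFF = PROCESS_ALL_ACCESS, assumed).
    *({"kind": "process_access", "pid": 2996, "target_pid": tp, "target_image": ti, "granted": "0x1FFFFF"}
      for tp, ti in [(804, r"C:\Windows\system32\fontdrvhost.exe"), (316, r"C:\Windows\system32\dwm.exe"),
                     (1112, r"C:\Windows\system32\sihost.exe"), (3100, r"C:\Windows\system32\svchost.exe"),
                     (3128, r"C:\Windows\system32\taskhostw.exe"), (3448, r"C:\Windows\Explorer.EXE")]),
    {"kind": "registry_set", "pid": 1234, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000001)"},
    {"kind": "process_create", "pid": 5000, "ppid": 700,
     "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh interface show interface"},
    {"kind": "process_access", "pid": 5000, "target_pid": 3448, "target_image": r"C:\Windows\Explorer.EXE",
     "granted": "0x1000"},  # PROCESS_QUERY_LIMITED_INFORMATION only
]

SECURITY_CENTER_FLAGS = {"uacdisablenotify", "antivirusoverride", "antivirusdisablenotify",
                         "firewalldisablenotify", "firewalloverride", "updatesdisablenotify"}
NETSH_FIREWALL_OFF = re.compile(
    r"\bfirewall\s+set\s+opmode\s+(?:mode=)?disable\b"   # legacy context used by this sample
    r"|\badvfirewall\s+set\s+\w+\s+state\s+off\b", re.I)  # modern equivalent
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020


def _dword(details):
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None


def _split_value(target):
    # Lower-case and drop the WOW6432Node hop so 32-bit writers hit the same rules.
    key, _, value = target.lower().replace(r"\wow6432node", "").rpartition("\\")
    return key, value


def rule_uac_disabled(ev):
    key, value = _split_value(ev.get("target", ""))
    return ev["kind"] == "registry_set" and key.endswith(r"\policies\system") \
        and value == "enablelua" and _dword(ev["details"]) == 0


def rule_security_center_override(ev):
    key, value = _split_value(ev.get("target", ""))
    return ev["kind"] == "registry_set" and key.endswith(r"\microsoft\security center") \
        and value in SECURITY_CENTER_FLAGS and _dword(ev["details"]) == 1


def rule_admin_tools_disabled(ev):
    key, value = _split_value(ev.get("target", ""))
    return ev["kind"] == "registry_set" and key.endswith(r"\policies\system") \
        and value in {"disableregistrytools", "disabletaskmgr"} and _dword(ev["details"]) == 1


def rule_firewall_disabled(ev):
    return ev["kind"] == "process_create" and ev["image"].lower().endswith(r"\netsh.exe") \
        and NETSH_FIREWALL_OFF.search(ev["cmdline"]) is not None


def rule_raw_disk_write(ev):
    # \??\PhysicalDriveN or \\.\PhysicalDriveN opened for writing (MBR access).
    return ev["kind"] == "file_open" and ev.get("write", False) \
        and re.fullmatch(r"\\(\?\?|\\\.)\\physicaldrive\d+", ev["target"].lower()) is not None


def injection_spray(events, min_targets=3):
    """Source PIDs that obtained write access to >= min_targets distinct processes."""
    targets = defaultdict(set)
    for ev in events:
        if ev["kind"] != "process_access":
            continue
        granted = int(ev["granted"], 16)
        if granted & PROCESS_VM_WRITE and granted & PROCESS_VM_OPERATION:
            targets[ev["pid"]].add(ev["target_pid"])
    return {pid: sorted(t) for pid, t in targets.items() if len(t) >= min_targets}


PER_EVENT_RULES = {
    "uac_disabled": rule_uac_disabled,
    "security_center_override": rule_security_center_override,
    "admin_tools_disabled": rule_admin_tools_disabled,
    "firewall_disabled": rule_firewall_disabled,
    "raw_disk_write": rule_raw_disk_write,
}


def detect(events):
    """Return (rule, pid) hits: per-event rules first, then the aggregate rule."""
    hits = [(name, ev["pid"]) for ev in events for name, rule in PER_EVENT_RULES.items() if rule(ev)]
    hits += [("cross_process_write_spray", pid) for pid in injection_spray(events)]
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
```

The per-event rules key on the value name under a normalised key path rather than on the full path, because the same Security Center and Policies\System values are written via WOW6432Node by 32-bit processes and directly by 64-bit ones. The aggregate rule deliberately ignores the parent/child opens (the three writes each into 4880, 4452 and 5048 are ordinary CreateProcess behaviour); what makes PID 2996 stand out is write access to six unrelated system processes.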
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:804
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:800
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:316
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:1112
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3100
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3128
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee.exe"2⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2996 -
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4880
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_689ef0f2e6af8ad3d32ab57e1b21a5ee3⤵
- System Location Discovery: System Language Discovery
PID:4452
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5048 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB074⤵PID:4528
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE4⤵PID:400
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB075⤵PID:3612
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE5⤵PID:1984
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable6⤵
- Modifies Windows Firewall
PID:1836
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB076⤵PID:2172
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE6⤵PID:3600
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB077⤵PID:3640
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE7⤵PID:1240
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB078⤵PID:2196
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE8⤵PID:3444
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable9⤵
- Modifies Windows Firewall
PID:3084
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB079⤵PID:4536
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE9⤵PID:452
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0710⤵PID:3584
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE10⤵PID:2716
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0711⤵PID:2764
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE11⤵PID:4944
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0712⤵PID:1556
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE12⤵PID:4356
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable13⤵
- Modifies Windows Firewall
PID:3268
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0713⤵PID:456
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE13⤵PID:2300
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0714⤵PID:1416
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE14⤵PID:1712
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0715⤵PID:1756
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE15⤵PID:3444
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable16⤵
- Modifies Windows Firewall
PID:3176
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0716⤵PID:2072
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE16⤵PID:4244
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0717⤵PID:1944
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE17⤵PID:4496
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0718⤵PID:1864
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE18⤵PID:3212
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable19⤵
- Modifies Windows Firewall
PID:2912
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0719⤵PID:3864
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE19⤵PID:2196
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0720⤵PID:3084
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE20⤵PID:4324
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0721⤵PID:2360
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE21⤵PID:1812
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable22⤵
- Modifies Windows Firewall
PID:4944 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 8423⤵
- Program crash
PID:1988
-
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0722⤵PID:4076
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE22⤵PID:64
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0723⤵PID:560
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE23⤵PID:116
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable24⤵
- Modifies Windows Firewall
PID:3036
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0724⤵PID:5224
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE24⤵PID:5304
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0725⤵PID:5488
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE25⤵PID:5552
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0726⤵PID:5724
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE26⤵PID:5852
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable27⤵
- Modifies Windows Firewall
PID:5956
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0727⤵PID:3968
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE27⤵PID:3600
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0728⤵PID:5764
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE28⤵PID:1936
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable29⤵
- Modifies Windows Firewall
PID:5976
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0729⤵PID:5368
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE29⤵PID:5828
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0730⤵PID:64
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE30⤵PID:664
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable31⤵
- Modifies Windows Firewall
PID:116
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0731⤵PID:6140
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE31⤵PID:4016
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0732⤵PID:5304
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE32⤵PID:5512
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0733⤵PID:5948
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE33⤵PID:3968
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable34⤵
- Modifies Windows Firewall
PID:5916
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0734⤵PID:5624
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE34⤵PID:4984
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0735⤵PID:6064
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE35⤵PID:5196
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0736⤵PID:5728
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE36⤵PID:5308
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable37⤵
- Modifies Windows Firewall
PID:4536
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0737⤵PID:1784
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE37⤵PID:4940
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0738⤵PID:5460
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE38⤵PID:2140
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable39⤵
- Modifies Windows Firewall
PID:4496
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0739⤵PID:828
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE39⤵PID:4352
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0740⤵PID:212
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE40⤵PID:6164
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0741⤵PID:6404
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE41⤵PID:6472
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable42⤵
- Modifies Windows Firewall
PID:6620
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0742⤵PID:6832
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE42⤵PID:6904
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0743⤵PID:7044
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE43⤵PID:7088
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0744⤵PID:2472
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE44⤵PID:6264
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable45⤵
- Modifies Windows Firewall
PID:6304
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0745⤵PID:6576
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE45⤵PID:6740
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0746⤵PID:6384
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE46⤵PID:6892
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0747⤵PID:6696
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE47⤵PID:2904
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable48⤵
- Modifies Windows Firewall
PID:828
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0748⤵PID:4280
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE48⤵PID:6872
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0749⤵PID:6780
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE49⤵PID:6964
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable50⤵
- Modifies Windows Firewall
PID:6296
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0750⤵PID:4748
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE50⤵PID:6948
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0751⤵PID:5640
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE51⤵PID:6168
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0752⤵PID:6304
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE52⤵PID:7080
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable53⤵
- Modifies Windows Firewall
PID:2984
-
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0753⤵PID:6720
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE53⤵PID:4956
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0754⤵PID:7072
-
-
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 54 | PID 6748
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 55 | PID 6612
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 55 | PID 5380
- C:\Windows\SysWOW64\netsh.exe | command line: netsh firewall set opmode disable | depth 56 | PID 828
  - Modifies Windows Firewall
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 56 | PID 7280
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 56 | PID 7352
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 57 | PID 7504
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 57 | PID 7572
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 58 | PID 7848
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 58 | PID 8004
- C:\Windows\SysWOW64\netsh.exe | command line: netsh firewall set opmode disable | depth 59 | PID 8088
  - Modifies Windows Firewall
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 59 | PID 5596
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 59 | PID 7228
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 60 | PID 6352
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 60 | PID 7452
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 61 | PID 4188
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 61 | PID 6804
- C:\Windows\SysWOW64\netsh.exe | command line: netsh firewall set opmode disable | depth 62 | PID 6312
  - Modifies Windows Firewall
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 62 | PID 7288
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 62 | PID 8116
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 63 | PID 6896
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 63 | PID 7316
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 64 | PID 8008
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 64 | PID 7780
- C:\Windows\SysWOW64\netsh.exe | command line: netsh firewall set opmode disable | depth 65 | PID 7356
  - Modifies Windows Firewall
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 65 | PID 532
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 65 | PID 7504
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 66 | PID 7852
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 66 | PID 6804
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 67 | PID 6380
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 67 | PID 6316
- C:\Windows\SysWOW64\netsh.exe | command line: netsh firewall set opmode disable | depth 68 | PID 7876
  - Modifies Windows Firewall
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 68 | PID 7520
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 68 | PID 8048
- C:\Windows\SysWOW64\explorer.exe | command line: explorer C:\Windows\SysWOW64\B526A5\DECB07 | depth 69 | PID 8108
- C:\Windows\SysWOW64\B526A5\DECB07.EXE | command line: C:\Windows\system32\B526A5\DECB07.EXE | depth 69 | PID 4984
- C:\Windows\system32\svchost.exe | command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | depth 1 | PID 3564
- C:\Windows\system32\DllHost.exe | command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | depth 1 | PID 3764
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | depth 1 | PID 3852
- C:\Windows\System32\RuntimeBroker.exe | command line: C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID 3920
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | depth 1 | PID 4032
- C:\Windows\System32\RuntimeBroker.exe | command line: C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID 3888
- C:\Windows\System32\RuntimeBroker.exe | command line: C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID 4432
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | depth 1 | PID 1148
- C:\Windows\system32\backgroundTaskHost.exe | command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | depth 1 | PID 2328
- C:\Windows\system32\backgroundTaskHost.exe | command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | depth 1 | PID 224
- C:\Windows\system32\BackgroundTaskHost.exe | command line: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | depth 1 | PID 4864
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 3828
  - Modifies registry class
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 1568
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 4376
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 3252
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 2016
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 4924
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 3620
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 3216
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 2592
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 3720
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 3700
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 1744
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 2272
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 2844
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 1300
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 1416
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 856
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 4880
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 3356
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 696
- C:\Windows\SysWOW64\WerFault.exe | command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4944 -ip 4944 | depth 1 | PID 852
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 2980
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5324
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5564
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6088
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5360
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5264
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5112
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5584
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5844
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5776
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5496
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5756
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5820
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 4636
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 2736
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5924
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 4004
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6396
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6512
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6916
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 7096
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5788
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6844
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6856
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 7040
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 5736
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6740
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6292
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6204
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6116
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 2912
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6624
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 2076
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 7344
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 7564
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 7952
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 7264
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 7428
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6824
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 8052
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6816
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 6628
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 3472
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 8096
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 7172
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 2432
- C:\Windows\explorer.exe | command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1 | PID 8008
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (4)
- Pre-OS Boot (1): Bootkit (1)
Downloads