Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 96s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20250129-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/02/2025, 22:57
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_81b7e24b277f60f44f5098cca27fb004.dll
Resource: win7-20240903-en
General
- Target: JaffaCakes118_81b7e24b277f60f44f5098cca27fb004.dll
- Size: 120KB
- MD5: 81b7e24b277f60f44f5098cca27fb004
- SHA1: 2f98fc8ba330183a5f2e3c700141168f63959693
- SHA256: 783d5fec332f73daaf8616c3b1e947acd83302c71790aa7a6162ca68c131e7c2
- SHA512: 4fb6e15ed8d8e6c63e145b92d94363373664416a8c94369ebc0a9375478830867bd80c58c26cd38a08dbb3c0b00b8e3cfac28f45f88858264480a008cdbe70e7
- SSDEEP: 1536:JS6RmzC34BdKPOBtegHZoTItDO8PV/ZSkAOIym1fzyvZYU773io7vkFo3r:JPAzC34L7oktKNkRiLyvZYU773iakO
Malware Config
Extracted
- Family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b508.exe
Sality family
UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b508.exe
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b508.exe
Executes dropped EXE (3 IoCs)
pid | Process
2308 | e57885a.exe
4044 | e5789c1.exe
2852 | e57b508.exe
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57885a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57885a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b508.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57885a.exe
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b508.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | e57885a.exe
File opened (read-only) | \??\E: | e57b508.exe
File opened (read-only) | \??\G: | e57b508.exe
File opened (read-only) | \??\E: | e57885a.exe
File opened (read-only) | \??\H: | e57885a.exe
File opened (read-only) | \??\I: | e57885a.exe
File opened (read-only) | \??\L: | e57885a.exe
File opened (read-only) | \??\H: | e57b508.exe
File opened (read-only) | \??\I: | e57b508.exe
File opened (read-only) | \??\J: | e57b508.exe
File opened (read-only) | \??\G: | e57885a.exe
File opened (read-only) | \??\J: | e57885a.exe
File opened (read-only) | \??\K: | e57885a.exe
resource | yara_rule
behavioral2/memory/2308-8-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-6-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-9-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-24-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-23-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-29-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-22-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-12-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-11-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-10-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-33-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-37-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-36-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-38-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-39-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-40-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-54-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-56-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-57-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-59-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-60-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-62-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-65-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-66-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2308-69-0x00000000007A0000-0x000000000185A000-memory.dmp | upx
behavioral2/memory/2852-93-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
behavioral2/memory/2852-144-0x00000000007F0000-0x00000000018AA000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e5788a8 | e57885a.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57885a.exe
File created | C:\Windows\e57dc56 | e57b508.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57885a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e5789c1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b508.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2308 | e57885a.exe
2308 | e57885a.exe
2308 | e57885a.exe
2308 | e57885a.exe
2852 | e57b508.exe
2852 | e57b508.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2308 | e57885a.exe
(this identical row is listed 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3212 wrote to memory of 4692 | 3212 | rundll32.exe | 83
PID 3212 wrote to memory of 4692 | 3212 | rundll32.exe | 83
PID 3212 wrote to memory of 4692 | 3212 | rundll32.exe | 83
PID 4692 wrote to memory of 2308 | 4692 | rundll32.exe | 85
PID 4692 wrote to memory of 2308 | 4692 | rundll32.exe | 85
PID 4692 wrote to memory of 2308 | 4692 | rundll32.exe | 85
PID 2308 wrote to memory of 796 | 2308 | e57885a.exe | 9
PID 2308 wrote to memory of 804 | 2308 | e57885a.exe | 10
PID 2308 wrote to memory of 316 | 2308 | e57885a.exe | 13
PID 2308 wrote to memory of 2652 | 2308 | e57885a.exe | 44
PID 2308 wrote to memory of 2672 | 2308 | e57885a.exe | 45
PID 2308 wrote to memory of 2904 | 2308 | e57885a.exe | 51
PID 2308 wrote to memory of 3528 | 2308 | e57885a.exe | 56
PID 2308 wrote to memory of 3700 | 2308 | e57885a.exe | 57
PID 2308 wrote to memory of 3876 | 2308 | e57885a.exe | 58
PID 2308 wrote to memory of 3968 | 2308 | e57885a.exe | 59
PID 2308 wrote to memory of 4032 | 2308 | e57885a.exe | 60
PID 2308 wrote to memory of 3560 | 2308 | e57885a.exe | 61
PID 2308 wrote to memory of 4216 | 2308 | e57885a.exe | 62
PID 2308 wrote to memory of 212 | 2308 | e57885a.exe | 75
PID 2308 wrote to memory of 1376 | 2308 | e57885a.exe | 76
PID 2308 wrote to memory of 976 | 2308 | e57885a.exe | 80
PID 2308 wrote to memory of 2468 | 2308 | e57885a.exe | 81
PID 2308 wrote to memory of 3212 | 2308 | e57885a.exe | 82
PID 2308 wrote to memory of 4692 | 2308 | e57885a.exe | 83
PID 2308 wrote to memory of 4692 | 2308 | e57885a.exe | 83
PID 2308 wrote to memory of 4608 | 2308 | e57885a.exe | 84
PID 4692 wrote to memory of 4044 | 4692 | rundll32.exe | 86
PID 4692 wrote to memory of 4044 | 4692 | rundll32.exe | 86
PID 4692 wrote to memory of 4044 | 4692 | rundll32.exe | 86
PID 2308 wrote to memory of 796 | 2308 | e57885a.exe | 9
PID 2308 wrote to memory of 804 | 2308 | e57885a.exe | 10
PID 2308 wrote to memory of 316 | 2308 | e57885a.exe | 13
PID 2308 wrote to memory of 2652 | 2308 | e57885a.exe | 44
PID 2308 wrote to memory of 2672 | 2308 | e57885a.exe | 45
PID 2308 wrote to memory of 2904 | 2308 | e57885a.exe | 51
PID 2308 wrote to memory of 3528 | 2308 | e57885a.exe | 56
PID 2308 wrote to memory of 3700 | 2308 | e57885a.exe | 57
PID 2308 wrote to memory of 3876 | 2308 | e57885a.exe | 58
PID 2308 wrote to memory of 3968 | 2308 | e57885a.exe | 59
PID 2308 wrote to memory of 4032 | 2308 | e57885a.exe | 60
PID 2308 wrote to memory of 3560 | 2308 | e57885a.exe | 61
PID 2308 wrote to memory of 4216 | 2308 | e57885a.exe | 62
PID 2308 wrote to memory of 212 | 2308 | e57885a.exe | 75
PID 2308 wrote to memory of 1376 | 2308 | e57885a.exe | 76
PID 2308 wrote to memory of 976 | 2308 | e57885a.exe | 80
PID 2308 wrote to memory of 2468 | 2308 | e57885a.exe | 81
PID 2308 wrote to memory of 3212 | 2308 | e57885a.exe | 82
PID 2308 wrote to memory of 4044 | 2308 | e57885a.exe | 86
PID 2308 wrote to memory of 4044 | 2308 | e57885a.exe | 86
PID 2308 wrote to memory of 1812 | 2308 | e57885a.exe | 87
PID 2308 wrote to memory of 840 | 2308 | e57885a.exe | 88
PID 2308 wrote to memory of 4104 | 2308 | e57885a.exe | 90
PID 4692 wrote to memory of 2852 | 4692 | rundll32.exe | 92
PID 4692 wrote to memory of 2852 | 4692 | rundll32.exe | 92
PID 4692 wrote to memory of 2852 | 4692 | rundll32.exe | 92
PID 2852 wrote to memory of 796 | 2852 | e57b508.exe | 9
PID 2852 wrote to memory of 804 | 2852 | e57b508.exe | 10
PID 2852 wrote to memory of 316 | 2852 | e57b508.exe | 13
PID 2852 wrote to memory of 2652 | 2852 | e57b508.exe | 44
PID 2852 wrote to memory of 2672 | 2852 | e57b508.exe | 45
PID 2852 wrote to memory of 2904 | 2852 | e57b508.exe | 51
PID 2852 wrote to memory of 3528 | 2852 | e57b508.exe | 56
PID 2852 wrote to memory of 3700 | 2852 | e57b508.exe | 57
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57885a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b508.exe
Processes
(image path | command line | PID; nesting shows the parent/child tree)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:804
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:316
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2652
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2672
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2904
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3528
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81b7e24b277f60f44f5098cca27fb004.dll,#1 | PID:3212
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81b7e24b277f60f44f5098cca27fb004.dll,#1 | PID:4692
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57885a.exe | C:\Users\Admin\AppData\Local\Temp\e57885a.exe | PID:2308
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e5789c1.exe | C:\Users\Admin\AppData\Local\Temp\e5789c1.exe | PID:4044
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
      - C:\Users\Admin\AppData\Local\Temp\e57b508.exe | C:\Users\Admin\AppData\Local\Temp\e57b508.exe | PID:2852
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3700
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3876
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3968
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4032
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:3560
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4216
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:212
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1376
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:976
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2468
- C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | PID:4608
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1812
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:840
- C:\Windows\system32\BackgroundTransferHost.exe | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | PID:4104
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 72c61afef7530076c380c0f813f3b902
  SHA1: 69153e4df572c09c638cad46b3737cd814ac074f
  SHA256: aa972e899447d140135c8ced7066a3cc04b816cf33bd4cfb34051b8134e026b4
  SHA512: 0e5dbea9d4fe666fd3da8e5b4a5243d946a688a2167fbed6c8ac35d8119953bb07b05fc31a3a7db11d066e6604244243ca6680aeb441985341bb66be44cf91db
- Filesize: 257B
  MD5: dce55841bc1a1d004a8494fd48ea6a46
  SHA1: a945235033fec666ccb3bd148c2c9e7483169787
  SHA256: b9de262112c20b5f948f18b730e67fb0408cdd957189ade01fc39a0181e5c335
  SHA512: ce15f33ccae07077552e09cd96640a133e8bea04c463d826d986199ff7323b9a100e90c9e6a8ba7d9d16a13b8981759daca379e4eb5cea432d8a653f0317e795