Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-02-2025 08:29

Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_a92b34c4e58a7615d78580f95a736367.dll
Resource: win7-20240903-en
General
Target: JaffaCakes118_a92b34c4e58a7615d78580f95a736367.dll
Size: 120KB
MD5: a92b34c4e58a7615d78580f95a736367
SHA1: cddbb7e198238d90aad06fe6ee6a97503abe7f16
SHA256: 4c57b765b8e870aee04062b3ac503b1cf1c1c35ee807810bbdc5bf2aa229d9a5
SHA512: 1d5fdde991b47d59bcfcbf761831b96e9fcd2b561644d9c20abfb9801bd2c201a0c21df445ac22b3e8da861d1f5707cadf6158445fb8e57bd9e3681a181aadcc
SSDEEP: 3072:o4rHTdGz932V37r++MY5J1bWvlDX6uRb:o4rp893U/nMY5J1avt6wb
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57901a.exe
-
Sality family
-
UAC bypass (3 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57901a.exe
-
Windows security bypass (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57901a.exe
-
Executes dropped EXE (3 IoCs)
pid | Process
544 | e57901a.exe
396 | e579182.exe
1928 | e57b3a0.exe
-
Windows security modification (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57901a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57b3a0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57b3a0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57901a.exe
-
Checks whether UAC is enabled (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b3a0.exe
-
Enumerates connected drives (3 TTPs, 14 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | e57901a.exe
File opened (read-only) | \??\E: | e57b3a0.exe
File opened (read-only) | \??\G: | e57901a.exe
File opened (read-only) | \??\I: | e57901a.exe
File opened (read-only) | \??\P: | e57901a.exe
File opened (read-only) | \??\L: | e57901a.exe
File opened (read-only) | \??\O: | e57901a.exe
File opened (read-only) | \??\G: | e57b3a0.exe
File opened (read-only) | \??\H: | e57b3a0.exe
File opened (read-only) | \??\E: | e57901a.exe
File opened (read-only) | \??\K: | e57901a.exe
File opened (read-only) | \??\N: | e57901a.exe
File opened (read-only) | \??\H: | e57901a.exe
File opened (read-only) | \??\M: | e57901a.exe
-
resource | yara_rule
behavioral2/memory/544-6-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-9-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-19-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-30-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-11-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-10-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-8-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-32-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-33-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-34-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-35-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-36-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-37-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-38-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-39-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-41-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-50-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-60-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-62-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-63-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-65-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-67-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-70-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-71-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-73-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-75-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-76-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/544-78-0x0000000000770000-0x000000000182A000-memory.dmp | upx
behavioral2/memory/1928-104-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/1928-149-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
-
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57901a.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57901a.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57901a.exe
-
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e579097 | e57901a.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57901a.exe
File created | C:\Windows\e57e0cb | e57b3a0.exe
-
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57901a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e579182.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e57b3a0.exe
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
544 | e57901a.exe
544 | e57901a.exe
544 | e57901a.exe
544 | e57901a.exe
1928 | e57b3a0.exe
1928 | e57b3a0.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 544 | e57901a.exe
(the same row is recorded 64 times)
-
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4684 wrote to memory of 2432 | 4684 | rundll32.exe | 84
PID 4684 wrote to memory of 2432 | 4684 | rundll32.exe | 84
PID 4684 wrote to memory of 2432 | 4684 | rundll32.exe | 84
PID 2432 wrote to memory of 544 | 2432 | rundll32.exe | 85
PID 2432 wrote to memory of 544 | 2432 | rundll32.exe | 85
PID 2432 wrote to memory of 544 | 2432 | rundll32.exe | 85
PID 544 wrote to memory of 800 | 544 | e57901a.exe | 9
PID 544 wrote to memory of 808 | 544 | e57901a.exe | 10
PID 544 wrote to memory of 316 | 544 | e57901a.exe | 13
PID 544 wrote to memory of 2584 | 544 | e57901a.exe | 44
PID 544 wrote to memory of 2636 | 544 | e57901a.exe | 45
PID 544 wrote to memory of 2748 | 544 | e57901a.exe | 47
PID 544 wrote to memory of 3600 | 544 | e57901a.exe | 56
PID 544 wrote to memory of 3744 | 544 | e57901a.exe | 57
PID 544 wrote to memory of 3920 | 544 | e57901a.exe | 58
PID 544 wrote to memory of 4016 | 544 | e57901a.exe | 59
PID 544 wrote to memory of 4080 | 544 | e57901a.exe | 60
PID 544 wrote to memory of 1356 | 544 | e57901a.exe | 61
PID 544 wrote to memory of 4148 | 544 | e57901a.exe | 62
PID 544 wrote to memory of 4668 | 544 | e57901a.exe | 75
PID 544 wrote to memory of 4420 | 544 | e57901a.exe | 76
PID 544 wrote to memory of 1824 | 544 | e57901a.exe | 81
PID 544 wrote to memory of 2364 | 544 | e57901a.exe | 82
PID 544 wrote to memory of 4684 | 544 | e57901a.exe | 83
PID 544 wrote to memory of 2432 | 544 | e57901a.exe | 84
PID 544 wrote to memory of 2432 | 544 | e57901a.exe | 84
PID 2432 wrote to memory of 396 | 2432 | rundll32.exe | 86
PID 2432 wrote to memory of 396 | 2432 | rundll32.exe | 86
PID 2432 wrote to memory of 396 | 2432 | rundll32.exe | 86
PID 2432 wrote to memory of 1928 | 2432 | rundll32.exe | 95
PID 2432 wrote to memory of 1928 | 2432 | rundll32.exe | 95
PID 2432 wrote to memory of 1928 | 2432 | rundll32.exe | 95
PID 544 wrote to memory of 800 | 544 | e57901a.exe | 9
PID 544 wrote to memory of 808 | 544 | e57901a.exe | 10
PID 544 wrote to memory of 316 | 544 | e57901a.exe | 13
PID 544 wrote to memory of 2584 | 544 | e57901a.exe | 44
PID 544 wrote to memory of 2636 | 544 | e57901a.exe | 45
PID 544 wrote to memory of 2748 | 544 | e57901a.exe | 47
PID 544 wrote to memory of 3600 | 544 | e57901a.exe | 56
PID 544 wrote to memory of 3744 | 544 | e57901a.exe | 57
PID 544 wrote to memory of 3920 | 544 | e57901a.exe | 58
PID 544 wrote to memory of 4016 | 544 | e57901a.exe | 59
PID 544 wrote to memory of 4080 | 544 | e57901a.exe | 60
PID 544 wrote to memory of 1356 | 544 | e57901a.exe | 61
PID 544 wrote to memory of 4148 | 544 | e57901a.exe | 62
PID 544 wrote to memory of 4668 | 544 | e57901a.exe | 75
PID 544 wrote to memory of 4420 | 544 | e57901a.exe | 76
PID 544 wrote to memory of 1824 | 544 | e57901a.exe | 81
PID 544 wrote to memory of 2364 | 544 | e57901a.exe | 82
PID 544 wrote to memory of 396 | 544 | e57901a.exe | 86
PID 544 wrote to memory of 396 | 544 | e57901a.exe | 86
PID 544 wrote to memory of 4436 | 544 | e57901a.exe | 88
PID 544 wrote to memory of 4492 | 544 | e57901a.exe | 89
PID 544 wrote to memory of 1928 | 544 | e57901a.exe | 95
PID 544 wrote to memory of 1928 | 544 | e57901a.exe | 95
PID 1928 wrote to memory of 800 | 1928 | e57b3a0.exe | 9
PID 1928 wrote to memory of 808 | 1928 | e57b3a0.exe | 10
PID 1928 wrote to memory of 316 | 1928 | e57b3a0.exe | 13
PID 1928 wrote to memory of 2584 | 1928 | e57b3a0.exe | 44
PID 1928 wrote to memory of 2636 | 1928 | e57b3a0.exe | 45
PID 1928 wrote to memory of 2748 | 1928 | e57b3a0.exe | 47
PID 1928 wrote to memory of 3600 | 1928 | e57b3a0.exe | 56
PID 1928 wrote to memory of 3744 | 1928 | e57b3a0.exe | 57
PID 1928 wrote to memory of 3920 | 1928 | e57b3a0.exe | 58
-
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57901a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57b3a0.exe
Processes
(indentation shows the parent/child nesting level given in the report)

C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 800

C:\Windows\system32\fontdrvhost.exe
    command line: "fontdrvhost.exe"
    PID: 808

C:\Windows\system32\dwm.exe
    command line: "dwm.exe"
    PID: 316

C:\Windows\system32\sihost.exe
    command line: sihost.exe
    PID: 2584

C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID: 2636

C:\Windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2748

C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3600

    C:\Windows\system32\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a92b34c4e58a7615d78580f95a736367.dll,#1
        PID: 4684
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe
            command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a92b34c4e58a7615d78580f95a736367.dll,#1
            PID: 2432
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\e57901a.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e57901a.exe
                PID: 544
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification

            C:\Users\Admin\AppData\Local\Temp\e579182.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e579182.exe
                PID: 396
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Local\Temp\e57b3a0.exe
                command line: C:\Users\Admin\AppData\Local\Temp\e57b3a0.exe
                PID: 1928
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification

C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    PID: 3744

C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3920

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    PID: 4016

C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    PID: 1356

C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4148

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
    PID: 4668

C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4420

C:\Windows\system32\backgroundTaskHost.exe
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
    PID: 1824

C:\Windows\system32\backgroundTaskHost.exe
    command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    PID: 2364

C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4436

C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 4492
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads
-
Filesize: 97KB
MD5: 11e227323efbe2e0f985564bf762f658
SHA1: d223743da87d093781411620fe8307bb41707afc
SHA256: 07aea57376584311a0f51aecf4d6595d3354d604a425afdf2d9bd7b4c23b9e53
SHA512: 83124c6086d8e42f908eb0e360b14d7b49c8d5c14e83c5394dfc048a3fdd162b077e2a75e17ace1384e69b65e21b7bd21a550545da2f4b2e5bd05da676ea18f2
-
Filesize: 257B
MD5: d78ac83939cb5dbd088f31b72470c4b7
SHA1: 5a77df1df9efa30f7fa015bba9a315b76541cdcf
SHA256: aec5773cb0776c828115bd0a53822290a2c7476aac587bf274b70ebe76eb5fbd
SHA512: b275303c5068f3856b20bd553a3b6948b266551c17a2b509c9dbd1bdb65ea8e0abba6177468b3addd6afcd87a85c5dc698f69a8e7228acdfb352118af6837531