fddd8a1155040392de6207873bb353228237ae61f0026a35dba6efd5fdf3329e

Analysis

max time kernel
130s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a1b268d10ffcdc3200a42370ce7ac99_JaffaCakes118.dll
Size

787KB
MD5

1a1b268d10ffcdc3200a42370ce7ac99
SHA1

ddcf5b4e5350f6af84f1f35072e887909c538157
SHA256

fddd8a1155040392de6207873bb353228237ae61f0026a35dba6efd5fdf3329e
SHA512

82558bbc7f48de0a8a3c5f1eb7d70acb5a06957bc35cda2632c0b22e5503fc21f7e22eab9c5e9d5b7fbef40adf9341209f5eae41a533f6fdfd5ba61e5ef10498
SSDEEP

12288:Q7Cx0aLl21dgY5Ax5q09jpZ4AAf4jB5th6ZgvkoSVRDFLJ+3Y4:Q7Cx7Ll21+g+j1Bd6ZgvwhG3

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	rundll32.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\rundll32.exe = "C:\\Windows\\SysWOW64\\rundll32.exe:*:enabled:@shell32.dll,-1"	rundll32.exe

Drops file in Drivers directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File opened for modification C:\Windows\system32\DRIVERS\ETC\HOSTS rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

3440 rundll32mgr.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\ETC\HOSTS	rundll32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2656-2-0x0000000010000000-0x0000000010381000-memory.dmp	upx
C:\Windows\SysWOW64\rundll32mgr.exe	upx
behavioral2/memory/3440-5-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3440-16-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2656-20-0x0000000010000000-0x0000000010381000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1116 3440 WerFault.exe rundll32mgr.exe
892 2656 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32mgr.exe

pid process

3440 rundll32mgr.exe
3440 rundll32mgr.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

pid	pid_target	process	target process
1116	3440	WerFault.exe	rundll32mgr.exe
892	2656	WerFault.exe	rundll32.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

rundll32mgr.exe

pid	process
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe
3440	rundll32mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32mgr.exe

description pid process

Token: SeDebugPrivilege 3440 rundll32mgr.exe

description	pid	process
Token: SeDebugPrivilege	3440	rundll32mgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exe

description	pid	process	target process
PID 940 wrote to memory of 2656	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 2656	940	rundll32.exe	rundll32.exe
PID 940 wrote to memory of 2656	940	rundll32.exe	rundll32.exe
PID 2656 wrote to memory of 3440	2656	rundll32.exe	rundll32mgr.exe
PID 2656 wrote to memory of 3440	2656	rundll32.exe	rundll32mgr.exe
PID 2656 wrote to memory of 3440	2656	rundll32.exe	rundll32mgr.exe
PID 3440 wrote to memory of 624	3440	rundll32mgr.exe	winlogon.exe
PID 3440 wrote to memory of 624	3440	rundll32mgr.exe	winlogon.exe
PID 3440 wrote to memory of 624	3440	rundll32mgr.exe	winlogon.exe
PID 3440 wrote to memory of 624	3440	rundll32mgr.exe	winlogon.exe
PID 3440 wrote to memory of 624	3440	rundll32mgr.exe	winlogon.exe
PID 3440 wrote to memory of 624	3440	rundll32mgr.exe	winlogon.exe
PID 3440 wrote to memory of 680	3440	rundll32mgr.exe	lsass.exe
PID 3440 wrote to memory of 680	3440	rundll32mgr.exe	lsass.exe
PID 3440 wrote to memory of 680	3440	rundll32mgr.exe	lsass.exe
PID 3440 wrote to memory of 680	3440	rundll32mgr.exe	lsass.exe
PID 3440 wrote to memory of 680	3440	rundll32mgr.exe	lsass.exe
PID 3440 wrote to memory of 680	3440	rundll32mgr.exe	lsass.exe
PID 3440 wrote to memory of 804	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 804	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 804	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 804	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 804	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 804	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 812	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 812	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 812	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 812	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 812	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 812	3440	rundll32mgr.exe	fontdrvhost.exe
PID 3440 wrote to memory of 820	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 820	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 820	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 820	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 820	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 820	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 920	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 920	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 920	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 920	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 920	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 920	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 980	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 980	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 980	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 980	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 980	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 980	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 396	3440	rundll32mgr.exe	dwm.exe
PID 3440 wrote to memory of 396	3440	rundll32mgr.exe	dwm.exe
PID 3440 wrote to memory of 396	3440	rundll32mgr.exe	dwm.exe
PID 3440 wrote to memory of 396	3440	rundll32mgr.exe	dwm.exe
PID 3440 wrote to memory of 396	3440	rundll32mgr.exe	dwm.exe
PID 3440 wrote to memory of 396	3440	rundll32mgr.exe	dwm.exe
PID 3440 wrote to memory of 408	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 408	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 408	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 408	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 408	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 408	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 1056	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 1056	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 1056	3440	rundll32mgr.exe	svchost.exe
PID 3440 wrote to memory of 1056	3440	rundll32mgr.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:804

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:396

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:820

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
2⤵
PID:3176

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3904

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4068

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:676

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4232

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:4588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:4600

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
2⤵
PID:1492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3788

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
2⤵
PID:1172

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:4116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1228

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2844

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
2⤵
PID:3068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1544

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2880

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3540

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3572

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a1b268d10ffcdc3200a42370ce7ac99_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a1b268d10ffcdc3200a42370ce7ac99_JaffaCakes118.dll,#1
3⤵
- Modifies firewall policy service
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 264
5⤵
- Program crash
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 640
4⤵
- Program crash
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4720

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2656 -ip 2656
2⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3440 -ip 3440
2⤵
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
127KB

MD5
0ef920d7712d21dda563cab92b29b216

SHA1
643c7ae3eb3e8b89cdeba3bbb15604e7f210040c

SHA256
7cfaf531184febc33eb4c3de5f9bbeb4d946020ed1ad6b7e3fccefd121dd8e86

SHA512
948d74f9b9997354b256fe2b3545a564d5a3683bf274900e92e32d374e2e708685ac1f85d710cf09514cfd9cec4323509fd9598a8620078f074182b384e33bfe

Download Submit
memory/2656-10-0x0000000076FE3000-0x0000000076FE4000-memory.dmp

Filesize
4KB

Download
memory/2656-6-0x000000007F1E0000-0x000000007F1EC000-memory.dmp

Filesize
48KB

Download
memory/2656-9-0x000000007F1E0000-0x000000007F1EC000-memory.dmp

Filesize
48KB

Download
memory/2656-8-0x0000000076FE2000-0x0000000076FE3000-memory.dmp

Filesize
4KB

Download
memory/2656-2-0x0000000010000000-0x0000000010381000-memory.dmp

Filesize
3.5MB

Download
memory/2656-11-0x000000007F1E0000-0x000000007F1EC000-memory.dmp

Filesize
48KB

Download
memory/2656-17-0x000000007F1E0000-0x000000007F1EC000-memory.dmp

Filesize
48KB

Download
memory/2656-20-0x0000000010000000-0x0000000010381000-memory.dmp

Filesize
3.5MB

Download
memory/3440-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3440-12-0x0000000076FE2000-0x0000000076FE3000-memory.dmp

Filesize
4KB

Download
memory/3440-14-0x0000000076FE3000-0x0000000076FE4000-memory.dmp

Filesize
4KB

Download
memory/3440-13-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3440-16-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download