Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-05-2024 02:59
Static task: static1
Behavioral task: behavioral1
Sample: 86b04757abc8cca38203713e7532e130_NeikiAnalytics.dll
Resource: win7-20240508-en
General
Target: 86b04757abc8cca38203713e7532e130_NeikiAnalytics.dll
Size: 120KB
MD5: 86b04757abc8cca38203713e7532e130
SHA1: 5a31e4e17b1cf26c5f6757494d3040c18c297729
SHA256: 35f289ed554716e5f8f5624ccaa609b8b6b687dc97e8b4e842673d87003d2995
SHA512: fd1933bcaa21429297043a6d7eb3079cd9acb55ae51bb99b84517ebfc0dae1519ae8dc660cbc3cbc7bd0f925a7f36b3f62446b54a2701bab18324eaa551a95af
SSDEEP: 3072:ORNJ1OVdRvlcdU0Od7u/bdXKyUlATq0UYK3kT:ORT1OV3vshOt05Kr2G0zDT
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574e3f.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57324b.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574e3f.exe
Executes dropped EXE 3 IoCs
pid | Process
5072 | e57324b.exe
3084 | e573393.exe
4400 | e574e3f.exe
resource | yara_rule
behavioral2/memory/5072-10-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-12-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-11-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-23-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-34-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-29-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-13-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-28-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-6-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-9-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-8-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-37-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-36-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-38-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-39-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-40-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-42-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-43-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-52-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-54-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-55-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-65-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-66-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-69-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-72-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-74-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-77-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-79-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-86-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-87-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-90-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/5072-91-0x00000000008C0000-0x000000000197A000-memory.dmp | upx
behavioral2/memory/4400-122-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/4400-158-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574e3f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57324b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574e3f.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57324b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574e3f.exe
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | e57324b.exe
File opened (read-only) | \??\S: | e57324b.exe
File opened (read-only) | \??\E: | e57324b.exe
File opened (read-only) | \??\N: | e57324b.exe
File opened (read-only) | \??\O: | e57324b.exe
File opened (read-only) | \??\E: | e574e3f.exe
File opened (read-only) | \??\G: | e574e3f.exe
File opened (read-only) | \??\G: | e57324b.exe
File opened (read-only) | \??\I: | e57324b.exe
File opened (read-only) | \??\J: | e57324b.exe
File opened (read-only) | \??\K: | e57324b.exe
File opened (read-only) | \??\T: | e57324b.exe
File opened (read-only) | \??\H: | e57324b.exe
File opened (read-only) | \??\M: | e57324b.exe
File opened (read-only) | \??\P: | e57324b.exe
File opened (read-only) | \??\Q: | e57324b.exe
File opened (read-only) | \??\R: | e57324b.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e57324b.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e57324b.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e57324b.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e57324b.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\e573289 | e57324b.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57324b.exe
File created | C:\Windows\e57827e | e574e3f.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5072 | e57324b.exe
5072 | e57324b.exe
5072 | e57324b.exe
5072 | e57324b.exe
4400 | e574e3f.exe
4400 | e574e3f.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5072 | e57324b.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1068 wrote to memory of 5244 | 1068 | rundll32.exe | 82
PID 1068 wrote to memory of 5244 | 1068 | rundll32.exe | 82
PID 1068 wrote to memory of 5244 | 1068 | rundll32.exe | 82
PID 5244 wrote to memory of 5072 | 5244 | rundll32.exe | 83
PID 5244 wrote to memory of 5072 | 5244 | rundll32.exe | 83
PID 5244 wrote to memory of 5072 | 5244 | rundll32.exe | 83
PID 5072 wrote to memory of 784 | 5072 | e57324b.exe | 8
PID 5072 wrote to memory of 792 | 5072 | e57324b.exe | 9
PID 5072 wrote to memory of 332 | 5072 | e57324b.exe | 13
PID 5072 wrote to memory of 2932 | 5072 | e57324b.exe | 49
PID 5072 wrote to memory of 2968 | 5072 | e57324b.exe | 50
PID 5072 wrote to memory of 1424 | 5072 | e57324b.exe | 51
PID 5072 wrote to memory of 3472 | 5072 | e57324b.exe | 56
PID 5072 wrote to memory of 3604 | 5072 | e57324b.exe | 57
PID 5072 wrote to memory of 3788 | 5072 | e57324b.exe | 58
PID 5072 wrote to memory of 3876 | 5072 | e57324b.exe | 59
PID 5072 wrote to memory of 3944 | 5072 | e57324b.exe | 60
PID 5072 wrote to memory of 4024 | 5072 | e57324b.exe | 61
PID 5072 wrote to memory of 4192 | 5072 | e57324b.exe | 62
PID 5072 wrote to memory of 4624 | 5072 | e57324b.exe | 73
PID 5072 wrote to memory of 4648 | 5072 | e57324b.exe | 74
PID 5072 wrote to memory of 2076 | 5072 | e57324b.exe | 79
PID 5072 wrote to memory of 2344 | 5072 | e57324b.exe | 80
PID 5072 wrote to memory of 1068 | 5072 | e57324b.exe | 81
PID 5072 wrote to memory of 5244 | 5072 | e57324b.exe | 82
PID 5072 wrote to memory of 5244 | 5072 | e57324b.exe | 82
PID 5244 wrote to memory of 3084 | 5244 | rundll32.exe | 84
PID 5244 wrote to memory of 3084 | 5244 | rundll32.exe | 84
PID 5244 wrote to memory of 3084 | 5244 | rundll32.exe | 84
PID 5244 wrote to memory of 4400 | 5244 | rundll32.exe | 95
PID 5244 wrote to memory of 4400 | 5244 | rundll32.exe | 95
PID 5244 wrote to memory of 4400 | 5244 | rundll32.exe | 95
PID 5072 wrote to memory of 784 | 5072 | e57324b.exe | 8
PID 5072 wrote to memory of 792 | 5072 | e57324b.exe | 9
PID 5072 wrote to memory of 332 | 5072 | e57324b.exe | 13
PID 5072 wrote to memory of 2932 | 5072 | e57324b.exe | 49
PID 5072 wrote to memory of 2968 | 5072 | e57324b.exe | 50
PID 5072 wrote to memory of 1424 | 5072 | e57324b.exe | 51
PID 5072 wrote to memory of 3472 | 5072 | e57324b.exe | 56
PID 5072 wrote to memory of 3604 | 5072 | e57324b.exe | 57
PID 5072 wrote to memory of 3788 | 5072 | e57324b.exe | 58
PID 5072 wrote to memory of 3876 | 5072 | e57324b.exe | 59
PID 5072 wrote to memory of 3944 | 5072 | e57324b.exe | 60
PID 5072 wrote to memory of 4024 | 5072 | e57324b.exe | 61
PID 5072 wrote to memory of 4192 | 5072 | e57324b.exe | 62
PID 5072 wrote to memory of 4624 | 5072 | e57324b.exe | 73
PID 5072 wrote to memory of 4648 | 5072 | e57324b.exe | 74
PID 5072 wrote to memory of 2076 | 5072 | e57324b.exe | 79
PID 5072 wrote to memory of 3084 | 5072 | e57324b.exe | 84
PID 5072 wrote to memory of 3084 | 5072 | e57324b.exe | 84
PID 5072 wrote to memory of 5504 | 5072 | e57324b.exe | 86
PID 5072 wrote to memory of 4344 | 5072 | e57324b.exe | 87
PID 5072 wrote to memory of 4400 | 5072 | e57324b.exe | 95
PID 5072 wrote to memory of 4400 | 5072 | e57324b.exe | 95
PID 4400 wrote to memory of 784 | 4400 | e574e3f.exe | 8
PID 4400 wrote to memory of 792 | 4400 | e574e3f.exe | 9
PID 4400 wrote to memory of 332 | 4400 | e574e3f.exe | 13
PID 4400 wrote to memory of 2932 | 4400 | e574e3f.exe | 49
PID 4400 wrote to memory of 2968 | 4400 | e574e3f.exe | 50
PID 4400 wrote to memory of 1424 | 4400 | e574e3f.exe | 51
PID 4400 wrote to memory of 3472 | 4400 | e574e3f.exe | 56
PID 4400 wrote to memory of 3604 | 4400 | e574e3f.exe | 57
PID 4400 wrote to memory of 3788 | 4400 | e574e3f.exe | 58
PID 4400 wrote to memory of 3876 | 4400 | e574e3f.exe | 59
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574e3f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57324b.exe
Processes
(image path | command line | PID; child processes are indented under their parent)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:792
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:332
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2932
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2968
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:1424
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3472
  - C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\86b04757abc8cca38203713e7532e130_NeikiAnalytics.dll,#1 | PID:1068
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\86b04757abc8cca38203713e7532e130_NeikiAnalytics.dll,#1 | PID:5244
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e57324b.exe | C:\Users\Admin\AppData\Local\Temp\e57324b.exe | PID:5072
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e573393.exe | C:\Users\Admin\AppData\Local\Temp\e573393.exe | PID:3084
        signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e574e3f.exe | C:\Users\Admin\AppData\Local\Temp\e574e3f.exe | PID:4400
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3604
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3788
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3876
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3944
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4024
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4192
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4624
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4648
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:2076
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2344
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:5504
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4344
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: c05debb04449823455e7586930e71dc6
  SHA1: ecbc0b5648b1dfc8abcf16c36c350589b6cb2ced
  SHA256: d4ed92834b83b6d7446a84702396bf37cfcf8d47b9c7bf9e88abfd0f1b1d6ae3
  SHA512: c4f81e8cbfd47228e1321c775e69f00b98ab82d4d92add6385565d21e72d6e2409d50a525862677002203134c4328eceeb0043acb4fce47c1737ee5727cf77ca
- Filesize: 257B
  MD5: 917eb2eef87263e49b21ea6bb8136f0e
  SHA1: 2311b54ac50ecaf8cb2ff7ef253e6785cd3fb58b
  SHA256: b6b3291534dc81c6dd09e6c17cc7ce6ca0b2a5c0da5c97e34f84b3f9a4839127
  SHA512: 876d15d52af3dc32912b450c32ca3bcf0ababd7b2bdf60dadd36c33e172631fb645b596edc97612871555f42983ade068822ecc7935f44eadcd2441101dad961