Analysis
- max time kernel: 138s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 20:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll
- Resource: win7-20240508-en
General
- Target: 4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll
- Size: 120KB
- MD5: 4bceefbe345b452abeb46ece84d2ed50
- SHA1: c77be676463a84a7350f0a43f3117e79562efa16
- SHA256: 93fe6d0e6779b13610e5106a44faa5f7089232d5ef85926bf9a0eb8a6e774a5d
- SHA512: d0f877869d769d866750b6b05165c7c63b5043b0830591c634a4b9577edd323d10bd24a23766d80884dfa7b490721d59240b929b7d54d726dab53afb57e9f392
- SSDEEP: 1536:LKlY9zzPhfAkgf1nF8BleBXWX8TtKjf1ZIh8O8uOyVh8Y2Cdv4TVEKLx3yScvxv/:mizPGnF8BuEk3Y/CdyFncvRu3
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: e573894.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e573894.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e573894.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e573894.exe)
UAC bypass
Processes: e573894.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e573894.exe)
Windows security bypass
Processes: e573894.exe, e57543a.exe
- Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ by e573894.exe: FirewallDisableNotify = "1", UpdatesDisableNotify = "1", UacDisableNotify = "1", AntiVirusOverride = "1", FirewallOverride = "1", AntiVirusDisableNotify = "1"
- Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ by e57543a.exe: AntiVirusOverride = "1", AntiVirusDisableNotify = "1", FirewallOverride = "1", FirewallDisableNotify = "1", UpdatesDisableNotify = "1", UacDisableNotify = "1"
Executes dropped EXE 4 IoCs
Processes: e573894.exe, e5739cd.exe, e57543a.exe, e57544a.exe
- PID 5644 e573894.exe
- PID 2852 e5739cd.exe
- PID 3812 e57543a.exe
- PID 1820 e57544a.exe
Matches yara rule upx
Processes: e573894.exe (PID 5644), e57543a.exe (PID 3812)
Windows security modification
Processes: e573894.exe, e57543a.exe
- Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ by e573894.exe: AntiVirusOverride = "1", UpdatesDisableNotify = "1", UacDisableNotify = "1", AntiVirusDisableNotify = "1", FirewallDisableNotify = "1", FirewallOverride = "1"
- Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ by e57543a.exe: AntiVirusOverride = "1", FirewallDisableNotify = "1", FirewallOverride = "1", UacDisableNotify = "1", AntiVirusDisableNotify = "1", UpdatesDisableNotify = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e573894.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57543a.exe)
Checks whether UAC is enabled
Processes: e573894.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e573894.exe)
Enumerates connected drives 3 TTPs 15 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e573894.exe
- File opened (read-only) by e573894.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:
Drops file in Program Files directory 4 IoCs
Processes: e573894.exe
- File opened for modification C:\Program Files\7-Zip\7z.exe (e573894.exe)
- File opened for modification C:\Program Files\7-Zip\7zFM.exe (e573894.exe)
- File opened for modification C:\Program Files\7-Zip\7zG.exe (e573894.exe)
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe (e573894.exe)
Drops file in Windows directory 2 IoCs
Processes: e573894.exe
- File created C:\Windows\e5738d3 (e573894.exe)
- File opened for modification C:\Windows\SYSTEM.INI (e573894.exe)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: e573894.exe
- PID 5644 e573894.exe (4 events)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e573894.exe
- Token: SeDebugPrivilege, PID 5644 e573894.exe (64 events)
Suspicious use of WriteProcessMemory 59 IoCs
Processes: rundll32.exe, rundll32.exe, e573894.exe
- PID 4908 rundll32.exe wrote to memory of PID 5844 rundll32.exe (3 events)
- PID 5844 rundll32.exe wrote to memory of PID 5644 e573894.exe (3 events)
- PID 5644 e573894.exe wrote to memory of PID 792 fontdrvhost.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 800 fontdrvhost.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 468 dwm.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 2712 sihost.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 2780 svchost.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 2956 taskhostw.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 3440 Explorer.EXE (2 events)
- PID 5644 e573894.exe wrote to memory of PID 3584 svchost.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 3760 DllHost.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 3848 StartMenuExperienceHost.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 3916 RuntimeBroker.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 4008 SearchApp.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 4192 RuntimeBroker.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 4240 TextInputHost.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 1876 RuntimeBroker.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 4900 backgroundTaskHost.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 4620 backgroundTaskHost.exe (1 event)
- PID 5644 e573894.exe wrote to memory of PID 4908 rundll32.exe (1 event)
- PID 5644 e573894.exe wrote to memory of PID 5844 rundll32.exe (2 events)
- PID 5844 rundll32.exe wrote to memory of PID 2852 e5739cd.exe (3 events)
- PID 5844 rundll32.exe wrote to memory of PID 3812 e57543a.exe (3 events)
- PID 5844 rundll32.exe wrote to memory of PID 1820 e57544a.exe (3 events)
- PID 5644 e573894.exe wrote to memory of PID 2852 e5739cd.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 5404 RuntimeBroker.exe (1 event)
- PID 5644 e573894.exe wrote to memory of PID 4744 RuntimeBroker.exe (1 event)
- PID 5644 e573894.exe wrote to memory of PID 3812 e57543a.exe (2 events)
- PID 5644 e573894.exe wrote to memory of PID 1820 e57544a.exe (2 events)
System policy modification 1 TTPs 1 IoCs
Processes: e573894.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e573894.exe)
Processes
- PID 792: C:\Windows\system32\fontdrvhost.exe, command line "fontdrvhost.exe"
- PID 800: C:\Windows\system32\fontdrvhost.exe, command line "fontdrvhost.exe"
- PID 468: C:\Windows\system32\dwm.exe, command line "dwm.exe"
- PID 2712: C:\Windows\system32\sihost.exe, command line sihost.exe
- PID 2780: C:\Windows\system32\svchost.exe, command line C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2956: C:\Windows\system32\taskhostw.exe, command line taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 3440: C:\Windows\Explorer.EXE, command line C:\Windows\Explorer.EXE
  - PID 4908: C:\Windows\system32\rundll32.exe, command line rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
    - PID 5844: C:\Windows\SysWOW64\rundll32.exe, command line rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bceefbe345b452abeb46ece84d2ed50_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
      - PID 5644: C:\Users\Admin\AppData\Local\Temp\e573894.exe, command line C:\Users\Admin\AppData\Local\Temp\e573894.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - PID 2852: C:\Users\Admin\AppData\Local\Temp\e5739cd.exe, command line C:\Users\Admin\AppData\Local\Temp\e5739cd.exe
        - Executes dropped EXE
      - PID 3812: C:\Users\Admin\AppData\Local\Temp\e57543a.exe, command line C:\Users\Admin\AppData\Local\Temp\e57543a.exe
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
      - PID 1820: C:\Users\Admin\AppData\Local\Temp\e57544a.exe, command line C:\Users\Admin\AppData\Local\Temp\e57544a.exe
        - Executes dropped EXE
- PID 3584: C:\Windows\system32\svchost.exe, command line C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3760: C:\Windows\system32\DllHost.exe, command line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3848: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, command line "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3916: C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4008: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, command line "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 4192: C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4240: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, command line "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 1876: C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4900: C:\Windows\system32\backgroundTaskHost.exe, command line "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- PID 4620: C:\Windows\system32\backgroundTaskHost.exe, command line "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- PID 5404: C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4744: C:\Windows\System32\RuntimeBroker.exe, command line C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
- MD5: fec4f783bd68280cc60aedb74e1a4481
- SHA1: 05a05fc98323e28d5bb5a2a194a05698911faaea
- SHA256: d2927b19d9a11f5998311d9a6a98c169dbed017cc197b5180f1cb6de99c2a526
- SHA512: f582543b4a3151b352e2f4fe300b69db0dd1329f5cf87e512edb8a6178cedb6cc85700eb29043bfe0c5d7673d177ca07513b73a5c1f2238c76162b8c523e3b72