Analysis

max time kernel: 148s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/06/2024, 12:25

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: a368900d694dcd3c16af66f1116529a0_NeikiAnalytics.dll
Resource: win7-20240221-en

Note: the signatures, memory dumps (labelled behavioral2) and process tree below come from the win10v2004 run named in the platform and resource fields above; the behavioral1 (win7-20240221-en) task is listed but its results are not on this page.
General
Target: a368900d694dcd3c16af66f1116529a0_NeikiAnalytics.dll
Size: 120KB
MD5: a368900d694dcd3c16af66f1116529a0
SHA1: e20594826c4f3255daf78fd9edb9b7195028a04b
SHA256: cc8412bfa514cab2f7b00f9e42da8f0a46bee9a672ba9d04820d452a7c4e0a28
SHA512: 4c3af44fbe9db638161115ce1e1babc1bb602679c4096972687db0377342d372d29a494415b01df398c913c55075c14b348f9e74c21a55d7df5aaa9fa38b7579
SSDEEP: 3072:eaWfEFcG3qtcZsyrSeFyAmsz4NzIyKOXxNDjwFujrc:nW8r3MhyrDwceXr4uE
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Set value (int), by both e575fd3.exe and e579337.exe:
  EnableFirewall = "0"
  DoNotAllowExceptions = "0"
  DisableNotifications = "1"
UAC bypass (2 IoCs; signature name taken from the process tree below)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", by e575fd3.exe and by e579337.exe. EnableLUA = 0 switches User Account Control off for the whole machine; the change takes effect after a restart.
Windows security bypass (12 IoCs; signature name taken from the process tree below)
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Set value (int), by both e575fd3.exe and e579337.exe:
  AntiVirusOverride = "1"
  AntiVirusDisableNotify = "1"
  FirewallOverride = "1"
  FirewallDisableNotify = "1"
  UpdatesDisableNotify = "1"
  UacDisableNotify = "1"
The WOW6432Node path shows that both writers are 32-bit processes on the x64 guest (they are launched from C:\Windows\SysWOW64\rundll32.exe); registry redirection places their Security Center writes under WOW6432Node rather than under the native key.
Executes dropped EXE (3 IoCs)
PID 2824 e575fd3.exe
PID 2940 e576225.exe
PID 4056 e579337.exe
Yara rule match: upx (27 memory dumps)
behavioral2/memory/2824-<n>-0x00000000007E0000-0x000000000189A000-memory.dmp, 24 dumps of e575fd3.exe (PID 2824) at n = 6, 8, 9, 10, 11, 12, 18, 19, 29, 31, 36, 37, 38, 39, 40, 46, 55, 56, 57, 64, 66, 68, 71, 72
behavioral2/memory/4056-<n>-0x00000000007F0000-0x00000000018AA000-memory.dmp, 3 dumps of e579337.exe (PID 4056) at n = 100, 107, 131
Every dump of a given process covers the same address range, so the rule matched repeatedly on one region of each dropped executable rather than on transient buffers.
Windows security modification (14 IoCs; signature name taken from the process tree below)
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Set value (int), by both e575fd3.exe and e579337.exe: AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride, FirewallDisableNotify, UpdatesDisableNotify, UacDisableNotify, each = "1" (the same twelve Security Center writes listed above)
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc, by e579337.exe and by e575fd3.exe
Checks whether UAC is enabled (2 IoCs; signature name taken from the process tree below)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", by e575fd3.exe and by e579337.exe (the same two writes appear under System policy modification below)
Enumerates connected drives (3 TTPs, 8 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by e575fd3.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:
Drops file in Windows directory (3 IoCs)
File created C:\Windows\e57ba95 by e579337.exe
File created C:\Windows\e576031 by e575fd3.exe
File opened for modification C:\Windows\SYSTEM.INI by e575fd3.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
PID 2824 e575fd3.exe (4 entries)
PID 4056 e579337.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, PID 2824 e575fd3.exe; all 64 listed entries are this same token and process.
Suspicious use of WriteProcessMemory (64 IoCs)
Report columns: writer PID, target PID, writer PID again, writer image, procid_target (the sandbox's internal index of the target process, not its PID). Target images below are taken from the Processes section. Entries are in report order; the list stops at the 64-entry cap.
3672 rundll32.exe -> 4424 rundll32.exe (3 entries)
4424 rundll32.exe -> 2824 e575fd3.exe (3 entries)
2824 e575fd3.exe -> 800 fontdrvhost.exe, 804 fontdrvhost.exe, 380 dwm.exe, 2876 sihost.exe, 2968 svchost.exe, 3068 taskhostw.exe, 3436 Explorer.EXE, 3584 svchost.exe, 3792 DllHost.exe, 3892 StartMenuExperienceHost.exe, 3960 RuntimeBroker.exe, 4040 SearchApp.exe, 4188 RuntimeBroker.exe, 4616 RuntimeBroker.exe, 4052 TextInputHost.exe, 2716 backgroundTaskHost.exe, 3336 backgroundTaskHost.exe, 3672 rundll32.exe, 4424 rundll32.exe (2 entries)
4424 rundll32.exe -> 2940 e576225.exe (3 entries)
2824 e575fd3.exe -> the same 18 processes again (800 through 3672, one entry each), then 2940 e576225.exe (2 entries)
4424 rundll32.exe -> 4056 e579337.exe (3 entries)
4056 e579337.exe -> 800 fontdrvhost.exe, 804 fontdrvhost.exe, 380 dwm.exe, 2876 sihost.exe, 2968 svchost.exe, 3068 taskhostw.exe, 3436 Explorer.EXE, 3584 svchost.exe, 3792 DllHost.exe, 3892 StartMenuExperienceHost.exe, 3960 RuntimeBroker.exe, 4040 SearchApp.exe (list cut off here by the 64-entry cap)
System policy modification (1 TTP, 2 IoCs)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", by e575fd3.exe and by e579337.exe
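The registry signatures above (firewall policy, EnableLUA, Security Center overrides) all share one flattened line format: operation, value type, native registry path, data and writing process. The Python below is an added example and not part of this report: it parses lines in that format, rewrites the native \REGISTRY\MACHINE prefix to HKLM, and flags each process's writes that match a small tamper table. The sample lines are a constructed subset of the entries above, and the tamper table is an assumption of what a healthy host looks like (firewall on, UAC on, no Security Center overrides); DoNotAllowExceptions = 0 is the Windows default, so the table deliberately leaves it unflagged.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the registry IoC lines from the signatures
# above, one per line, in the report's flattened "description ioc Process" format.
IOC_LINES = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e575fd3.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e575fd3.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e575fd3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e575fd3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e579337.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e579337.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e579337.exe
""".strip().splitlines()

# Native object-manager hive names -> Win32 hive abbreviations.
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+) (\S+)$')

# (key suffix, value name, data) that indicates tampering -> what it means.
# Assumption: a healthy host has the firewall and UAC on and no Security Center
# overrides. DoNotAllowExceptions = 0 is the Windows default, so it is not listed.
TAMPER = {
    ("FirewallPolicy\\StandardProfile", "EnableFirewall", "0"): "Windows Firewall standard profile turned off",
    ("FirewallPolicy\\StandardProfile", "DisableNotifications", "1"): "firewall notifications suppressed",
    ("Policies\\System", "EnableLUA", "0"): "UAC disabled (effective after restart)",
    ("Security Center", "AntiVirusOverride", "1"): "antivirus state override set",
    ("Security Center", "AntiVirusDisableNotify", "1"): "antivirus notifications suppressed",
    ("Security Center", "FirewallOverride", "1"): "firewall state override set",
    ("Security Center", "FirewallDisableNotify", "1"): "Security Center firewall notifications suppressed",
    ("Security Center", "UpdatesDisableNotify", "1"): "update notifications suppressed",
    ("Security Center", "UacDisableNotify", "1"): "UAC notifications suppressed",
}


def to_win32(path):
    """Rewrite a native \\REGISTRY\\MACHINE\\... path as HKLM\\... (hive match is case-insensitive)."""
    for native, hive in HIVES.items():
        if path.upper().startswith(native.upper()):
            return hive + path[len(native):]
    return path


def parse_ioc(line):
    """Parse one flattened IoC line into a record, or None if it is not a registry operation."""
    m = SET_RE.match(line)
    if m:
        vtype, path, data, process = m.groups()
        key, name = to_win32(path).rsplit("\\", 1)
        return {"op": "set", "type": vtype, "key": key, "name": name,
                "data": data, "process": process}
    m = KEY_RE.match(line)
    if m:
        path, process = m.groups()
        return {"op": "create", "type": None, "key": to_win32(path), "name": None,
                "data": None, "process": process}
    return None


def audit(lines):
    """Map each writing process to the (value path, data, meaning) tuples that match TAMPER."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_ioc(line)
        if rec is None or rec["op"] != "set":
            continue  # key creations are parsed but carry no data to judge
        for (suffix, name, bad), why in TAMPER.items():
            if rec["key"].endswith(suffix) and rec["name"] == name and rec["data"] == bad:
                findings[rec["process"]].append((rec["key"] + "\\" + rec["name"], rec["data"], why))
    return dict(findings)


if __name__ == "__main__":
    for process, items in audit(IOC_LINES).items():
        print(process)
        for value_path, data, why in items:
            print(f"  {value_path} = {data}  -> {why}")
```

The suffix match on the key (rather than a full path) is what lets the same table cover the WOW6432Node Security Center key written by these 32-bit droppers and the native key a 64-bit process would write.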
Processes (indented by parent/child depth; cmd = command line as recorded)

C:\Windows\system32\fontdrvhost.exe | cmd: "fontdrvhost.exe" | PID 800
C:\Windows\system32\fontdrvhost.exe | cmd: "fontdrvhost.exe" | PID 804
C:\Windows\system32\dwm.exe | cmd: "dwm.exe" | PID 380
C:\Windows\system32\sihost.exe | cmd: sihost.exe | PID 2876
C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2968
C:\Windows\system32\taskhostw.exe | cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3068
C:\Windows\Explorer.EXE | cmd: C:\Windows\Explorer.EXE | PID 3436
    C:\Windows\system32\rundll32.exe | cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a368900d694dcd3c16af66f1116529a0_NeikiAnalytics.dll,#1 | PID 3672
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\rundll32.exe | cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a368900d694dcd3c16af66f1116529a0_NeikiAnalytics.dll,#1 | PID 4424
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\e575fd3.exe | cmd: C:\Users\Admin\AppData\Local\Temp\e575fd3.exe | PID 2824
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Enumerates connected drives
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                - System policy modification
            C:\Users\Admin\AppData\Local\Temp\e576225.exe | cmd: C:\Users\Admin\AppData\Local\Temp\e576225.exe | PID 2940
                - Executes dropped EXE
            C:\Users\Admin\AppData\Local\Temp\e579337.exe | cmd: C:\Users\Admin\AppData\Local\Temp\e579337.exe | PID 4056
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                - System policy modification
C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3584
C:\Windows\system32\DllHost.exe | cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3792
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3892
C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3960
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4040
C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4188
C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4616
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 4052
C:\Windows\system32\backgroundTaskHost.exe | cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 2716
C:\Windows\system32\backgroundTaskHost.exe | cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 3336
C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2636
C:\Windows\System32\RuntimeBroker.exe | cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4628

The 64-bit C:\Windows\system32\rundll32.exe (PID 3672) hands the DLL to the 32-bit C:\Windows\SysWOW64\rundll32.exe (PID 4424), the host needed for a 32-bit DLL on an x64 guest (consistent with the arch:x86 resource tag and the WOW6432Node registry writes). All three dropped executables are children of that 32-bit rundll32.exe; the depth-1 processes listed before and after it are the pre-existing session processes that e575fd3.exe and e579337.exe later write into.
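The WriteProcessMemory entries in the signatures above mix two very different things: a parent writing into a process it just spawned (rundll32.exe setting up e575fd3.exe, e576225.exe and e579337.exe) and the dropped executables writing into session processes they have no relationship with (fontdrvhost.exe, dwm.exe, sihost.exe, Explorer.EXE and so on). The Python below is an added example and not part of this report: it parses lines in the report's "PID A wrote to memory of B A image procid_target" format, checks each target against the writer's descendant chain, and reports writers that touched a process they did not spawn, ranked by how many such targets they hit. The sample lines, the PID-to-image table and the parent table are all constructed from the entries and process tree above; the last column is the sandbox's internal target index, not a PID, and is ignored.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Suspicious use of WriteProcessMemory" lines
# above. Columns: writer PID, target PID, writer PID again, writer image, and the
# sandbox's internal index of the target (not a PID).
WRITE_LINES = """
PID 3672 wrote to memory of 4424 3672 rundll32.exe 83
PID 4424 wrote to memory of 2824 4424 rundll32.exe 84
PID 4424 wrote to memory of 2940 4424 rundll32.exe 85
PID 4424 wrote to memory of 4056 4424 rundll32.exe 92
PID 2824 wrote to memory of 800 2824 e575fd3.exe 9
PID 2824 wrote to memory of 804 2824 e575fd3.exe 10
PID 2824 wrote to memory of 380 2824 e575fd3.exe 13
PID 2824 wrote to memory of 2876 2824 e575fd3.exe 49
PID 2824 wrote to memory of 2968 2824 e575fd3.exe 50
PID 2824 wrote to memory of 3436 2824 e575fd3.exe 56
PID 2824 wrote to memory of 4424 2824 e575fd3.exe 83
PID 4056 wrote to memory of 800 4056 e579337.exe 9
PID 4056 wrote to memory of 380 4056 e579337.exe 13
""".strip().splitlines()

# Constructed from the Processes section: PID -> image, and child -> parent PID for
# the rundll32 chain. Depth-1 session processes have no recorded parent here.
IMAGES = {800: "fontdrvhost.exe", 804: "fontdrvhost.exe", 380: "dwm.exe",
          2876: "sihost.exe", 2968: "svchost.exe", 3436: "Explorer.EXE",
          3672: "rundll32.exe", 4424: "rundll32.exe", 2824: "e575fd3.exe",
          2940: "e576225.exe", 4056: "e579337.exe"}
PARENT = {4424: 3672, 2824: 4424, 2940: 4424, 4056: 4424}

# The backreference \1 enforces the repeated writer PID the report emits.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_write(line):
    """Return (writer_pid, target_pid, writer_image), or None for a non-matching line."""
    m = WRITE_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def is_descendant(pid, ancestor, parent=PARENT):
    """True if `ancestor` appears somewhere on pid's parent chain."""
    while pid in parent:
        pid = parent[pid]
        if pid == ancestor:
            return True
    return False


def classify_writes(lines, parent=PARENT):
    """Per writer: its image, the targets it spawned, and the foreign targets it wrote to."""
    out = defaultdict(lambda: {"image": None, "descendants": set(), "foreign": set()})
    for line in lines:
        rec = parse_write(line)
        if rec is None:
            continue
        src, dst, image = rec
        out[src]["image"] = image
        bucket = "descendants" if is_descendant(dst, src, parent) else "foreign"
        out[src][bucket].add(dst)
    return dict(out)


def injectors(lines, parent=PARENT, images=IMAGES):
    """Writers that touched at least one process they did not spawn, most targets first."""
    hits = []
    for pid, info in classify_writes(lines, parent).items():
        if info["foreign"]:
            targets = sorted(images.get(t, f"pid:{t}") for t in info["foreign"])
            hits.append((pid, info["image"], targets))
    return sorted(hits, key=lambda h: len(h[2]), reverse=True)


if __name__ == "__main__":
    for pid, image, targets in injectors(WRITE_LINES):
        print(f"{pid} {image}: wrote into {len(targets)} foreign processes: {', '.join(targets)}")
```

With the constructed lines, rundll32.exe (3672 and 4424) only ever writes to its own descendants and is not reported, while e575fd3.exe is reported with seven foreign targets, one of which is its own parent rundll32.exe (4424): writing upward into an ancestor is as foreign as writing into dwm.exe, and the descendant check catches both.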
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (3): Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: 8a56ee5cc123abd83f540883eb24b546
SHA1: 878563bec5b91e226f618938559bc49e72bfd8be
SHA256: 125d82017d3e052e43c8e7f84258f671b62898700acb2a9d71765badc0109fd1
SHA512: 477ccf5af003acbf2220b707dc6fb8f54aa1715caa8ea74023c65b79daf31210ad9abf0ed4f396deca789038ab59e1c45e5d93121ce6a44f4447f3627d5e7afb

Filesize: 257B
MD5: 6f6e4d3893ff8ce6677276bf4d755418
SHA1: 60190a0cbd9eef63faab0a7f66eb14362e17e8e2
SHA256: 5125d5c40c388eb11c1b91d49a2fca876fc4f6573bf0f28220aa23724ac5551d
SHA512: 02f1889946bb2f21c2805f3713d32948f9879a2f4742f286f919f74dbe56b81b125b7a1106dd43a7d0f87e2770f7134ffaf062f3242a9f7f98a392e78c27d93a