Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/06/2024, 09:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: b52664cc2351616d712d3b7678142410_NeikiAnalytics.dll
- Resource: win7-20240611-en
General
- Target: b52664cc2351616d712d3b7678142410_NeikiAnalytics.dll
- Size: 120KB
- MD5: b52664cc2351616d712d3b7678142410
- SHA1: 64c04c1e103b454ed7422582600b0399d992cd1c
- SHA256: cec208e0fc5ccdc4321309e4bd9e8dfc5679008d11302503221bfc01a24f858e
- SHA512: ad81b158ec43c063bfed4fdc392b1c00250416172b4929fe9b4d68b1f5e39db0f018af6c0daf2b0f5432a1b36f5444eea62fec2d7d98ced43ac705d02bbcf397
- SSDEEP: 3072:VcpU9wkVnKJwSvjmAC06xFJtkU7Y6yI++Pg:+aVgwpAC06P4U7Y1+Pg
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e574045.exe |
UAC bypass

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575f56.exe |
Windows security bypass

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574045.exe |
Executes dropped EXE 3 IoCs

| pid | Process |
|---|---|
| 4784 | e574045.exe |
| 3028 | e57418d.exe |
| 3688 | e575f56.exe |
Windows security modification

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e574045.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575f56.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575f56.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e575f56.exe |
Checks whether UAC is enabled

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575f56.exe |
Enumerates connected drives 3 TTPs 14 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\Q: | e574045.exe |
| File opened (read-only) | \??\J: | e574045.exe |
| File opened (read-only) | \??\K: | e574045.exe |
| File opened (read-only) | \??\P: | e574045.exe |
| File opened (read-only) | \??\E: | e574045.exe |
| File opened (read-only) | \??\I: | e574045.exe |
| File opened (read-only) | \??\M: | e574045.exe |
| File opened (read-only) | \??\N: | e574045.exe |
| File opened (read-only) | \??\O: | e574045.exe |
| File opened (read-only) | \??\G: | e574045.exe |
| File opened (read-only) | \??\H: | e574045.exe |
| File opened (read-only) | \??\L: | e574045.exe |
| File opened (read-only) | \??\E: | e575f56.exe |
| File opened (read-only) | \??\G: | e575f56.exe |
Drops file in Program Files directory 4 IoCs

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Program Files\7-Zip\7z.exe | e574045.exe |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e574045.exe |
| File opened for modification | C:\Program Files\7-Zip\7zG.exe | e574045.exe |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | e574045.exe |
Drops file in Windows directory 3 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\e5740a3 | e574045.exe |
| File opened for modification | C:\Windows\SYSTEM.INI | e574045.exe |
| File created | C:\Windows\e5791b1 | e575f56.exe |
Suspicious behavior: EnumeratesProcesses 6 IoCs

| pid | Process |
|---|---|
| 4784 | e574045.exe |
| 4784 | e574045.exe |
| 4784 | e574045.exe |
| 4784 | e574045.exe |
| 3688 | e575f56.exe |
| 3688 | e575f56.exe |
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e574045.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575f56.exe |
Processes

- C:\Windows\system32\fontdrvhost.exe (PID 792)
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe (PID 784)
  Command line: "fontdrvhost.exe"
- C:\Windows\system32\dwm.exe (PID 336)
  Command line: "dwm.exe"
- C:\Windows\system32\sihost.exe (PID 2544)
  Command line: sihost.exe
- C:\Windows\system32\svchost.exe (PID 2564)
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\taskhostw.exe (PID 2776)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\Explorer.EXE (PID 3528)
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (PID 940)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b52664cc2351616d712d3b7678142410_NeikiAnalytics.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 1708)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b52664cc2351616d712d3b7678142410_NeikiAnalytics.dll,#1
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e574045.exe (PID 4784)
        Command line: C:\Users\Admin\AppData\Local\Temp\e574045.exe
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e57418d.exe (PID 3028)
        Command line: C:\Users\Admin\AppData\Local\Temp\e57418d.exe
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e575f56.exe (PID 3688)
        Command line: C:\Users\Admin\AppData\Local\Temp\e575f56.exe
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe (PID 3660)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe (PID 3840)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3932)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3996)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 1004)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3704)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 1940)
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4440)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\backgroundTaskHost.exe (PID 396)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- C:\Windows\system32\backgroundTaskHost.exe (PID 4380)
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 1808)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe (PID 3524)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads

- Filesize: 97KB
  MD5: 8d5a5b989023945f07cac2e24d53841b
  SHA1: cfec0fa00ca1da751b750172ba5ccffafb074988
  SHA256: 210ef01d6992081eb11cd20334dbcb83f41831bbdae46402626c15cd16e93bb4
  SHA512: 32fe5ca36334d620e9b9bcb28fdec283d10956d5e4ed5cefec928966e98bafb3f6f6f3e1a2237ebbb028da8f1743da1db235aafa0f48da95a47e4d64f6729317
- Filesize: 257B
  MD5: 8c86cbc4e4d6e0f15922d118727db49f
  SHA1: 77cacbea5fb0f436c448fccfe527c37aa10e0818
  SHA256: 1495ddf536172771e985e80227189e005ac01454582612be24fb648585db6734
  SHA512: dc68daf08a0b23f7d36aa2317ce38f62d12f787ab6d447ec9ed42cc500a24e7dcf286e56c6688f46d77709df856a754466430c1b1635a5694c191bd740ba4159