Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 23:03
Static task: static1
Behavioral task: behavioral1
Sample: 1f96be3828155be292ddc51debb544d5b0bfa4e79083a419a14b3f4cf6b5dd1f_NeikiAnalytics.dll
Resource: win7-20240611-en
General
Target: 1f96be3828155be292ddc51debb544d5b0bfa4e79083a419a14b3f4cf6b5dd1f_NeikiAnalytics.dll
Size: 120KB
MD5: 05ab5b3fd4333b13941ee07d68c580e0
SHA1: f9cbdd44eb5c76b72af55e02692b2bc0fd6c4427
SHA256: 1f96be3828155be292ddc51debb544d5b0bfa4e79083a419a14b3f4cf6b5dd1f
SHA512: 5201acb57387422a3a92c82be227a2dde1519d07f31061814e8a423072d52e4c11d917c5c97f4044b067e7d5bfeaaee58e8cc7d04c27a2fce281e4abce768f6e
SSDEEP: 1536:8KhHwlmKQCG86mMcDmr+OULW6Dmau6aZJn1Ge4vRbb1U22wW3BpCFL0S7:kfJDmrWJ7u6aXn1ivRbb+qFQS7
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e573d86.exe
UAC bypass 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573d86.exe
Windows security bypass 12 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573ede.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573ede.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573ede.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573ede.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573ede.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573ede.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573d86.exe
Executes dropped EXE 3 IoCs
pid | process
1188 | e573d86.exe
1784 | e573ede.exe
780 | e57606f.exe
Yara rule match (upx) 28 IoCs
resource | yara_rule
behavioral2/memory/1188-13-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-11-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-8-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-9-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-10-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-27-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-23-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-32-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-12-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-6-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-35-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-37-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-36-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-38-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-40-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-39-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-59-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-60-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-62-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-64-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-65-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-66-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-69-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-72-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-74-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-76-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1188-79-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/1784-102-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Windows security modification 14 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573ede.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573ede.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573ede.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573ede.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573ede.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573ede.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573d86.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573d86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573ede.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573d86.exe
Enumerates connected drives 3 TTPs 11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\M: | e573d86.exe
File opened (read-only) | \??\N: | e573d86.exe
File opened (read-only) | \??\O: | e573d86.exe
File opened (read-only) | \??\P: | e573d86.exe
File opened (read-only) | \??\H: | e573d86.exe
File opened (read-only) | \??\I: | e573d86.exe
File opened (read-only) | \??\J: | e573d86.exe
File opened (read-only) | \??\K: | e573d86.exe
File opened (read-only) | \??\L: | e573d86.exe
File opened (read-only) | \??\E: | e573d86.exe
File opened (read-only) | \??\G: | e573d86.exe
Drops file in Program Files directory 3 IoCs
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e573d86.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e573d86.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e573d86.exe
Drops file in Windows directory 2 IoCs
description | ioc | process
File created | C:\Windows\e573dd4 | e573d86.exe
File opened for modification | C:\Windows\SYSTEM.INI | e573d86.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | process
1188 | e573d86.exe (4 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | process
Token: SeDebugPrivilege | 1188 | e573d86.exe (64 identical entries)
Suspicious use of WriteProcessMemory 56 IoCs
source PID (image) -> target PID (image) | entries
4336 (rundll32.exe) -> 3420 (rundll32.exe) | 3
3420 (rundll32.exe) -> 1188 (e573d86.exe) | 3
1188 (e573d86.exe) -> 788 (fontdrvhost.exe) | 1
1188 (e573d86.exe) -> 796 (fontdrvhost.exe) | 1
1188 (e573d86.exe) -> 380 (dwm.exe) | 1
1188 (e573d86.exe) -> 3060 (sihost.exe) | 1
1188 (e573d86.exe) -> 2432 (svchost.exe) | 1
1188 (e573d86.exe) -> 3124 (taskhostw.exe) | 1
1188 (e573d86.exe) -> 3456 (Explorer.EXE) | 1
1188 (e573d86.exe) -> 3572 (svchost.exe) | 1
1188 (e573d86.exe) -> 3756 (DllHost.exe) | 1
1188 (e573d86.exe) -> 3844 (StartMenuExperienceHost.exe) | 1
1188 (e573d86.exe) -> 3916 (RuntimeBroker.exe) | 1
1188 (e573d86.exe) -> 3992 (SearchApp.exe) | 1
1188 (e573d86.exe) -> 3468 (RuntimeBroker.exe) | 1
1188 (e573d86.exe) -> 1484 (TextInputHost.exe) | 1
1188 (e573d86.exe) -> 3772 (RuntimeBroker.exe) | 1
1188 (e573d86.exe) -> 4980 (backgroundTaskHost.exe) | 1
1188 (e573d86.exe) -> 2076 (backgroundTaskHost.exe) | 1
1188 (e573d86.exe) -> 4336 (rundll32.exe) | 1
1188 (e573d86.exe) -> 3420 (rundll32.exe) | 2
3420 (rundll32.exe) -> 1784 (e573ede.exe) | 3
3420 (rundll32.exe) -> 780 (e57606f.exe) | 3
1188 (e573d86.exe) -> 788 (fontdrvhost.exe) | 1
1188 (e573d86.exe) -> 796 (fontdrvhost.exe) | 1
1188 (e573d86.exe) -> 380 (dwm.exe) | 1
1188 (e573d86.exe) -> 3060 (sihost.exe) | 1
1188 (e573d86.exe) -> 2432 (svchost.exe) | 1
1188 (e573d86.exe) -> 3124 (taskhostw.exe) | 1
1188 (e573d86.exe) -> 3456 (Explorer.EXE) | 1
1188 (e573d86.exe) -> 3572 (svchost.exe) | 1
1188 (e573d86.exe) -> 3756 (DllHost.exe) | 1
1188 (e573d86.exe) -> 3844 (StartMenuExperienceHost.exe) | 1
1188 (e573d86.exe) -> 3916 (RuntimeBroker.exe) | 1
1188 (e573d86.exe) -> 3992 (SearchApp.exe) | 1
1188 (e573d86.exe) -> 3468 (RuntimeBroker.exe) | 1
1188 (e573d86.exe) -> 1484 (TextInputHost.exe) | 1
1188 (e573d86.exe) -> 3772 (RuntimeBroker.exe) | 1
1188 (e573d86.exe) -> 4980 (backgroundTaskHost.exe) | 1
1188 (e573d86.exe) -> 2076 (backgroundTaskHost.exe) | 1
1188 (e573d86.exe) -> 1784 (e573ede.exe) | 2
1188 (e573d86.exe) -> 4492 (RuntimeBroker.exe) | 1
1188 (e573d86.exe) -> 4936 (RuntimeBroker.exe) | 1
1188 (e573d86.exe) -> 780 (e57606f.exe) | 2
1188 (e573d86.exe) -> 1168 (DllHost.exe) | 1
System policy modification 1 TTPs 1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573d86.exe
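Read together, the registry entries above are a checklist of what the sample switches off: the Standard-profile firewall (EnableFirewall = 0, exceptions permitted, block notifications silenced), UAC by policy (EnableLUA = 0, which only takes effect after a restart) and the Security Center alerts (the *Override and *DisableNotify values). The path of the Security Center writes is itself a clue: they land under WOW6432Node, the redirected view a 32-bit process gets on 64-bit Windows, which matches the payload running from the SysWOW64 rundll32.exe. The script below is an added example for this page, not sandbox-vendor code: it parses Triage-style `Set value` entries (SAMPLE_IOCS is constructed from lines copied out of the sections above; the flattened report text can be pasted in whole) and maps each hit to the defense it impairs. The category names and the WATCH table are this example's own choices.

```python
"""Map registry writes from a sandbox report to the defenses they impair.

Added example for this report page, not sandbox-vendor tooling. SAMPLE_IOCS
is constructed from entries in the Signatures section; the category names and
the WATCH table are this example's own choices.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Matches one 'Set value (<type>) <key>\<name> = "<data>" <process>' entry.
# finditer() is used so the report's flattened text can be pasted in whole.
SET_VALUE = re.compile(
    r'Set value \((?P<kind>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>\S+\.exe)'
)

# Constructed sample: entries copied from the report's Signatures section.
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e573d86.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e573d86.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e573d86.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e573d86.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e573ede.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e573d86.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e573ede.exe
"""

# (key fragment, value name, data that impairs the defense, category, meaning).
# Assumption: these are the values this example chooses to watch.
WATCH = [
    (r"FirewallPolicy\StandardProfile", "EnableFirewall", "0", "firewall", "Windows Firewall off for the Standard profile"),
    (r"FirewallPolicy\StandardProfile", "DoNotAllowExceptions", "0", "firewall", "firewall exceptions permitted (block-all mode off)"),
    (r"FirewallPolicy\StandardProfile", "DisableNotifications", "1", "firewall", "firewall block notifications suppressed"),
    (r"Policies\System", "EnableLUA", "0", "uac", "UAC disabled by policy (effective after a restart)"),
    (r"Security Center", "AntiVirusOverride", "1", "security_center", "antivirus status alerts overridden"),
    (r"Security Center", "FirewallOverride", "1", "security_center", "firewall status alerts overridden"),
    (r"Security Center", "AntiVirusDisableNotify", "1", "security_center", "antivirus notifications off"),
    (r"Security Center", "FirewallDisableNotify", "1", "security_center", "firewall notifications off"),
    (r"Security Center", "UpdatesDisableNotify", "1", "security_center", "update notifications off"),
    (r"Security Center", "UacDisableNotify", "1", "security_center", "UAC notifications off"),
]


@dataclass(frozen=True)
class RegistrySet:
    key: str
    name: str
    data: str
    process: str

    @property
    def wow64_redirected(self) -> bool:
        """True when the write landed in the 32-bit (WOW6432Node) view of HKLM\\SOFTWARE."""
        return "\\wow6432node\\" in self.key.lower()


def parse_set_values(text: str) -> list[RegistrySet]:
    """Extract 'Set value' entries; 'Key created' and other entry kinds are skipped."""
    sets = []
    for m in SET_VALUE.finditer(text):
        key, _, name = m.group("path").rpartition("\\")
        sets.append(RegistrySet(key, name, m.group("data"), m.group("proc")))
    return sets


def impaired_defenses(sets: list[RegistrySet]) -> dict[str, list[tuple[str, str, str]]]:
    """Group matching writes by category: {category: [(process, value name, meaning)]}."""
    findings = defaultdict(list)
    for s in sets:
        for frag, name, data, category, meaning in WATCH:
            if s.name.lower() == name.lower() and frag.lower() in s.key.lower() and s.data == data:
                findings[category].append((s.process, s.name, meaning))
    return dict(findings)


def summarize(text: str) -> dict:
    """Triage summary for a pasted block of sandbox registry entries."""
    sets = parse_set_values(text)
    findings = impaired_defenses(sets)
    return {
        "writes": len(sets),
        "processes": sorted({s.process for s in sets}),
        "categories": {c: len(v) for c, v in findings.items()},
        "findings": findings,
        "wow64_redirected": [f"{s.process}:{s.name}" for s in sets if s.wow64_redirected],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_IOCS), indent=2))
```

When turning this into a host check, query both registry views: a 32-bit writer on 64-bit Windows is redirected into WOW6432Node, and the native 64-bit HKLM\SOFTWARE\Microsoft\Security Center is a separate key, so a value found only under WOW6432Node still proves the write happened but says nothing about the 64-bit Security Center's own state.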
Processes
image | command line | PID (children indented under their parent)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 788
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 796
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 380
C:\Windows\system32\sihost.exe | sihost.exe | PID 3060
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2432
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 3124
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3456
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f96be3828155be292ddc51debb544d5b0bfa4e79083a419a14b3f4cf6b5dd1f_NeikiAnalytics.dll,#1 | PID 4336
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f96be3828155be292ddc51debb544d5b0bfa4e79083a419a14b3f4cf6b5dd1f_NeikiAnalytics.dll,#1 | PID 3420
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e573d86.exe | C:\Users\Admin\AppData\Local\Temp\e573d86.exe | PID 1188
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e573ede.exe | C:\Users\Admin\AppData\Local\Temp\e573ede.exe | PID 1784
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
      C:\Users\Admin\AppData\Local\Temp\e57606f.exe | C:\Users\Admin\AppData\Local\Temp\e57606f.exe | PID 780
        - Executes dropped EXE
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3572
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3756
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3844
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3916
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3992
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3468
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 1484
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3772
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID 4980
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID 2076
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4492
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4936
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | PID 1168
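The tree and the WriteProcessMemory entries explain each other. The system32 rundll32.exe (PID 4336) hands the DLL to a SysWOW64 rundll32.exe (PID 3420) because 64-bit rundll32 relaunches its 32-bit counterpart for a 32-bit DLL; the repeated rundll32.exe -> rundll32.exe and rundll32.exe -> e573d86.exe writes are a parent populating a child it has just created, which the sandbox logs the same way as an injection. What stands out is e573d86.exe (PID 1188) writing into processes it never spawned: fontdrvhost.exe, dwm.exe, Explorer.EXE, svchost.exe, RuntimeBroker.exe and its own sibling droppers. Telling the two cases apart needs the parent/child relationships, which only the tree supplies. The script below is an added example for this page, not sandbox-vendor code: it parses `PID <src> wrote to memory of <dst>` entries (SAMPLE_WRITES is a constructed subset of the report's lines), discards a writer's writes into its own children using a parent map read off the tree, and reports writers that reach several unrelated processes. The threshold of three targets and the HOST_PROCESSES list are this example's own assumptions.

```python
"""Find writers that inject into processes they did not create, from a
sandbox's WriteProcessMemory entries.

Added example for this report page, not sandbox-vendor tooling. SAMPLE_WRITES
is a constructed subset of the 'Suspicious use of WriteProcessMemory' entries
and PARENT_OF is read off the process tree; the threshold and HOST_PROCESSES
are this example's own assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# 'PID <src> wrote to memory of <dst> <src> <src image> <dst image>' entries;
# finditer() tolerates the report's flattened one-line layout.
WRITE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)

# Constructed subset of the report's entries (duplicates kept on purpose).
SAMPLE_WRITES = """
PID 4336 wrote to memory of 3420 4336 rundll32.exe rundll32.exe
PID 4336 wrote to memory of 3420 4336 rundll32.exe rundll32.exe
PID 3420 wrote to memory of 1188 3420 rundll32.exe e573d86.exe
PID 3420 wrote to memory of 1784 3420 rundll32.exe e573ede.exe
PID 3420 wrote to memory of 780 3420 rundll32.exe e57606f.exe
PID 1188 wrote to memory of 788 1188 e573d86.exe fontdrvhost.exe
PID 1188 wrote to memory of 380 1188 e573d86.exe dwm.exe
PID 1188 wrote to memory of 3060 1188 e573d86.exe sihost.exe
PID 1188 wrote to memory of 2432 1188 e573d86.exe svchost.exe
PID 1188 wrote to memory of 3456 1188 e573d86.exe Explorer.EXE
PID 1188 wrote to memory of 3916 1188 e573d86.exe RuntimeBroker.exe
PID 1188 wrote to memory of 788 1188 e573d86.exe fontdrvhost.exe
PID 1188 wrote to memory of 1784 1188 e573d86.exe e573ede.exe
PID 1188 wrote to memory of 3420 1188 e573d86.exe rundll32.exe
"""

# child PID -> parent PID, taken from the report's process tree.
PARENT_OF = {3420: 4336, 1188: 3420, 1784: 3420, 780: 3420}

# Assumption: long-lived session processes an injector is likely to target.
HOST_PROCESSES = {"explorer.exe", "dwm.exe", "svchost.exe", "sihost.exe", "taskhostw.exe",
                  "fontdrvhost.exe", "runtimebroker.exe", "dllhost.exe"}


@dataclass(frozen=True)
class Write:
    src: int
    dst: int
    src_name: str
    dst_name: str


def parse_writes(text: str) -> list[Write]:
    """Every entry in the text, in order, duplicates included."""
    return [Write(int(m["src"]), int(m["dst"]), m["src_name"], m["dst_name"])
            for m in WRITE.finditer(text)]


def cross_process_writes(writes: list[Write], parent_of: dict[int, int]) -> list[Write]:
    """Drop a parent's writes into children it created (the sandbox logs those
    the same way) and collapse repeated (src, dst) pairs into one."""
    seen, out = set(), []
    for w in writes:
        if parent_of.get(w.dst) == w.src or (w.src, w.dst) in seen:
            continue
        seen.add((w.src, w.dst))
        out.append(w)
    return out


def fan_out(cross: list[Write]) -> dict[tuple[int, str], set[tuple[int, str]]]:
    """Distinct targets per writer: {(src pid, src image): {(dst pid, dst image), ...}}."""
    targets = defaultdict(set)
    for w in cross:
        targets[(w.src, w.src_name)].add((w.dst, w.dst_name))
    return targets


def suspicious_injectors(writes, parent_of, min_targets: int = 3):
    """Writers that reached at least min_targets processes they did not create."""
    cross = cross_process_writes(writes, parent_of)
    return {src: sorted(t) for src, t in fan_out(cross).items() if len(t) >= min_targets}


def host_processes_hit(writes, parent_of):
    """Which of the watched host processes received cross-process writes."""
    return sorted({w.dst_name.lower() for w in cross_process_writes(writes, parent_of)
                   if w.dst_name.lower() in HOST_PROCESSES})


if __name__ == "__main__":
    writes = parse_writes(SAMPLE_WRITES)
    for (pid, name), targets in suspicious_injectors(writes, PARENT_OF).items():
        print(f"{name} (PID {pid}) wrote into {len(targets)} processes it did not create:")
        for dst_pid, dst_name in targets:
            print(f"  -> {dst_name} (PID {dst_pid})")
    print("host processes touched:", host_processes_hit(writes, PARENT_OF))
```

The parent map is what makes the rule usable: without it, the rundll32.exe chain would score as an injector too. On a real host the same map comes from the process-creation telemetry (Sysmon event 1 or the equivalent), and the write events from an EDR's cross-process access records rather than from a sandbox report.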
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 97KB
MD5: b885ad04108c446862172083d185de65
SHA1: 220281a524e0eb35af9ac178b9bd9b8e4c7e4dac
SHA256: a4722b00a7b21fe0ce6c93f597d05afec371cba345774c2c68ca66a106ec0956
SHA512: b4a1266e1a6945fd143ded6845cea9983de9e251b45b1e4cbe69a7dcb9a884d089ef42d248616692d74bbac67d5538b31597ac8c931421375adb9c8b07403db5