Analysis
max time kernel: 149s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 23:59
Static task: static1
Behavioral task: behavioral1
Sample: 279cfe773d233038b66a08f792c37cb0f611b290476fb2d6a75de8a2143084d7_NeikiAnalytics.dll
Resource: win7-20231129-en
General
Target: 279cfe773d233038b66a08f792c37cb0f611b290476fb2d6a75de8a2143084d7_NeikiAnalytics.dll
Size: 120KB
MD5: 3e30b633aafb7989860ed29c7acfc8d0
SHA1: 9fa535db4aa870aa5c7052d3b1cb0e6846a67e55
SHA256: 279cfe773d233038b66a08f792c37cb0f611b290476fb2d6a75de8a2143084d7
SHA512: 1e766dac40b833934258f9f43b8c241d2688f8f23afbe9b156fc0117c7cd2b100b9b15fea07c1a5c0be4d7f79a6941c4668f085b8b2b67a22ec4dbc8fbc6dad0
SSDEEP: 3072:rRxtcipG4DFjVu+uJNIys9FZBH8t9UKx5x:/trppjY+AN16XBHa9Ugx
Malware Config
Extracted: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
Processes: e578abb.exe, e575d91.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e575d91.exe
UAC bypass
Processes: e575d91.exe, e578abb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578abb.exe
Windows security bypass
Processes: e575d91.exe, e578abb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575d91.exe
Executes dropped EXE 3 IoCs
Processes: e575d91.exe, e576040.exe, e578abb.exe
pid | process
752 | e575d91.exe
2288 | e576040.exe
1092 | e578abb.exe
Windows security modification
Processes: e578abb.exe, e575d91.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575d91.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e578abb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e578abb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e578abb.exe
Checks whether UAC is enabled
Processes: e575d91.exe, e578abb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578abb.exe
Enumerates connected drives 3 TTPs 9 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e575d91.exe, e578abb.exe
description | ioc | process
File opened (read-only) | \??\E: | e575d91.exe
File opened (read-only) | \??\G: | e575d91.exe
File opened (read-only) | \??\I: | e575d91.exe
File opened (read-only) | \??\J: | e575d91.exe
File opened (read-only) | \??\K: | e575d91.exe
File opened (read-only) | \??\H: | e575d91.exe
File opened (read-only) | \??\E: | e578abb.exe
File opened (read-only) | \??\G: | e578abb.exe
File opened (read-only) | \??\H: | e578abb.exe
Drops file in Windows directory 3 IoCs
Processes: e575d91.exe, e578abb.exe
description | ioc | process
File created | C:\Windows\e575dfe | e575d91.exe
File opened for modification | C:\Windows\SYSTEM.INI | e575d91.exe
File created | C:\Windows\e57b2f4 | e578abb.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: e575d91.exe, e578abb.exe
pid | process
752 | e575d91.exe
752 | e575d91.exe
752 | e575d91.exe
752 | e575d91.exe
1092 | e578abb.exe
1092 | e578abb.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e575d91.exe
description | pid | process
Token: SeDebugPrivilege | 752 | e575d91.exe
(this same row is repeated 64 times in the report)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: rundll32.exe, rundll32.exe, e575d91.exe, e578abb.exe
description | pid | process | target process
PID 1404 wrote to memory of 2524 | 1404 | rundll32.exe | rundll32.exe
PID 1404 wrote to memory of 2524 | 1404 | rundll32.exe | rundll32.exe
PID 1404 wrote to memory of 2524 | 1404 | rundll32.exe | rundll32.exe
PID 2524 wrote to memory of 752 | 2524 | rundll32.exe | e575d91.exe
PID 2524 wrote to memory of 752 | 2524 | rundll32.exe | e575d91.exe
PID 2524 wrote to memory of 752 | 2524 | rundll32.exe | e575d91.exe
PID 752 wrote to memory of 808 | 752 | e575d91.exe | fontdrvhost.exe
PID 752 wrote to memory of 812 | 752 | e575d91.exe | fontdrvhost.exe
PID 752 wrote to memory of 380 | 752 | e575d91.exe | dwm.exe
PID 752 wrote to memory of 2652 | 752 | e575d91.exe | sihost.exe
PID 752 wrote to memory of 2664 | 752 | e575d91.exe | svchost.exe
PID 752 wrote to memory of 2868 | 752 | e575d91.exe | taskhostw.exe
PID 752 wrote to memory of 3368 | 752 | e575d91.exe | Explorer.EXE
PID 752 wrote to memory of 3516 | 752 | e575d91.exe | svchost.exe
PID 752 wrote to memory of 3708 | 752 | e575d91.exe | DllHost.exe
PID 752 wrote to memory of 3796 | 752 | e575d91.exe | StartMenuExperienceHost.exe
PID 752 wrote to memory of 3868 | 752 | e575d91.exe | RuntimeBroker.exe
PID 752 wrote to memory of 3992 | 752 | e575d91.exe | SearchApp.exe
PID 752 wrote to memory of 3404 | 752 | e575d91.exe | RuntimeBroker.exe
PID 752 wrote to memory of 2492 | 752 | e575d91.exe | RuntimeBroker.exe
PID 752 wrote to memory of 2552 | 752 | e575d91.exe | TextInputHost.exe
PID 752 wrote to memory of 4912 | 752 | e575d91.exe | backgroundTaskHost.exe
PID 752 wrote to memory of 1088 | 752 | e575d91.exe | backgroundTaskHost.exe
PID 752 wrote to memory of 1404 | 752 | e575d91.exe | rundll32.exe
PID 752 wrote to memory of 2524 | 752 | e575d91.exe | rundll32.exe
PID 752 wrote to memory of 2524 | 752 | e575d91.exe | rundll32.exe
PID 2524 wrote to memory of 2288 | 2524 | rundll32.exe | e576040.exe
PID 2524 wrote to memory of 2288 | 2524 | rundll32.exe | e576040.exe
PID 2524 wrote to memory of 2288 | 2524 | rundll32.exe | e576040.exe
PID 752 wrote to memory of 808 | 752 | e575d91.exe | fontdrvhost.exe
PID 752 wrote to memory of 812 | 752 | e575d91.exe | fontdrvhost.exe
PID 752 wrote to memory of 380 | 752 | e575d91.exe | dwm.exe
PID 752 wrote to memory of 2652 | 752 | e575d91.exe | sihost.exe
PID 752 wrote to memory of 2664 | 752 | e575d91.exe | svchost.exe
PID 752 wrote to memory of 2868 | 752 | e575d91.exe | taskhostw.exe
PID 752 wrote to memory of 3368 | 752 | e575d91.exe | Explorer.EXE
PID 752 wrote to memory of 3516 | 752 | e575d91.exe | svchost.exe
PID 752 wrote to memory of 3708 | 752 | e575d91.exe | DllHost.exe
PID 752 wrote to memory of 3796 | 752 | e575d91.exe | StartMenuExperienceHost.exe
PID 752 wrote to memory of 3868 | 752 | e575d91.exe | RuntimeBroker.exe
PID 752 wrote to memory of 3992 | 752 | e575d91.exe | SearchApp.exe
PID 752 wrote to memory of 3404 | 752 | e575d91.exe | RuntimeBroker.exe
PID 752 wrote to memory of 2492 | 752 | e575d91.exe | RuntimeBroker.exe
PID 752 wrote to memory of 2552 | 752 | e575d91.exe | TextInputHost.exe
PID 752 wrote to memory of 4912 | 752 | e575d91.exe | backgroundTaskHost.exe
PID 752 wrote to memory of 1088 | 752 | e575d91.exe | backgroundTaskHost.exe
PID 752 wrote to memory of 1404 | 752 | e575d91.exe | rundll32.exe
PID 752 wrote to memory of 2288 | 752 | e575d91.exe | e576040.exe
PID 752 wrote to memory of 2288 | 752 | e575d91.exe | e576040.exe
PID 752 wrote to memory of 828 | 752 | e575d91.exe | BackgroundTaskHost.exe
PID 752 wrote to memory of 680 | 752 | e575d91.exe | RuntimeBroker.exe
PID 752 wrote to memory of 3684 | 752 | e575d91.exe | RuntimeBroker.exe
PID 2524 wrote to memory of 1092 | 2524 | rundll32.exe | e578abb.exe
PID 2524 wrote to memory of 1092 | 2524 | rundll32.exe | e578abb.exe
PID 2524 wrote to memory of 1092 | 2524 | rundll32.exe | e578abb.exe
PID 1092 wrote to memory of 808 | 1092 | e578abb.exe | fontdrvhost.exe
PID 1092 wrote to memory of 812 | 1092 | e578abb.exe | fontdrvhost.exe
PID 1092 wrote to memory of 380 | 1092 | e578abb.exe | dwm.exe
PID 1092 wrote to memory of 2652 | 1092 | e578abb.exe | sihost.exe
PID 1092 wrote to memory of 2664 | 1092 | e578abb.exe | svchost.exe
PID 1092 wrote to memory of 2868 | 1092 | e578abb.exe | taskhostw.exe
PID 1092 wrote to memory of 3368 | 1092 | e578abb.exe | Explorer.EXE
PID 1092 wrote to memory of 3516 | 1092 | e578abb.exe | svchost.exe
PID 1092 wrote to memory of 3708 | 1092 | e578abb.exe | DllHost.exe
System policy modification 1 TTPs 2 IoCs
Processes: e575d91.exe, e578abb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575d91.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e578abb.exe
Processes
C:\Windows\system32\fontdrvhost.exe (PID 808)
  command line: "fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe (PID 812)
  command line: "fontdrvhost.exe"
C:\Windows\system32\dwm.exe (PID 380)
  command line: "dwm.exe"
C:\Windows\system32\sihost.exe (PID 2652)
  command line: sihost.exe
C:\Windows\system32\svchost.exe (PID 2664)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe (PID 2868)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE (PID 3368)
  command line: C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe (PID 1404)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\279cfe773d233038b66a08f792c37cb0f611b290476fb2d6a75de8a2143084d7_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 2524)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\279cfe773d233038b66a08f792c37cb0f611b290476fb2d6a75de8a2143084d7_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e575d91.exe (PID 752)
        command line: C:\Users\Admin\AppData\Local\Temp\e575d91.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e576040.exe (PID 2288)
        command line: C:\Users\Admin\AppData\Local\Temp\e576040.exe
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\e578abb.exe (PID 1092)
        command line: C:\Users\Admin\AppData\Local\Temp\e578abb.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe (PID 3516)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe (PID 3708)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3796)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe (PID 3868)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3992)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe (PID 3404)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (PID 2492)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 2552)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\system32\backgroundTaskHost.exe (PID 4912)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\system32\backgroundTaskHost.exe (PID 1088)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTaskHost.exe (PID 828)
  command line: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
C:\Windows\System32\RuntimeBroker.exe (PID 680)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (PID 3684)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 97KB
MD5: 045d9561863736b5298f19e28cd596fd
SHA1: 16ec39227db371ff5170b7b1e8ba3c9a829db030
SHA256: 25bb7b93da7aa1271bef2d4a2867564946d91f4bf7aa50ae1f9a69759cceed71
SHA512: 3fc17299e742271ad0beddcfbaf0474b4f301e47e8b62d0b0379aea361074a929c72473fbd58b52e8598a2e1f079a83844ad7fd21e59def69b6641f80bb52d07

Filesize: 256B
MD5: fa508f7bfd75daed0b0395964f9638bb
SHA1: a0d97bcb374ad1d975cdc7eb229887b073712aea
SHA256: f66326db71ea138cde59c1116c05411ee949977613710a1e04fbdd1238fb6e44
SHA512: 347d4de86f53fc6533ff4ce5e30758d280777b54079c50fef70d14e7c99ed73c1e2f15fe03f96b72df1a38a324b9059cca3130e39f29a181f6fd170b2e283a06