Analysis
max time kernel: 52s
max time network: 62s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 21:07
Static task: static1
Behavioral task: behavioral1
Sample: 0f55412629140071965318d315d616ede2ae8b9ba133d500614842d5f1f897fd_NeikiAnalytics.dll
Resource: win7-20240611-en
General
Target: 0f55412629140071965318d315d616ede2ae8b9ba133d500614842d5f1f897fd_NeikiAnalytics.dll
Size: 120KB
MD5: fe987c0d277d3efb98eb47859c307150
SHA1: 54431ff662e880c4f55d54d07b162bdd4e823889
SHA256: 0f55412629140071965318d315d616ede2ae8b9ba133d500614842d5f1f897fd
SHA512: 649045a11f263975a07be62daf0c20c94bfcc24b9e764bd512939dad26e385932342a34492120b4a26defeb9c41b6ea0c43628c11898172fdae7bbfc4a6261f7
SSDEEP: 3072:Jki6mC357kq7y/ca8+JCEmW4Y/Ot1KjHAA9NpaFqZgIlnQn:hns57y/cT+gl/OHAAbwqN
Malware Config
Extracted
Family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
Processes: e573577.exe, e575a36.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e573577.exe

UAC bypass
Processes: e575a36.exe, e573577.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573577.exe

Windows security bypass
Processes: e573577.exe, e575a36.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573577.exe
Executes dropped EXE (3 IoCs)
Processes: e573577.exe, e573662.exe, e575a36.exe
  pid | process
  3964 | e573577.exe
  1804 | e573662.exe
  1220 | e575a36.exe
UPX packed file (YARA rule upx matched in memory dumps)
  resource | yara_rule
  behavioral2/memory/3964-*-0x00000000007E0000-0x000000000189A000-memory.dmp (e573577.exe, PID 3964; 26 dump snapshots) | upx
  behavioral2/memory/1220-*-0x0000000000B30000-0x0000000001BEA000-memory.dmp (e575a36.exe, PID 1220; 2 dump snapshots) | upx
Windows security modification
Processes: e575a36.exe, e573577.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573577.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575a36.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575a36.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575a36.exe
Checks whether UAC is enabled
Processes: e573577.exe, e575a36.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575a36.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e573577.exe, e575a36.exe
  description | ioc | process
  File opened (read-only) | \??\I: | e573577.exe
  File opened (read-only) | \??\E: | e575a36.exe
  File opened (read-only) | \??\H: | e575a36.exe
  File opened (read-only) | \??\I: | e575a36.exe
  File opened (read-only) | \??\J: | e573577.exe
  File opened (read-only) | \??\N: | e573577.exe
  File opened (read-only) | \??\H: | e573577.exe
  File opened (read-only) | \??\K: | e573577.exe
  File opened (read-only) | \??\L: | e573577.exe
  File opened (read-only) | \??\M: | e573577.exe
  File opened (read-only) | \??\G: | e575a36.exe
  File opened (read-only) | \??\E: | e573577.exe
  File opened (read-only) | \??\G: | e573577.exe
Drops file in Windows directory (3 IoCs)
Processes: e573577.exe, e575a36.exe
  description | ioc | process
  File created | C:\Windows\e5735b6 | e573577.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e573577.exe
  File created | C:\Windows\e5785ca | e575a36.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e573577.exe, e575a36.exe
  pid | process | entries
  3964 | e573577.exe | 4
  1220 | e575a36.exe | 2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e573577.exe
  description | pid | process
  Token: SeDebugPrivilege | 3964 | e573577.exe (identical entry repeated 64 times)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e573577.exe, e575a36.exe
  source pid / process | target pid / process | entries
  1508 rundll32.exe | 4636 rundll32.exe | 3
  4636 rundll32.exe | 3964 e573577.exe | 3
  4636 rundll32.exe | 1804 e573662.exe | 3
  4636 rundll32.exe | 1220 e575a36.exe | 3
  3964 e573577.exe | 1508 rundll32.exe | 1
  3964 e573577.exe | 4636 rundll32.exe | 2
  3964 e573577.exe | 1804 e573662.exe | 2
  3964 e573577.exe | 1220 e575a36.exe | 2
  3964 e573577.exe | 788 fontdrvhost.exe, 796 fontdrvhost.exe, 376 dwm.exe, 2672 svchost.exe, 2688 sihost.exe, 2996 taskhostw.exe, 3516 Explorer.EXE, 3632 svchost.exe, 3816 DllHost.exe, 3908 StartMenuExperienceHost.exe, 3972 RuntimeBroker.exe, 4056 SearchApp.exe, 688 RuntimeBroker.exe, 4744 RuntimeBroker.exe, 1624 TextInputHost.exe | 2 each (30 entries)
  1220 e575a36.exe | the same 15 system processes listed in the row above | 1 each (15 entries)
System policy modification (1 TTPs, 2 IoCs)
Processes: e573577.exe, e575a36.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573577.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575a36.exe
Processes
(path | command line | PID; indentation shows the parent/child depth)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 788
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 796
C:\Windows\system32\dwm.exe | "dwm.exe" | PID 376
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2672
C:\Windows\system32\sihost.exe | sihost.exe | PID 2688
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2996
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3516
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f55412629140071965318d315d616ede2ae8b9ba133d500614842d5f1f897fd_NeikiAnalytics.dll,#1 | PID 1508
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f55412629140071965318d315d616ede2ae8b9ba133d500614842d5f1f897fd_NeikiAnalytics.dll,#1 | PID 4636
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e573577.exe | C:\Users\Admin\AppData\Local\Temp\e573577.exe | PID 3964
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e573662.exe | C:\Users\Admin\AppData\Local\Temp\e573662.exe | PID 1804
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\e575a36.exe | C:\Users\Admin\AppData\Local\Temp\e575a36.exe | PID 1220
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3632
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3816
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3908
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3972
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 4056
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 688
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 4744
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID 1624
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 97KB
MD5: b1856e7f233f93584e23777985a193ca
SHA1: 84d58c7b0d0fb062664c8fd17858675154d3779e
SHA256: e0f2830acc7018c2f31b404413132b726d6c0cdd07b2e5b6bf7624b391ab3cf5
SHA512: ad648e379ced99bc7daaea59defdbae791092a5a114546d0cb4c2924c1687be45abc72d0a94f8c1abd0d7708ac4e1b9766d0f2b160bb3aa08d83234f53540889

Filesize: 257B
MD5: cde622691dec08180cf7e18fa30cbeac
SHA1: 876d837cc538265ad0bbc797bd508ef6222a2d4a
SHA256: e3a264f08221ef86f291a192b813a9c2f32412edbb824a255cb42c8c514a8f03
SHA512: 76bbe8ef9cbdfc51b8304bbdce196d60fc8f96f7f03bd8abf5e3ba1a0377a028b4cf1b56c1954532815b7bb29912c720f9ad287270cc973a78abf1def447f068