Analysis
- max time kernel: 139s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 03:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: 575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634_NeikiAnalytics.dll
- Resource: win7-20231129-en
General
- Target: 575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634_NeikiAnalytics.dll
- Size: 120KB
- MD5: 5ed92b7849978ff3dd44fd63aba545a0
- SHA1: ece1536f437bd76a11a23d4a1aba6c4c9416d6c2
- SHA256: 575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634
- SHA512: 58ea3b1ca95f43c357f577a9f0b12422ea5ea850053ea3a83b084a2d68b06cdca0cd8d145566421dfa293ed9cd4c193f98c2fa169fc3a4ff41110f41ac379976
- SSDEEP: 1536:ztMHvrWZaCM4tQbB7V5uZnsgQt/rxkfbSeZ4+SNb4GB/:z6CRFQ17V5AArxubSeZaNf
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e573e51.exe

UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575b8d.exe

Windows security bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575b8d.exe
Executes dropped EXE (3 IoCs)
pid | Process
- 4892 | e573e51.exe
- 864 | e573f2c.exe
- 2960 | e575b8d.exe
Windows security modification
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575b8d.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575b8d.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575b8d.exe

Checks whether UAC is enabled
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575b8d.exe
Enumerates connected drives (3 TTPs, 11 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\I: | e573e51.exe
- File opened (read-only) | \??\N: | e573e51.exe
- File opened (read-only) | \??\O: | e573e51.exe
- File opened (read-only) | \??\P: | e573e51.exe
- File opened (read-only) | \??\H: | e573e51.exe
- File opened (read-only) | \??\G: | e573e51.exe
- File opened (read-only) | \??\J: | e573e51.exe
- File opened (read-only) | \??\K: | e573e51.exe
- File opened (read-only) | \??\L: | e573e51.exe
- File opened (read-only) | \??\M: | e573e51.exe
- File opened (read-only) | \??\E: | e573e51.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
- File opened for modification | C:\Program Files\7-Zip\7z.exe | e573e51.exe
- File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e573e51.exe
- File opened for modification | C:\Program Files\7-Zip\7zG.exe | e573e51.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\SYSTEM.INI | e573e51.exe
- File created | C:\Windows\e57ab24 | e575b8d.exe
- File created | C:\Windows\e573e9f | e573e51.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs, duplicate rows collapsed)
pid | Process
- 4892 | e573e51.exe
- 2960 | e575b8d.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs, all identical; shown once)
description | pid | Process
- Token: SeDebugPrivilege | 4892 | e573e51.exe
Suspicious use of WriteProcessMemory (64 IoCs, duplicate rows collapsed)
description | pid | Process | procid_target
- PID 4936 wrote to memory of 3588 | 4936 | rundll32.exe | 83
- PID 3588 wrote to memory of 4892 | 3588 | rundll32.exe | 84
- PID 4892 wrote to memory of 784 | 4892 | e573e51.exe | 8
- PID 4892 wrote to memory of 792 | 4892 | e573e51.exe | 9
- PID 4892 wrote to memory of 332 | 4892 | e573e51.exe | 13
- PID 4892 wrote to memory of 3116 | 4892 | e573e51.exe | 51
- PID 4892 wrote to memory of 3128 | 4892 | e573e51.exe | 52
- PID 4892 wrote to memory of 3188 | 4892 | e573e51.exe | 53
- PID 4892 wrote to memory of 3472 | 4892 | e573e51.exe | 56
- PID 4892 wrote to memory of 3592 | 4892 | e573e51.exe | 57
- PID 4892 wrote to memory of 3780 | 4892 | e573e51.exe | 58
- PID 4892 wrote to memory of 3892 | 4892 | e573e51.exe | 59
- PID 4892 wrote to memory of 3952 | 4892 | e573e51.exe | 60
- PID 4892 wrote to memory of 4044 | 4892 | e573e51.exe | 61
- PID 4892 wrote to memory of 4164 | 4892 | e573e51.exe | 62
- PID 4892 wrote to memory of 2036 | 4892 | e573e51.exe | 74
- PID 4892 wrote to memory of 4592 | 4892 | e573e51.exe | 75
- PID 4892 wrote to memory of 1196 | 4892 | e573e51.exe | 80
- PID 4892 wrote to memory of 4832 | 4892 | e573e51.exe | 81
- PID 4892 wrote to memory of 4936 | 4892 | e573e51.exe | 82
- PID 4892 wrote to memory of 3588 | 4892 | e573e51.exe | 83
- PID 3588 wrote to memory of 864 | 3588 | rundll32.exe | 85
- PID 3588 wrote to memory of 2960 | 3588 | rundll32.exe | 89
- PID 4892 wrote to memory of 864 | 4892 | e573e51.exe | 85
- PID 4892 wrote to memory of 5052 | 4892 | e573e51.exe | 87
- PID 4892 wrote to memory of 1516 | 4892 | e573e51.exe | 88
- PID 4892 wrote to memory of 2960 | 4892 | e573e51.exe | 89
- PID 4892 wrote to memory of 4520 | 4892 | e573e51.exe | 90
- PID 2960 wrote to memory of 784 | 2960 | e575b8d.exe | 8
- PID 2960 wrote to memory of 792 | 2960 | e575b8d.exe | 9
- PID 2960 wrote to memory of 332 | 2960 | e575b8d.exe | 13
- PID 2960 wrote to memory of 3116 | 2960 | e575b8d.exe | 51
- PID 2960 wrote to memory of 3128 | 2960 | e575b8d.exe | 52
- PID 2960 wrote to memory of 3188 | 2960 | e575b8d.exe | 53
- PID 2960 wrote to memory of 3472 | 2960 | e575b8d.exe | 56
- PID 2960 wrote to memory of 3592 | 2960 | e575b8d.exe | 57
- PID 2960 wrote to memory of 3780 | 2960 | e575b8d.exe | 58
System policy modification (1 TTPs, 2 IoCs)
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e573e51.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575b8d.exe
Processes
- PID 784: C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- PID 792: C:\Windows\system32\fontdrvhost.exe
  Command line: "fontdrvhost.exe"
- PID 332: C:\Windows\system32\dwm.exe
  Command line: "dwm.exe"
- PID 3116: C:\Windows\system32\sihost.exe
  Command line: sihost.exe
- PID 3128: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 3188: C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 3472: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - PID 4936: C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
    - PID 3588: C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\575bdace06ed5398d9c53438dbfc920299feb530e8ec4ff051620189f8193634_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
      - PID 4892: C:\Users\Admin\AppData\Local\Temp\e573e51.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e573e51.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - PID 864: C:\Users\Admin\AppData\Local\Temp\e573f2c.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e573f2c.exe
        - Executes dropped EXE
      - PID 2960: C:\Users\Admin\AppData\Local\Temp\e575b8d.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\e575b8d.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
- PID 3592: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3780: C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3892: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3952: C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4044: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 4164: C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 2036: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 4592: C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 1196: C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- PID 4832: C:\Windows\system32\backgroundTaskHost.exe
  Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- PID 5052: C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 1516: C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4520: C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 97KB
  MD5: 745998fddf5ffcd591d8945f33f48c5a
  SHA1: db2cb77689dc8f3493b0030e327b44faa21c7482
  SHA256: 2e750a898eef427bc04a4aac23e882aa702fe32d4ba9482b6d0d5e36eafe2766
  SHA512: 02d1208bd1f832553f2a390e1b2afe4c365fb04339e08a0a34d5ac86e893eac1e917c9d8cdb6f6c34b34da0a3814861c91d42049056b60b95d467405aa85fafa
- Filesize: 257B
  MD5: ff90a542ea8679b31cf2885dde3c62a3
  SHA1: 55526cc8c80ee27ae32655548b110173658ff9bd
  SHA256: 85c3e0d6638d9e62ddcfbc101414a3c3842915b77aac4cf3e5541cb0d8d582f8
  SHA512: e94b3896f83dd9b8ca99642514f24ebdd09750ee66ef15d3ae9001516f5ef462f36ac3f7ca4ce856245f88562551749c38ca42db5f772c3d0057ee6c9e160c8a