topic Re: Evasion Technique - 1244315488 in Cortex XDR Discussions

Evasion Technique - 1244315488

Alexandre_Jodoin — Thu, 30 Oct 2025 14:00:48 GMT

Hi,

We are getting a few alerts for "Evasion Technique - 1244315488" - "Evasion technique using reflective loading."

While investigating I can see that a base64 encoded PE file is written in the registry by taskhosw.exe under "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UCPD\DR\000"

-The registry key is not super well documented (UserChoices Protect Driver)

-The PE, when reconstructed from the base64, is signed by an old Microsoft certificate from 2011.

-Looking on VT for this PE, there is only 1 detection, which does not say much because apparently the file was 1st seen by VT on Oct 27 2025...

I also see in VT that this file have various names which makes me think others found about this activity and submitted the PE to VT for analysis:cyberchef.bin, application.bin, decoded_payload.exe, decoded.exe, output.exe, download.dat, download.exe.malz, download_new.exe, reg-pe.exe.malz

Anyone else observed simillar activity?!

Re: Evasion Technique - 1244315488

micomi — Thu, 30 Oct 2025 15:15:16 GMT

Hi @Alexandre_Jodoin

Yes we had multiple alerts with the same alert name in the last 2-3 days. I asked TAC and for our case they confirmed a false positive. According to TAC it's a known issue which will be solved within Content Update 2010.

Hope this helps

Re: Evasion Technique - 1244315488

Alexandre_Jodoin — Thu, 30 Oct 2025 15:17:45 GMT

Yup, this help.

Thanks!

Re: Evasion Technique - 1244315488

sheriffali — Sat, 01 Nov 2025 03:56:39 GMT

Hi all.

highky advising to continue your investigation on the matter , TAC don't deal with investigating and no lighten process wod write an exactable file on the registry , PANW has other service what you can use to verify such thing like u42 or managed hunting , not TAC.

Re: Evasion Technique - 1244315488

P.Osatanon — Thu, 06 Nov 2025 08:32:31 GMT

Hello all,

I contacted Palo Alto support about this security alert, and they confirmed it was a false alarm - not a real threat.

Why this happened:
The false alert occurred because I was using an outdated security database (content version 1640-10742) with agent version 8.4.

Good news:
This issue has been fixed in the latest security update (content version 2010-25072). Once you update to this newer version, these false alerts will stop appearing.

Hope this helps.