Analysis
  max time kernel: 140s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17-05-2024 08:53

Static task: static1
Behavioral task: behavioral1
  Sample: e2e11467890191bfc68f277311b05c20_NeikiAnalytics.dll
  Resource: win7-20240221-en
General
  Target: e2e11467890191bfc68f277311b05c20_NeikiAnalytics.dll
  Size: 120KB
  MD5: e2e11467890191bfc68f277311b05c20
  SHA1: 62c82caca124b7d81e59fc1c198e2444f26ec1e4
  SHA256: 923da3d503c245d8a7d8632b1c092e060795e34c48e6571a29f84fd3cf5ef728
  SHA512: 51e8b3d3e7f50b1c7be24cbd1a225fa3ee5cda28464973f695c6b8fecdbe32c6b36365f9b72c5bbc134cf684c88fa3421ef2a6dd0891b45d5319d216447daddd
  SSDEEP: 1536:ZxviAkkbVcbTfNXPWgb/euYj+TxW3TWNG8iUMlAaksEpX95oCNgl9Daj+bYVV9k:7lnwRPjo+T03TMGgVD/2Cw9Ds
Malware Config
  Extracted
  Family: sality
  C2 URLs:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: e580af8.exe, e581cba.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e580af8.exe

UAC bypass
Processes: e580af8.exe, e581cba.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e581cba.exe

Windows security bypass
Processes: e580af8.exe, e581cba.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e581cba.exe

Executes dropped EXE (3 IoCs)
Processes: e580af8.exe, e581ac6.exe, e581cba.exe
  pid | process
  2180 | e580af8.exe
  3356 | e581ac6.exe
  2260 | e581cba.exe

YARA rule matches
  resource | yara_rule
  behavioral2/memory/2180-7-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-10-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-9-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-15-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-16-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-18-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-13-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-12-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-14-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-11-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-37-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-35-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-45-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-46-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-47-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-49-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-50-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-51-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-53-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-55-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-62-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-67-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-68-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-71-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-73-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-75-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2180-77-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
  behavioral2/memory/2260-117-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
  behavioral2/memory/2260-131-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx

Windows security modification
Processes: e580af8.exe, e581cba.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e581cba.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e580af8.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e581cba.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e581cba.exe

Checks whether UAC is enabled
Processes: e580af8.exe, e581cba.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e581cba.exe

Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e580af8.exe
  description | ioc | process
  File opened (read-only) | \??\L: | e580af8.exe
  File opened (read-only) | \??\N: | e580af8.exe
  File opened (read-only) | \??\O: | e580af8.exe
  File opened (read-only) | \??\I: | e580af8.exe
  File opened (read-only) | \??\G: | e580af8.exe
  File opened (read-only) | \??\H: | e580af8.exe
  File opened (read-only) | \??\J: | e580af8.exe
  File opened (read-only) | \??\K: | e580af8.exe
  File opened (read-only) | \??\M: | e580af8.exe
  File opened (read-only) | \??\E: | e580af8.exe

Drops file in Windows directory (3 IoCs)
Processes: e580af8.exe, e581cba.exe
  description | ioc | process
  File created | C:\Windows\e5815e4 | e580af8.exe
  File opened for modification | C:\Windows\SYSTEM.INI | e580af8.exe
  File created | C:\Windows\e586ada | e581cba.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e580af8.exe, e581cba.exe
  pid | process
  2180 | e580af8.exe (4 entries)
  2260 | e581cba.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e580af8.exe
  description | pid | process
  Token: SeDebugPrivilege | 2180 | e580af8.exe (64 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e580af8.exe
  description | pid | process | target process
  PID 4500 wrote to memory of 2412 | 4500 | rundll32.exe | rundll32.exe (3 entries)
  PID 2412 wrote to memory of 2180 | 2412 | rundll32.exe | e580af8.exe (3 entries)
  PID 2180 wrote to memory of 808 | 2180 | e580af8.exe | fontdrvhost.exe
  PID 2180 wrote to memory of 816 | 2180 | e580af8.exe | fontdrvhost.exe
  PID 2180 wrote to memory of 376 | 2180 | e580af8.exe | dwm.exe
  PID 2180 wrote to memory of 2420 | 2180 | e580af8.exe | sihost.exe
  PID 2180 wrote to memory of 2436 | 2180 | e580af8.exe | svchost.exe
  PID 2180 wrote to memory of 2652 | 2180 | e580af8.exe | taskhostw.exe
  PID 2180 wrote to memory of 3296 | 2180 | e580af8.exe | Explorer.EXE
  PID 2180 wrote to memory of 3520 | 2180 | e580af8.exe | svchost.exe
  PID 2180 wrote to memory of 3768 | 2180 | e580af8.exe | DllHost.exe
  PID 2180 wrote to memory of 3856 | 2180 | e580af8.exe | StartMenuExperienceHost.exe
  PID 2180 wrote to memory of 3972 | 2180 | e580af8.exe | RuntimeBroker.exe
  PID 2180 wrote to memory of 4048 | 2180 | e580af8.exe | SearchApp.exe
  PID 2180 wrote to memory of 3864 | 2180 | e580af8.exe | RuntimeBroker.exe
  PID 2180 wrote to memory of 3188 | 2180 | e580af8.exe | RuntimeBroker.exe
  PID 2180 wrote to memory of 1872 | 2180 | e580af8.exe | TextInputHost.exe
  PID 2180 wrote to memory of 2140 | 2180 | e580af8.exe | RuntimeBroker.exe
  PID 2180 wrote to memory of 1756 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 824 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 3996 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 2848 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 1700 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 4260 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 5048 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 4500 | 2180 | e580af8.exe | rundll32.exe
  PID 2180 wrote to memory of 2412 | 2180 | e580af8.exe | rundll32.exe (2 entries)
  PID 2412 wrote to memory of 3356 | 2412 | rundll32.exe | e581ac6.exe (3 entries)
  PID 2412 wrote to memory of 2260 | 2412 | rundll32.exe | e581cba.exe (3 entries)
  PID 2180 wrote to memory of 808 | 2180 | e580af8.exe | fontdrvhost.exe
  PID 2180 wrote to memory of 816 | 2180 | e580af8.exe | fontdrvhost.exe
  PID 2180 wrote to memory of 376 | 2180 | e580af8.exe | dwm.exe
  PID 2180 wrote to memory of 2420 | 2180 | e580af8.exe | sihost.exe
  PID 2180 wrote to memory of 2436 | 2180 | e580af8.exe | svchost.exe
  PID 2180 wrote to memory of 2652 | 2180 | e580af8.exe | taskhostw.exe
  PID 2180 wrote to memory of 3296 | 2180 | e580af8.exe | Explorer.EXE
  PID 2180 wrote to memory of 3520 | 2180 | e580af8.exe | svchost.exe
  PID 2180 wrote to memory of 3768 | 2180 | e580af8.exe | DllHost.exe
  PID 2180 wrote to memory of 3856 | 2180 | e580af8.exe | StartMenuExperienceHost.exe
  PID 2180 wrote to memory of 3972 | 2180 | e580af8.exe | RuntimeBroker.exe
  PID 2180 wrote to memory of 4048 | 2180 | e580af8.exe | SearchApp.exe
  PID 2180 wrote to memory of 3864 | 2180 | e580af8.exe | RuntimeBroker.exe
  PID 2180 wrote to memory of 3188 | 2180 | e580af8.exe | RuntimeBroker.exe
  PID 2180 wrote to memory of 1872 | 2180 | e580af8.exe | TextInputHost.exe
  PID 2180 wrote to memory of 2140 | 2180 | e580af8.exe | RuntimeBroker.exe
  PID 2180 wrote to memory of 1756 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 824 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 3996 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 2848 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 1700 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 4260 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 5048 | 2180 | e580af8.exe | msedge.exe
  PID 2180 wrote to memory of 3356 | 2180 | e580af8.exe | e581ac6.exe (2 entries)
  PID 2180 wrote to memory of 2260 | 2180 | e580af8.exe | e581cba.exe

System policy modification (1 TTPs, 2 IoCs)
Processes: e580af8.exe, e581cba.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e580af8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e581cba.exe
Processes
(indentation shows parent/child depth in the process tree)

C:\Windows\system32\fontdrvhost.exe (PID 808)
  command line: "fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe (PID 816)
  command line: "fontdrvhost.exe"

C:\Windows\system32\dwm.exe (PID 376)
  command line: "dwm.exe"

C:\Windows\system32\sihost.exe (PID 2420)
  command line: sihost.exe

C:\Windows\system32\svchost.exe (PID 2436)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe (PID 2652)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE (PID 3296)
  command line: C:\Windows\Explorer.EXE

  C:\Windows\system32\rundll32.exe (PID 4500)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2e11467890191bfc68f277311b05c20_NeikiAnalytics.dll,#1
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (PID 2412)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2e11467890191bfc68f277311b05c20_NeikiAnalytics.dll,#1
      signatures: Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\e580af8.exe (PID 2180)
        command line: C:\Users\Admin\AppData\Local\Temp\e580af8.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification

      C:\Users\Admin\AppData\Local\Temp\e581ac6.exe (PID 3356)
        command line: C:\Users\Admin\AppData\Local\Temp\e581ac6.exe
        signatures: Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\e581cba.exe (PID 2260)
        command line: C:\Users\Admin\AppData\Local\Temp\e581cba.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; System policy modification

C:\Windows\system32\svchost.exe (PID 3520)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe (PID 3768)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3856)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe (PID 3972)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 4048)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe (PID 3864)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe (PID 3188)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (PID 1872)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe (PID 2140)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1756)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 824)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7ffece862e98,0x7ffece862ea4,0x7ffece862eb0

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3996)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2400 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2848)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3276 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:3

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1700)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3380 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4260)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5288 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5048)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5500 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1164)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
    Create or Modify System Process (1): Windows Service (1)
  Defense Evasion
    Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
    Impair Defenses (3): Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

  Filesize: 97KB
  MD5: aebf96f694cb30844e3bc9f6a7e9cf38
  SHA1: 6854be4420884213309fc17eee6ddab59c1bc015
  SHA256: dededbbedaf21707bb5408f59f8f65ee564aa7750c4170b8f1ac316c457b8018
  SHA512: 5f897dae5ba0dc43732ba902f440ce3aaa880c2eefcad289f617cad3ffbbe657d87b59743b66e03ea14cf50d6f1b12cdb18636f45b552777e588513454ad8ab0

  Filesize: 257B
  MD5: d165585bb4e6317cb3b4eff74872fc8d
  SHA1: 2ddc1fc2c57fdc9a6f6cfb268fd9b29c44f4ed04
  SHA256: 0a9d4d5f58ac2c77cc1e48344a4eac5c70ce7ae0d0594ccc21edacb1fc782340
  SHA512: e187503eadc9e8aad1ee0283306d25d4c8f3f3e51c56b71255b1b05372de8dc105d51178e7ad3d3d93ab60989a1a62ae331936eeb97cee6b3915cb98546367d9