Analysis
- max time kernel: 136s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-05-2024 10:27
Static task: static1
Behavioral task: behavioral1
- Sample: e94ae2634735e53e0061ec4914335c40_NeikiAnalytics.dll
- Resource: win7-20240220-en
General
- Target: e94ae2634735e53e0061ec4914335c40_NeikiAnalytics.dll
- Size: 120KB
- MD5: e94ae2634735e53e0061ec4914335c40
- SHA1: 30b679c82db162af47c7ab38087fd8d2f9af927f
- SHA256: 499f09ee9cee02dceb06e6127251b0099b374881eab20e9442aa782189fe1ea6
- SHA512: 0c5f8672e3fbe2c6748d3f845ba7f7c9b609a6b620444065564395f8e5ad5fbfc6657e0160b4435e3c4ae0c148460cd7ac4e0ffb2245af00c0c6f6e912a0c92f
- SSDEEP: 3072:B39I6MMt/7vACLJ6eubqT1YJQmoSv8oSknXKjS7cv:p9dpfYDboYJsSv8hkn6e
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
Processes: e573a88.exe, e57565d.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (e573a88.exe)
-
UAC bypass 2 IoCs
Processes: e573a88.exe, e57565d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57565d.exe)
-
Windows security bypass 12 IoCs
Processes: e573a88.exe, e57565d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e573a88.exe)
-
Executes dropped EXE 3 IoCs
Processes: e573a88.exe, e573b73.exe, e57565d.exe
- PID 1308 e573a88.exe
- PID 5072 e573b73.exe
- PID 1468 e57565d.exe
-
UPX-packed memory (yara rule: upx) 32 IoCs
Memory dumps matching the upx rule, all from the same 16.7MB region of PID 1308 (0x0000000000840000-0x00000000018FA000) plus one region of PID 1468:
- behavioral2/memory/1308-6-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-8-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-9-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-10-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-11-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-12-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-20-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-21-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-27-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-34-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-35-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-36-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-37-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-38-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-39-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-41-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-42-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-50-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-52-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-53-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-63-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-65-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-68-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-70-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-71-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-72-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-74-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-76-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-78-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-79-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1308-100-0x0000000000840000-0x00000000018FA000-memory.dmp
- behavioral2/memory/1468-130-0x0000000000B30000-0x0000000001BEA000-memory.dmp
-
Windows security modification 14 IoCs
Processes: e573a88.exe, e57565d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e573a88.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e57565d.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e57565d.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (e57565d.exe)
-
Checks whether UAC is enabled 2 IoCs
Processes: e573a88.exe, e57565d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57565d.exe)
-
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e573a88.exe
- File opened (read-only) \??\L: (e573a88.exe)
- File opened (read-only) \??\I: (e573a88.exe)
- File opened (read-only) \??\K: (e573a88.exe)
- File opened (read-only) \??\H: (e573a88.exe)
- File opened (read-only) \??\J: (e573a88.exe)
- File opened (read-only) \??\P: (e573a88.exe)
- File opened (read-only) \??\Q: (e573a88.exe)
- File opened (read-only) \??\R: (e573a88.exe)
- File opened (read-only) \??\S: (e573a88.exe)
- File opened (read-only) \??\G: (e573a88.exe)
- File opened (read-only) \??\M: (e573a88.exe)
- File opened (read-only) \??\N: (e573a88.exe)
- File opened (read-only) \??\O: (e573a88.exe)
- File opened (read-only) \??\E: (e573a88.exe)
-
Drops file in Program Files directory 4 IoCs
Processes: e573a88.exe
- File opened for modification C:\Program Files\7-Zip\7zFM.exe (e573a88.exe)
- File opened for modification C:\Program Files\7-Zip\7zG.exe (e573a88.exe)
- File opened for modification C:\Program Files\7-Zip\Uninstall.exe (e573a88.exe)
- File opened for modification C:\Program Files\7-Zip\7z.exe (e573a88.exe)
-
Drops file in Windows directory 3 IoCs
Processes: e573a88.exe, e57565d.exe
- File created C:\Windows\e573ad6 (e573a88.exe)
- File opened for modification C:\Windows\SYSTEM.INI (e573a88.exe)
- File created C:\Windows\e57a4db (e57565d.exe)
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: e573a88.exe
- PID 1308 e573a88.exe (4 occurrences)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e573a88.exe
- Token: SeDebugPrivilege, PID 1308 e573a88.exe (64 occurrences)
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes: rundll32.exe, rundll32.exe, e573a88.exe
- PID 1608 wrote to memory of 644 (rundll32.exe -> rundll32.exe)
- PID 1608 wrote to memory of 644 (rundll32.exe -> rundll32.exe)
- PID 1608 wrote to memory of 644 (rundll32.exe -> rundll32.exe)
- PID 644 wrote to memory of 1308 (rundll32.exe -> e573a88.exe)
- PID 644 wrote to memory of 1308 (rundll32.exe -> e573a88.exe)
- PID 644 wrote to memory of 1308 (rundll32.exe -> e573a88.exe)
- PID 1308 wrote to memory of 776 (e573a88.exe -> fontdrvhost.exe)
- PID 1308 wrote to memory of 780 (e573a88.exe -> fontdrvhost.exe)
- PID 1308 wrote to memory of 380 (e573a88.exe -> dwm.exe)
- PID 1308 wrote to memory of 2652 (e573a88.exe -> sihost.exe)
- PID 1308 wrote to memory of 2664 (e573a88.exe -> svchost.exe)
- PID 1308 wrote to memory of 2820 (e573a88.exe -> taskhostw.exe)
- PID 1308 wrote to memory of 3516 (e573a88.exe -> Explorer.EXE)
- PID 1308 wrote to memory of 3652 (e573a88.exe -> svchost.exe)
- PID 1308 wrote to memory of 3840 (e573a88.exe -> DllHost.exe)
- PID 1308 wrote to memory of 3936 (e573a88.exe -> StartMenuExperienceHost.exe)
- PID 1308 wrote to memory of 3996 (e573a88.exe -> RuntimeBroker.exe)
- PID 1308 wrote to memory of 4080 (e573a88.exe -> SearchApp.exe)
- PID 1308 wrote to memory of 4200 (e573a88.exe -> RuntimeBroker.exe)
- PID 1308 wrote to memory of 4816 (e573a88.exe -> TextInputHost.exe)
- PID 1308 wrote to memory of 2428 (e573a88.exe -> RuntimeBroker.exe)
- PID 1308 wrote to memory of 640 (e573a88.exe -> backgroundTaskHost.exe)
- PID 1308 wrote to memory of 4624 (e573a88.exe -> backgroundTaskHost.exe)
- PID 1308 wrote to memory of 1608 (e573a88.exe -> rundll32.exe)
- PID 1308 wrote to memory of 644 (e573a88.exe -> rundll32.exe)
- PID 1308 wrote to memory of 644 (e573a88.exe -> rundll32.exe)
- PID 644 wrote to memory of 5072 (rundll32.exe -> e573b73.exe)
- PID 644 wrote to memory of 5072 (rundll32.exe -> e573b73.exe)
- PID 644 wrote to memory of 5072 (rundll32.exe -> e573b73.exe)
- PID 644 wrote to memory of 1468 (rundll32.exe -> e57565d.exe)
- PID 644 wrote to memory of 1468 (rundll32.exe -> e57565d.exe)
- PID 644 wrote to memory of 1468 (rundll32.exe -> e57565d.exe)
- PID 1308 wrote to memory of 776 (e573a88.exe -> fontdrvhost.exe)
- PID 1308 wrote to memory of 780 (e573a88.exe -> fontdrvhost.exe)
- PID 1308 wrote to memory of 380 (e573a88.exe -> dwm.exe)
- PID 1308 wrote to memory of 2652 (e573a88.exe -> sihost.exe)
- PID 1308 wrote to memory of 2664 (e573a88.exe -> svchost.exe)
- PID 1308 wrote to memory of 2820 (e573a88.exe -> taskhostw.exe)
- PID 1308 wrote to memory of 3516 (e573a88.exe -> Explorer.EXE)
- PID 1308 wrote to memory of 3652 (e573a88.exe -> svchost.exe)
- PID 1308 wrote to memory of 3840 (e573a88.exe -> DllHost.exe)
- PID 1308 wrote to memory of 3936 (e573a88.exe -> StartMenuExperienceHost.exe)
- PID 1308 wrote to memory of 3996 (e573a88.exe -> RuntimeBroker.exe)
- PID 1308 wrote to memory of 4080 (e573a88.exe -> SearchApp.exe)
- PID 1308 wrote to memory of 4200 (e573a88.exe -> RuntimeBroker.exe)
- PID 1308 wrote to memory of 4816 (e573a88.exe -> TextInputHost.exe)
- PID 1308 wrote to memory of 2428 (e573a88.exe -> RuntimeBroker.exe)
- PID 1308 wrote to memory of 640 (e573a88.exe -> backgroundTaskHost.exe)
- PID 1308 wrote to memory of 5072 (e573a88.exe -> e573b73.exe)
- PID 1308 wrote to memory of 5072 (e573a88.exe -> e573b73.exe)
- PID 1308 wrote to memory of 3756 (e573a88.exe -> RuntimeBroker.exe)
- PID 1308 wrote to memory of 4532 (e573a88.exe -> RuntimeBroker.exe)
- PID 1308 wrote to memory of 1468 (e573a88.exe -> e57565d.exe)
- PID 1308 wrote to memory of 1468 (e573a88.exe -> e57565d.exe)
-
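The WriteProcessMemory list above mixes two very different things: the three writes each rundll32 parent makes into a child it has just created, and the writes e573a88.exe makes into processes it did not create (fontdrvhost, dwm, Explorer, svchost, and even back into its rundll32 hosts). The script below, an added example that is not part of the sandbox report and not sandbox code, separates the two using the parent/child map from the report's process tree. The event lines are copied from the report; the list of system image names and the "three distinct system targets" threshold are this example's own assumptions.

```python
"""Tell process-creation writes apart from cross-process injection in sandbox
"wrote to memory of" events.

Added example; not part of the sandbox report and not sandbox code. Event lines
are copied from the report's WriteProcessMemory signature, the parent/child map
from its process tree; SYSTEM_IMAGES and the threshold are assumptions.
"""
import re

# "PID <src> wrote to memory of <dst> <src> <source image> <target image>"
WPM_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) '
    r'(?P<src_img>\S+) (?P<dst_img>\S+)$'
)

# Assumed: Windows images a user-mode dropper has no legitimate reason to write into.
SYSTEM_IMAGES = {
    "fontdrvhost.exe", "dwm.exe", "sihost.exe", "svchost.exe", "taskhostw.exe",
    "explorer.exe", "dllhost.exe", "runtimebroker.exe", "searchapp.exe",
    "startmenuexperiencehost.exe", "textinputhost.exe", "backgroundtaskhost.exe",
}

# Constructed input: ten event lines copied from the report (one deliberately repeated).
SAMPLE_EVENTS = [
    "PID 1608 wrote to memory of 644 1608 rundll32.exe rundll32.exe",
    "PID 644 wrote to memory of 1308 644 rundll32.exe e573a88.exe",
    "PID 1308 wrote to memory of 776 1308 e573a88.exe fontdrvhost.exe",
    "PID 1308 wrote to memory of 380 1308 e573a88.exe dwm.exe",
    "PID 1308 wrote to memory of 3516 1308 e573a88.exe Explorer.EXE",
    "PID 1308 wrote to memory of 2664 1308 e573a88.exe svchost.exe",
    "PID 1308 wrote to memory of 644 1308 e573a88.exe rundll32.exe",
    "PID 644 wrote to memory of 5072 644 rundll32.exe e573b73.exe",
    "PID 1308 wrote to memory of 5072 1308 e573a88.exe e573b73.exe",
    "PID 1308 wrote to memory of 776 1308 e573a88.exe fontdrvhost.exe",
]

# child PID -> parent PID, taken from the report's process tree
PARENT_OF = {644: 1608, 1308: 644, 5072: 644, 1468: 644}


def parse_events(lines):
    """Parse event lines into dicts; lines in any other format are skipped."""
    events = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            events.append({
                "src": int(m["src"]), "dst": int(m["dst"]),
                "src_img": m["src_img"], "dst_img": m["dst_img"].lower(),
            })
    return events


def injection_report(lines, parent_of):
    """Per source PID, split writes into processes it created itself (the report
    records three of these per child) from writes into any other process.
    parent_of maps child PID -> parent PID."""
    report = {}
    for ev in parse_events(lines):
        entry = report.setdefault(ev["src"], {
            "image": ev["src_img"], "creation_writes": 0, "injection_writes": 0,
            "injected_pids": set(), "injected_images": set(),
        })
        if parent_of.get(ev["dst"]) == ev["src"]:
            entry["creation_writes"] += 1
        else:
            entry["injection_writes"] += 1
            entry["injected_pids"].add(ev["dst"])
            entry["injected_images"].add(ev["dst_img"])
    for entry in report.values():
        entry["injected_pids"] = sorted(entry["injected_pids"])
        entry["injected_images"] = sorted(entry["injected_images"])
        entry["system_targets"] = sum(
            1 for img in entry["injected_images"] if img in SYSTEM_IMAGES)
    return report


def suspicious_injectors(report, min_system_targets=3):
    """Source PIDs that wrote into at least min_system_targets distinct system images."""
    return sorted(pid for pid, e in report.items()
                  if e["system_targets"] >= min_system_targets)


if __name__ == "__main__":
    rep = injection_report(SAMPLE_EVENTS, PARENT_OF)
    for pid in suspicious_injectors(rep):
        e = rep[pid]
        print(pid, e["image"], "injected into", e["injected_pids"], e["injected_images"])
```

On the full 54-event list from the report the same logic leaves both rundll32 PIDs with creation writes only and attributes every cross-process write to PID 1308; the writes back into PIDs 1608 and 644 show the dropped executable also targets the rundll32 chain that loaded it.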
System policy modification 1 TTPs 2 IoCs
Processes: e573a88.exe, e57565d.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e573a88.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (e57565d.exe)
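The registry signatures above (firewall policy, EnableLUA, Security Center overrides and notification flags) are individually noisy, but the combination is the classic Sality defence-tampering pattern: the same dropped executable disables the firewall, turns off UAC and tells Security Center not to report any of it. The script below, an added example that is not part of the sandbox report and not sandbox code, parses IoC lines in the report's own format and groups them per process and per tamper category. The sample lines are copied from the report (plus one constructed benign line); the category rules, the ATT&CK mapping and the "two distinct categories" threshold are this example's assumptions.

```python
"""Classify sandbox registry IoC lines into defence-tampering categories.

Added example; not part of the sandbox report and not sandbox code. Seven
sample lines are copied from the report, one benign line is constructed; the
rules, the ATT&CK mapping and the threshold are this example's assumptions.
"""
import re
from collections import defaultdict

# The two IoC shapes the report uses:
#   Set value (int) \REGISTRY\...\Name = "1" proc.exe
#   Key created \REGISTRY\...\Key proc.exe
IOC_RE = re.compile(
    r'^(?P<action>Set value \(\w+\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'
    r'\s+(?P<process>\S+\.exe)$'
)

# Assumed rules: (regex on the registry path, value that means "tampered" or
# None for key creation, category label, ATT&CK technique used here).
RULES = [
    (r'\\FirewallPolicy\\\w+Profile\\EnableFirewall$', "0", "firewall disabled", "T1562.004"),
    (r'\\FirewallPolicy\\\w+Profile\\DoNotAllowExceptions$', "0", "firewall exceptions allowed", "T1562.004"),
    (r'\\FirewallPolicy\\\w+Profile\\DisableNotifications$', "1", "firewall notifications hidden", "T1562.004"),
    (r'\\Policies\\System\\EnableLUA$', "0", "UAC disabled", "T1548.002"),
    (r'\\Security Center\\\w+Override$', "1", "Security Center override", "T1562.001"),
    (r'\\Security Center\\\w+DisableNotify$', "1", "Security Center notification disabled", "T1562.001"),
    (r'\\Security Center\\Svc$', None, "Security Center Svc key created", "T1112"),
]

# Constructed input: seven lines copied from the report, one benign line made up for contrast.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e573a88.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e573a88.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e573a88.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e573a88.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e573a88.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e57565d.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e57565d.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1000\Software\ExampleApp\Theme = "dark" benign.exe',
]


def parse_ioc(line):
    """Return the IoC fields as a dict, or None for lines in another format."""
    m = IOC_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(ioc):
    """First matching rule -> (category, technique); None when no rule applies."""
    for pattern, tamper_value, category, technique in RULES:
        if re.search(pattern, ioc["path"], re.IGNORECASE) and (
            tamper_value is None or ioc["value"] == tamper_value
        ):
            return category, technique
    return None


def summarize(lines):
    """Aggregate IoC lines into {process: {category: count}} and {process: [techniques]}."""
    categories = defaultdict(lambda: defaultdict(int))
    techniques = defaultdict(set)
    for line in lines:
        ioc = parse_ioc(line)
        hit = classify(ioc) if ioc else None
        if hit is None:
            continue
        category, technique = hit
        categories[ioc["process"]][category] += 1
        techniques[ioc["process"]].add(technique)
    return (
        {proc: dict(c) for proc, c in categories.items()},
        {proc: sorted(t) for proc, t in techniques.items()},
    )


def tampering_processes(categories, min_categories=2):
    """Processes hitting at least min_categories distinct tamper categories (assumed threshold)."""
    return sorted(p for p, cats in categories.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    cats, techs = summarize(SAMPLE_IOCS)
    for proc in tampering_processes(cats):
        print(proc, dict(cats[proc]), techs[proc])
```

The value check matters: EnableLUA = "1" or EnableFirewall = "1" is a hardening change, not tampering, so the rules match on the specific value the report shows rather than on the key name alone.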
Processes
- PID 776 (depth 1) C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- PID 780 (depth 1) C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- PID 380 (depth 1) C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
- PID 2652 (depth 1) C:\Windows\system32\sihost.exe
  command line: sihost.exe
- PID 2664 (depth 1) C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- PID 2820 (depth 1) C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- PID 3516 (depth 1) C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - PID 1608 (depth 2) C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e94ae2634735e53e0061ec4914335c40_NeikiAnalytics.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - PID 644 (depth 3) C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e94ae2634735e53e0061ec4914335c40_NeikiAnalytics.dll,#1
      signatures: Suspicious use of WriteProcessMemory
      - PID 1308 (depth 4) C:\Users\Admin\AppData\Local\Temp\e573a88.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e573a88.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - PID 5072 (depth 4) C:\Users\Admin\AppData\Local\Temp\e573b73.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e573b73.exe
        signatures: Executes dropped EXE
      - PID 1468 (depth 4) C:\Users\Admin\AppData\Local\Temp\e57565d.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57565d.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System policy modification
- PID 3652 (depth 1) C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- PID 3840 (depth 1) C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- PID 3936 (depth 1) C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3996 (depth 1) C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4080 (depth 1) C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 4200 (depth 1) C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4816 (depth 1) C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- PID 2428 (depth 1) C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 640 (depth 1) C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- PID 4624 (depth 1) C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- PID 3756 (depth 1) C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4532 (depth 1) C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
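The process tree shows the execution chain that matters for detection: Explorer launches a 64-bit rundll32.exe with a DLL from the user's Temp directory, that rundll32 re-launches itself as the SysWOW64 (32-bit) rundll32.exe with the same DLL, and the 32-bit host then spawns three executables from the same Temp directory. The script below, an added example that is not part of the sandbox report and not sandbox code, encodes that chain as a rule over process records. The records are transcribed from the tree above (depth-1 processes have no recorded parent, so their parent is None); the rule itself is this example's assumption.

```python
"""Flag a rundll32 chain that loads a DLL from the user's Temp directory and
spawns executables from that same directory.

Added example; not part of the sandbox report and not sandbox code. Process
records are transcribed from the report's process tree; the detection rule
is this example's assumption.
"""
import re

TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
# "rundll32.exe <dll>,<entry>" with an optional quoted DLL path
RUNDLL32_ARGS_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)

DLL = r"C:\Users\Admin\AppData\Local\Temp\e94ae2634735e53e0061ec4914335c40_NeikiAnalytics.dll"

# (pid, parent pid, image path, command line), transcribed from the report's tree
PROCESSES = [
    (3516, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1608, 3516, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    (644, 1608, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    (1308, 644, r"C:\Users\Admin\AppData\Local\Temp\e573a88.exe",
     r"C:\Users\Admin\AppData\Local\Temp\e573a88.exe"),
    (5072, 644, r"C:\Users\Admin\AppData\Local\Temp\e573b73.exe",
     r"C:\Users\Admin\AppData\Local\Temp\e573b73.exe"),
    (1468, 644, r"C:\Users\Admin\AppData\Local\Temp\e57565d.exe",
     r"C:\Users\Admin\AppData\Local\Temp\e57565d.exe"),
    (3996, None, r"C:\Windows\System32\RuntimeBroker.exe",
     r"C:\Windows\System32\RuntimeBroker.exe -Embedding"),
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_dll(cmdline):
    """DLL path a rundll32 command line loads, or None if it is not a rundll32 invocation."""
    m = RUNDLL32_ARGS_RE.search(cmdline)
    return m["dll"].strip() if m else None


def ancestry(pid, processes):
    """Image names from pid up to the root of the recorded tree."""
    by_pid = {p[0]: p for p in processes}
    chain = []
    while pid in by_pid:
        _, ppid, image, _ = by_pid[pid]
        chain.append(image_name(image))
        pid = ppid
    return chain


def temp_rundll32_chain(processes):
    """(pid, reason) for every rundll32 that loads a Temp DLL and every Temp
    executable whose direct parent is rundll32."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, ppid, image, cmdline in processes:
        if image_name(image) == "rundll32.exe":
            dll = rundll32_dll(cmdline)
            if dll and TEMP_DIR_RE.search(dll):
                findings.append((pid, "rundll32 loads DLL from user Temp: " + dll))
        elif TEMP_DIR_RE.search(image):
            parent = by_pid.get(ppid)
            if parent and image_name(parent[2]) == "rundll32.exe":
                findings.append((pid, f"executable in user Temp spawned by rundll32 PID {ppid}"))
    return findings


if __name__ == "__main__":
    for pid, reason in temp_rundll32_chain(PROCESSES):
        print(pid, reason, "| ancestry:", " <- ".join(ancestry(pid, PROCESSES)))
```

The same rule transfers to endpoint telemetry (Sysmon event ID 1 or EDR process-creation records) once the fields are mapped to (pid, parent pid, image, command line); the 64-bit to SysWOW64 rundll32 hop is itself a useful secondary indicator that a 32-bit DLL was handed to the 64-bit loader.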
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Create or Modify System Process (T1543): 1
  - Windows Service (T1543.003): 1
Defense Evasion
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Impair Defenses (T1562): 3
  - Disable or Modify Tools (T1562.001): 3
- Modify Registry (T1112): 5
Downloads
- C:\Users\Admin\AppData\Local\Temp\e573a88.exe
  Filesize: 97KB
  MD5: 3260d6fc1ebbed4cbbd6e5f03ef8c2ec
  SHA1: df288f3b0532b500ae522e7698f17c5542addb1b
  SHA256: c2e92eec7c560ddd0af2bb681f5669a00b79b98a8d93cdf7d98b874f41e66229
  SHA512: d9d91331bab0ff88404827a3f32716b15fe1ce514fe45364171dd6bed71056a58eee77ec98a1017c3c1639ccc89e115348de800484115cdc8a93a314b96181e1
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 26c8adbec25f8151345badfb61a69c71
  SHA1: 6eebcb85bae9b7242b3996af1eec4dcbbe48e6b0
  SHA256: 98178a7031d2b6dae05cd109f30b9a2057e98ca921e22eb6602c2f1faf04e227
  SHA512: 57e90d87623f580868b013bf89a6b650f5f47e7c6973640d46b3c038b6e5f9a47a68c73990981f7644e76f94d53810e4a4e19c51fb0754a7b83c03d9f33e7ad8
Memory dumps (name: Filesize)
- memory/644-13-0x0000000000940000-0x0000000000942000-memory.dmp: 8KB
- memory/644-3-0x0000000010000000-0x0000000010020000-memory.dmp: 128KB
- memory/644-25-0x0000000000940000-0x0000000000942000-memory.dmp: 8KB
- memory/644-16-0x0000000000940000-0x0000000000942000-memory.dmp: 8KB
- memory/644-14-0x0000000003950000-0x0000000003951000-memory.dmp: 4KB
- memory/1308-42-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-71-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-26-0x0000000000630000-0x0000000000632000-memory.dmp: 8KB
- memory/1308-33-0x0000000000630000-0x0000000000632000-memory.dmp: 8KB
- memory/1308-21-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-34-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-27-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-9-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-20-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-12-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-11-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-10-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-8-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-35-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-36-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-37-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-39-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-38-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-41-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-6-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-50-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-52-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-53-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-4-0x0000000000400000-0x0000000000412000-memory.dmp: 72KB
- memory/1308-100-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-105-0x0000000000400000-0x0000000000412000-memory.dmp: 72KB
- memory/1308-93-0x0000000000630000-0x0000000000632000-memory.dmp: 8KB
- memory/1308-79-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-78-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-76-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-63-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-65-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-68-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-70-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-17-0x0000000001B80000-0x0000000001B81000-memory.dmp: 4KB
- memory/1308-72-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1308-74-0x0000000000840000-0x00000000018FA000-memory.dmp: 16.7MB
- memory/1468-59-0x00000000001F0000-0x00000000001F1000-memory.dmp: 4KB
- memory/1468-60-0x00000000001E0000-0x00000000001E2000-memory.dmp: 8KB
- memory/1468-62-0x00000000001E0000-0x00000000001E2000-memory.dmp: 8KB
- memory/1468-130-0x0000000000B30000-0x0000000001BEA000-memory.dmp: 16.7MB
- memory/1468-132-0x0000000000400000-0x0000000000412000-memory.dmp: 72KB
- memory/5072-56-0x00000000001F0000-0x00000000001F1000-memory.dmp: 4KB
- memory/5072-57-0x00000000001E0000-0x00000000001E2000-memory.dmp: 8KB
- memory/5072-61-0x00000000001E0000-0x00000000001E2000-memory.dmp: 8KB
- memory/5072-109-0x0000000000400000-0x0000000000412000-memory.dmp: 72KB
- memory/5072-24-0x0000000000400000-0x0000000000412000-memory.dmp: 72KB