Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 14:27
Static task: static1
Behavioral task: behavioral1
Sample: d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.dll
Resource: win7-20240221-en
General
Target: d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.dll
Size: 120KB
MD5: d7482856356ba5eaa99a9b31e27b1da0
SHA1: d1e5c06a21f85753335134fb769d5af1f2b2f960
SHA256: ec0398121807170f8d46b94adc67331ebd4d7ae0654e60d9b2cc797f017f0606
SHA512: 0bb279c031f484a00c24332412f64b4bb621eca1eda5c512a6b1a1305830b2fd1ddcf941967be9933c78baae9061cbd158f590c5d118b56a9d66fbb09bd05c76
SSDEEP: 1536:NM7KWetpU3dlJeG6x91fBSpBR4a9+RluX1/3GuZrvRLs3WOnAFaVP3O0gC:67KVDUtlJeGONSp7P+buX1uuZyP3pgC
Malware Config
Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: e57466f.exe, e577733.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e57466f.exe
UAC bypass
Processes: e57466f.exe, e577733.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577733.exe
Windows security bypass
Processes: e57466f.exe, e577733.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57466f.exe
Executes dropped EXE (3 IoCs)
Processes: e57466f.exe, e5747e6.exe, e577733.exe
pid | process
2896 | e57466f.exe
4032 | e5747e6.exe
3472 | e577733.exe
Windows security modification
Processes: e57466f.exe, e577733.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e577733.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e577733.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e577733.exe
Checks whether UAC is enabled
Processes: e57466f.exe, e577733.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577733.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e57466f.exe, e577733.exe
description | ioc | process
File opened (read-only) | \??\K: | e57466f.exe
File opened (read-only) | \??\E: | e577733.exe
File opened (read-only) | \??\L: | e57466f.exe
File opened (read-only) | \??\I: | e577733.exe
File opened (read-only) | \??\J: | e577733.exe
File opened (read-only) | \??\E: | e57466f.exe
File opened (read-only) | \??\G: | e57466f.exe
File opened (read-only) | \??\H: | e57466f.exe
File opened (read-only) | \??\I: | e57466f.exe
File opened (read-only) | \??\H: | e577733.exe
File opened (read-only) | \??\J: | e57466f.exe
File opened (read-only) | \??\M: | e57466f.exe
File opened (read-only) | \??\G: | e577733.exe
Drops file in Windows directory (3 IoCs)
Processes: e57466f.exe, e577733.exe
description | ioc | process
File created | C:\Windows\e5746cd | e57466f.exe
File opened for modification | C:\Windows\SYSTEM.INI | e57466f.exe
File created | C:\Windows\e579eef | e577733.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e57466f.exe, e577733.exe
pid | process
2896 | e57466f.exe
3472 | e577733.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e57466f.exe
description | pid | process
Token: SeDebugPrivilege | 2896 | e57466f.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e57466f.exe, e577733.exe
description | pid | process | target process
PID 568 wrote to memory of 1412 | 568 | rundll32.exe | rundll32.exe
PID 1412 wrote to memory of 2896 | 1412 | rundll32.exe | e57466f.exe
PID 2896 wrote to memory of 792 | 2896 | e57466f.exe | fontdrvhost.exe
PID 2896 wrote to memory of 800 | 2896 | e57466f.exe | fontdrvhost.exe
PID 2896 wrote to memory of 340 | 2896 | e57466f.exe | dwm.exe
PID 2896 wrote to memory of 2616 | 2896 | e57466f.exe | sihost.exe
PID 2896 wrote to memory of 2640 | 2896 | e57466f.exe | svchost.exe
PID 2896 wrote to memory of 2740 | 2896 | e57466f.exe | taskhostw.exe
PID 2896 wrote to memory of 3532 | 2896 | e57466f.exe | Explorer.EXE
PID 2896 wrote to memory of 3640 | 2896 | e57466f.exe | svchost.exe
PID 2896 wrote to memory of 3824 | 2896 | e57466f.exe | DllHost.exe
PID 2896 wrote to memory of 3912 | 2896 | e57466f.exe | StartMenuExperienceHost.exe
PID 2896 wrote to memory of 3976 | 2896 | e57466f.exe | RuntimeBroker.exe
PID 2896 wrote to memory of 4060 | 2896 | e57466f.exe | SearchApp.exe
PID 2896 wrote to memory of 4144 | 2896 | e57466f.exe | RuntimeBroker.exe
PID 2896 wrote to memory of 3920 | 2896 | e57466f.exe | TextInputHost.exe
PID 2896 wrote to memory of 2976 | 2896 | e57466f.exe | RuntimeBroker.exe
PID 2896 wrote to memory of 1188 | 2896 | e57466f.exe | backgroundTaskHost.exe
PID 2896 wrote to memory of 2072 | 2896 | e57466f.exe | backgroundTaskHost.exe
PID 2896 wrote to memory of 568 | 2896 | e57466f.exe | rundll32.exe
PID 2896 wrote to memory of 1412 | 2896 | e57466f.exe | rundll32.exe
PID 1412 wrote to memory of 4032 | 1412 | rundll32.exe | e5747e6.exe
PID 2896 wrote to memory of 4032 | 2896 | e57466f.exe | e5747e6.exe
PID 2896 wrote to memory of 2804 | 2896 | e57466f.exe | RuntimeBroker.exe
PID 2896 wrote to memory of 440 | 2896 | e57466f.exe | RuntimeBroker.exe
PID 1412 wrote to memory of 3472 | 1412 | rundll32.exe | e577733.exe
PID 3472 wrote to memory of 792 | 3472 | e577733.exe | fontdrvhost.exe
PID 3472 wrote to memory of 800 | 3472 | e577733.exe | fontdrvhost.exe
PID 3472 wrote to memory of 340 | 3472 | e577733.exe | dwm.exe
PID 3472 wrote to memory of 2616 | 3472 | e577733.exe | sihost.exe
PID 3472 wrote to memory of 2640 | 3472 | e577733.exe | svchost.exe
PID 3472 wrote to memory of 2740 | 3472 | e577733.exe | taskhostw.exe
PID 3472 wrote to memory of 3532 | 3472 | e577733.exe | Explorer.EXE
PID 3472 wrote to memory of 3640 | 3472 | e577733.exe | svchost.exe
PID 3472 wrote to memory of 3824 | 3472 | e577733.exe | DllHost.exe
PID 3472 wrote to memory of 3912 | 3472 | e577733.exe | StartMenuExperienceHost.exe
System policy modification (1 TTPs, 2 IoCs)
Processes: e57466f.exe, e577733.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e57466f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e577733.exe
Processes
C:\Windows\system32\fontdrvhost.exe (level 1, PID 792)
  command line: "fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe (level 1, PID 800)
  command line: "fontdrvhost.exe"
C:\Windows\system32\dwm.exe (level 1, PID 340)
  command line: "dwm.exe"
C:\Windows\system32\sihost.exe (level 1, PID 2616)
  command line: sihost.exe
C:\Windows\system32\svchost.exe (level 1, PID 2640)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe (level 1, PID 2740)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE (level 1, PID 3532)
  command line: C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe (level 2, PID 568)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (level 3, PID 1412)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7482856356ba5eaa99a9b31e27b1da0_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e57466f.exe (level 4, PID 2896)
        command line: C:\Users\Admin\AppData\Local\Temp\e57466f.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e5747e6.exe (level 4, PID 4032)
        command line: C:\Users\Admin\AppData\Local\Temp\e5747e6.exe
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\e577733.exe (level 4, PID 3472)
        command line: C:\Users\Admin\AppData\Local\Temp\e577733.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe (level 1, PID 3640)
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe (level 1, PID 3824)
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (level 1, PID 3912)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe (level 1, PID 3976)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (level 1, PID 4060)
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe (level 1, PID 4144)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (level 1, PID 3920)
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe (level 1, PID 2976)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe (level 1, PID 1188)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\backgroundTaskHost.exe (level 1, PID 2072)
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
C:\Windows\System32\RuntimeBroker.exe (level 1, PID 2804)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe (level 1, PID 440)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- C:\Users\Admin\AppData\Local\Temp\e57466f.exe
  Filesize: 97KB
  MD5: 10155e9649226fd5f4fdafd0694cf7b2
  SHA1: 3738e32f62c4be523233c303ab56edbe631cd7a9
  SHA256: ff98d4e25d02fcd822b9acd48f4a74559d328e0ecc9273d3e9ee0ab368d3b265
  SHA512: 421e34f56752970ebc8f44ecc152e8da2f792695201167e069fcbd633e4502afbb801f333b65e15aed3d03cf6627d440d9458b1dd1d6d0f9223f64b08106bb16
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: f1976d5296cf8a51a70a1a6ebc1b221b
  SHA1: 898079b0726352269d52d3ece52bb1791d6026a8
  SHA256: 12ae3152f6b73e6362e4901f5ae8871068f1b88c93bb1adc9bce16ba296bbc05
  SHA512: 14e943f97b0a7e811a52e42d98ddeb78a27dca2c9c34dc9e441a96ae3c84dcbe026d8c9cd51a91137eb55e709006c1a561a1da04548b36f3505a88a99a83b3b6