Analysis
max time kernel: 143s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 18-05-2024 19:58

Static task: static1
Behavioral task: behavioral1
Sample: 3efa4ca4720c0da820ee6a50438e5010_NeikiAnalytics.dll
Resource: win7-20240221-en
General
Target: 3efa4ca4720c0da820ee6a50438e5010_NeikiAnalytics.dll
Size: 120KB
MD5: 3efa4ca4720c0da820ee6a50438e5010
SHA1: 64e144eb762bb8d6d45c69f4006efd31b105c687
SHA256: e2010219610aedfa8d24edfd72a4c0675ac4d63088dc190e0d3f7bedb8ca57f2
SHA512: 3c7408302e4020765f2b064634bc63c245fe02116b91de325d5eddb510e353dbce2a50909ac0e235d96449c23d6b0c05c86a0655c2c7c8e6f66d09ce47c3573f
SSDEEP: 1536:3+2hbYEyuHC5K/GvO8Qq5KtlNQ4BrGIRlxKxPWzRJK9NreATm:CEy2+28QukNQ4RGIRlDRJK9N8
Malware Config
Extracted
Family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service 2 TTPs 6 IoCs
Processes: e5756ea.exe, e575554.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e5756ea.exe
UAC bypass
Processes: e575554.exe, e5756ea.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5756ea.exe
Windows security bypass
Processes: e5756ea.exe, e575554.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5756ea.exe
Executes dropped EXE 3 IoCs
Processes: e575554.exe, e5756ea.exe, e578a8d.exe
pid | process
3008 | e575554.exe
4764 | e5756ea.exe
3632 | e578a8d.exe
Memory dumps matching yara rule upx:
resource | yara_rule
behavioral2/memory/3008-6-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-9-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-10-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-18-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-32-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-28-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-27-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-14-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-26-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-11-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-36-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-37-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-38-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-39-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-40-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-54-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-55-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-56-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-58-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-60-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-62-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/3008-67-0x0000000000810000-0x00000000018CA000-memory.dmp | upx
behavioral2/memory/4764-89-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4764-87-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4764-83-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4764-88-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4764-86-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4764-85-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4764-99-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
behavioral2/memory/4764-116-0x0000000000B20000-0x0000000001BDA000-memory.dmp | upx
Windows security modification
Processes: e5756ea.exe, e575554.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e575554.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e575554.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e575554.exe
Checks whether UAC is enabled
Processes: e575554.exe, e5756ea.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575554.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5756ea.exe
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e575554.exe
description | ioc | process
File opened (read-only) | \??\J: | e575554.exe
File opened (read-only) | \??\K: | e575554.exe
File opened (read-only) | \??\E: | e575554.exe
File opened (read-only) | \??\G: | e575554.exe
File opened (read-only) | \??\H: | e575554.exe
File opened (read-only) | \??\I: | e575554.exe
Drops file in Windows directory 3 IoCs
Processes: e575554.exe, e5756ea.exe
description | ioc | process
File created | C:\Windows\e5755e0 | e575554.exe
File opened for modification | C:\Windows\SYSTEM.INI | e575554.exe
File created | C:\Windows\e57b1ac | e5756ea.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: e575554.exe, e5756ea.exe
pid | process
3008 | e575554.exe (4 identical entries)
4764 | e5756ea.exe (2 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e575554.exe
description | pid | process
Token: SeDebugPrivilege | 3008 | e575554.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: rundll32.exe, rundll32.exe, e575554.exe, e5756ea.exe
description | pid | process | target process
PID 1480 wrote to memory of 4948 | 1480 | rundll32.exe | rundll32.exe (3 identical entries)
PID 4948 wrote to memory of 3008 | 4948 | rundll32.exe | e575554.exe (3 identical entries)
PID 3008 wrote to memory of 772 | 3008 | e575554.exe | fontdrvhost.exe
PID 3008 wrote to memory of 776 | 3008 | e575554.exe | fontdrvhost.exe
PID 3008 wrote to memory of 336 | 3008 | e575554.exe | dwm.exe
PID 3008 wrote to memory of 1080 | 3008 | e575554.exe | sihost.exe
PID 3008 wrote to memory of 2476 | 3008 | e575554.exe | svchost.exe
PID 3008 wrote to memory of 3108 | 3008 | e575554.exe | taskhostw.exe
PID 3008 wrote to memory of 3424 | 3008 | e575554.exe | Explorer.EXE
PID 3008 wrote to memory of 3568 | 3008 | e575554.exe | svchost.exe
PID 3008 wrote to memory of 3776 | 3008 | e575554.exe | DllHost.exe
PID 3008 wrote to memory of 3924 | 3008 | e575554.exe | StartMenuExperienceHost.exe
PID 3008 wrote to memory of 3984 | 3008 | e575554.exe | RuntimeBroker.exe
PID 3008 wrote to memory of 4076 | 3008 | e575554.exe | SearchApp.exe
PID 3008 wrote to memory of 4168 | 3008 | e575554.exe | RuntimeBroker.exe
PID 3008 wrote to memory of 4468 | 3008 | e575554.exe | RuntimeBroker.exe
PID 3008 wrote to memory of 4052 | 3008 | e575554.exe | TextInputHost.exe
PID 3008 wrote to memory of 3784 | 3008 | e575554.exe | backgroundTaskHost.exe
PID 3008 wrote to memory of 1916 | 3008 | e575554.exe | backgroundTaskHost.exe
PID 3008 wrote to memory of 1480 | 3008 | e575554.exe | rundll32.exe
PID 3008 wrote to memory of 4948 | 3008 | e575554.exe | rundll32.exe (2 identical entries)
PID 4948 wrote to memory of 4764 | 4948 | rundll32.exe | e5756ea.exe (3 identical entries)
PID 3008 wrote to memory of 772 | 3008 | e575554.exe | fontdrvhost.exe
PID 3008 wrote to memory of 776 | 3008 | e575554.exe | fontdrvhost.exe
PID 3008 wrote to memory of 336 | 3008 | e575554.exe | dwm.exe
PID 3008 wrote to memory of 1080 | 3008 | e575554.exe | sihost.exe
PID 3008 wrote to memory of 2476 | 3008 | e575554.exe | svchost.exe
PID 3008 wrote to memory of 3108 | 3008 | e575554.exe | taskhostw.exe
PID 3008 wrote to memory of 3424 | 3008 | e575554.exe | Explorer.EXE
PID 3008 wrote to memory of 3568 | 3008 | e575554.exe | svchost.exe
PID 3008 wrote to memory of 3776 | 3008 | e575554.exe | DllHost.exe
PID 3008 wrote to memory of 3924 | 3008 | e575554.exe | StartMenuExperienceHost.exe
PID 3008 wrote to memory of 3984 | 3008 | e575554.exe | RuntimeBroker.exe
PID 3008 wrote to memory of 4076 | 3008 | e575554.exe | SearchApp.exe
PID 3008 wrote to memory of 4168 | 3008 | e575554.exe | RuntimeBroker.exe
PID 3008 wrote to memory of 4468 | 3008 | e575554.exe | RuntimeBroker.exe
PID 3008 wrote to memory of 4052 | 3008 | e575554.exe | TextInputHost.exe
PID 3008 wrote to memory of 3784 | 3008 | e575554.exe | backgroundTaskHost.exe
PID 3008 wrote to memory of 1916 | 3008 | e575554.exe | backgroundTaskHost.exe
PID 3008 wrote to memory of 1480 | 3008 | e575554.exe | rundll32.exe
PID 3008 wrote to memory of 4764 | 3008 | e575554.exe | e5756ea.exe (2 identical entries)
PID 3008 wrote to memory of 2760 | 3008 | e575554.exe | RuntimeBroker.exe
PID 3008 wrote to memory of 4700 | 3008 | e575554.exe | RuntimeBroker.exe
PID 4948 wrote to memory of 3632 | 4948 | rundll32.exe | e578a8d.exe (3 identical entries)
PID 4764 wrote to memory of 772 | 4764 | e5756ea.exe | fontdrvhost.exe
PID 4764 wrote to memory of 776 | 4764 | e5756ea.exe | fontdrvhost.exe
PID 4764 wrote to memory of 336 | 4764 | e5756ea.exe | dwm.exe
PID 4764 wrote to memory of 1080 | 4764 | e5756ea.exe | sihost.exe
PID 4764 wrote to memory of 2476 | 4764 | e5756ea.exe | svchost.exe
PID 4764 wrote to memory of 3108 | 4764 | e5756ea.exe | taskhostw.exe
PID 4764 wrote to memory of 3424 | 4764 | e5756ea.exe | Explorer.EXE
PID 4764 wrote to memory of 3568 | 4764 | e5756ea.exe | svchost.exe
PID 4764 wrote to memory of 3776 | 4764 | e5756ea.exe | DllHost.exe
PID 4764 wrote to memory of 3924 | 4764 | e5756ea.exe | StartMenuExperienceHost.exe
System policy modification 1 TTPs 2 IoCs
Processes: e5756ea.exe, e575554.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e5756ea.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e575554.exe
Processes (indented by process tree level; each entry: image path, command line, PID, matched signatures)
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID 772
C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID 776
C:\Windows\system32\dwm.exe  cmd: "dwm.exe"  PID 336
C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID 1080
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID 2476
C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID 3108
C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID 3424
  C:\Windows\system32\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3efa4ca4720c0da820ee6a50438e5010_NeikiAnalytics.dll,#1  PID 1480
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3efa4ca4720c0da820ee6a50438e5010_NeikiAnalytics.dll,#1  PID 4948
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e575554.exe  cmd: C:\Users\Admin\AppData\Local\Temp\e575554.exe  PID 3008
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e5756ea.exe  cmd: C:\Users\Admin\AppData\Local\Temp\e5756ea.exe  PID 4764
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e578a8d.exe  cmd: C:\Users\Admin\AppData\Local\Temp\e578a8d.exe  PID 3632
        - Executes dropped EXE
C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID 3568
C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID 3776
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID 3924
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 3984
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID 4076
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 4168
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 4468
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID 4052
C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca  PID 3784
C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID 1916
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 2760
C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID 4700
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1) / Bypass User Account Control (1)
  Create or Modify System Process (1) / Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1) / Bypass User Account Control (1)
  Impair Defenses (3) / Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

C:\Users\Admin\AppData\Local\Temp\e575554.exe
  Filesize: 97KB
  MD5: 480ab7ea9f490214d7669ae78b81fef4
  SHA1: 5c60425bcb60570e89878f27dcc5e0e712a321e7
  SHA256: 5f7040fe2bc08636fe0cdc0e39ca434023f67231ec0240ca5b65b1531cfa99f2
  SHA512: c034a800d27d1b36ca80dc0b0c0518b3a3ae22260ece6ac276f11cb11f66e9fc531fdba312865be3a24509a5b87a7736eeb3273a25f6af672f931563be77b31f

C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 47bc113843b1ec97e5532eb95bf90cad
  SHA1: b65b9ceb497ecee22d7729658490a6bb6a6da848
  SHA256: 903c7bc650b0340c48721cb5f651b5b430b007a88f921168ae3f94685f9d9761
  SHA512: 60ed0231ae1baed048a96932c47d3df9a5b56828315add845c08df2acaa46c9e83504024f4a3c1eac296650c59f9f7082786af24728857de447a33e81beb132b

Memory dumps (resource | Filesize)
memory/3008-40-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-34-0x00000000006F0000-0x00000000006F2000-memory.dmp | 8KB
memory/3008-9-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-10-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-4-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/3008-18-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-71-0x00000000006F0000-0x00000000006F2000-memory.dmp | 8KB
memory/3008-32-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-28-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-27-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-82-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/3008-67-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-26-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-11-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-62-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-22-0x0000000003FB0000-0x0000000003FB1000-memory.dmp | 4KB
memory/3008-31-0x00000000006F0000-0x00000000006F2000-memory.dmp | 8KB
memory/3008-60-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-36-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-37-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-58-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-39-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-56-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-55-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-38-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-6-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-14-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3008-54-0x0000000000810000-0x00000000018CA000-memory.dmp | 16.7MB
memory/3632-53-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/3632-101-0x00000000001F0000-0x00000000001F1000-memory.dmp | 4KB
memory/3632-120-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/4764-85-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB
memory/4764-99-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB
memory/4764-116-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB
memory/4764-50-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/4764-87-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB
memory/4764-115-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/4764-89-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB
memory/4764-44-0x00000000001F0000-0x00000000001F1000-memory.dmp | 4KB
memory/4764-46-0x00000000001E0000-0x00000000001E2000-memory.dmp | 8KB
memory/4764-83-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB
memory/4764-88-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB
memory/4764-86-0x0000000000B20000-0x0000000001BDA000-memory.dmp | 16.7MB
memory/4948-29-0x0000000000C60000-0x0000000000C61000-memory.dmp | 4KB
memory/4948-19-0x0000000000C50000-0x0000000000C52000-memory.dmp | 8KB
memory/4948-3-0x0000000010000000-0x0000000010020000-memory.dmp | 128KB
memory/4948-48-0x0000000000C50000-0x0000000000C52000-memory.dmp | 8KB
memory/4948-23-0x0000000000C50000-0x0000000000C52000-memory.dmp | 8KB
memory/4948-30-0x0000000000C50000-0x0000000000C52000-memory.dmp | 8KB