Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
18-05-2024 20:33
Static task
static1
Behavioral task
behavioral1
Sample
48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll
Resource
win7-20240508-en
General
-
Target
48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll
-
Size
120KB
-
MD5
48de47b466d13b494716389ed860ec30
-
SHA1
958fd877c96843efaef3e6881eb18f63411a2ae0
-
SHA256
610eb98abec78e784ec1d07aac77af7438ba6c290c1f09d256c3f360e20aed3a
-
SHA512
e8f71e4d21bac9ddd038f5c9e7ea6fcba6f0b8839b203f79763679f57049f2a3fe831d7cb30daa17912bd8c156ee2f5bd3a3bc47d8a2ea7302f87e1ea3870846
-
SSDEEP
3072:3ve1fZjr7BeZ55IsQ+9FMm5RDbXlBeU5:3vsRjr7B8b6a1BeU5
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
Processes:
e577f13.exee574b61.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e577f13.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e574b61.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e574b61.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e574b61.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e577f13.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e577f13.exe -
Processes:
e574b61.exe e577f13.exe description ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577f13.exe -
Processes:
e574b61.exee577f13.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e577f13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e577f13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e577f13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e577f13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e577f13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e577f13.exe -
Executes dropped EXE 3 IoCs
Processes:
e574b61.exe e574dd2.exe e577f13.exe pid process 3336 e574b61.exe 1292 e574dd2.exe 4196 e577f13.exe -
Processes:
resource yara_rule behavioral2/memory/3336-6-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-9-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-11-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-10-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-13-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-29-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-32-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-36-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-19-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-12-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-37-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-38-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-39-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-40-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-41-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-47-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-56-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-58-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-59-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-61-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-62-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-63-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/3336-66-0x0000000000810000-0x00000000018CA000-memory.dmp upx behavioral2/memory/4196-94-0x0000000000740000-0x00000000017FA000-memory.dmp upx 
behavioral2/memory/4196-90-0x0000000000740000-0x00000000017FA000-memory.dmp upx behavioral2/memory/4196-142-0x0000000000740000-0x00000000017FA000-memory.dmp upx -
Processes:
e577f13.exee574b61.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e577f13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e577f13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e577f13.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e577f13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e574b61.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e577f13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e577f13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e577f13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e574b61.exe -
Processes:
e574b61.exe e577f13.exe description ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577f13.exe -
Enumerates connected drives 3 TTPs 12 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
e574b61.exee577f13.exedescription ioc process File opened (read-only) \??\E: e574b61.exe File opened (read-only) \??\G: e574b61.exe File opened (read-only) \??\J: e574b61.exe File opened (read-only) \??\K: e574b61.exe File opened (read-only) \??\E: e577f13.exe File opened (read-only) \??\J: e577f13.exe File opened (read-only) \??\H: e574b61.exe File opened (read-only) \??\I: e574b61.exe File opened (read-only) \??\L: e574b61.exe File opened (read-only) \??\G: e577f13.exe File opened (read-only) \??\H: e577f13.exe File opened (read-only) \??\I: e577f13.exe -
Drops file in Windows directory 3 IoCs
Processes:
e574b61.exe e577f13.exe description ioc process File created C:\Windows\e574bbe e574b61.exe File opened for modification C:\Windows\SYSTEM.INI e574b61.exe File created C:\Windows\e57a681 e577f13.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
e574b61.exe e577f13.exe pid process 3336 e574b61.exe 3336 e574b61.exe 3336 e574b61.exe 3336 e574b61.exe 4196 e577f13.exe 4196 e577f13.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
e574b61.exedescription pid process Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 
e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe Token: SeDebugPrivilege 3336 e574b61.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
rundll32.exerundll32.exee574b61.exee577f13.exedescription pid process target process PID 4036 wrote to memory of 2692 4036 rundll32.exe rundll32.exe PID 4036 wrote to memory of 2692 4036 rundll32.exe rundll32.exe PID 4036 wrote to memory of 2692 4036 rundll32.exe rundll32.exe PID 2692 wrote to memory of 3336 2692 rundll32.exe e574b61.exe PID 2692 wrote to memory of 3336 2692 rundll32.exe e574b61.exe PID 2692 wrote to memory of 3336 2692 rundll32.exe e574b61.exe PID 3336 wrote to memory of 792 3336 e574b61.exe fontdrvhost.exe PID 3336 wrote to memory of 800 3336 e574b61.exe fontdrvhost.exe PID 3336 wrote to memory of 380 3336 e574b61.exe dwm.exe PID 3336 wrote to memory of 3068 3336 e574b61.exe sihost.exe PID 3336 wrote to memory of 1120 3336 e574b61.exe svchost.exe PID 3336 wrote to memory of 3188 3336 e574b61.exe taskhostw.exe PID 3336 wrote to memory of 3504 3336 e574b61.exe Explorer.EXE PID 3336 wrote to memory of 3624 3336 e574b61.exe svchost.exe PID 3336 wrote to memory of 3812 3336 e574b61.exe DllHost.exe PID 3336 wrote to memory of 3904 3336 e574b61.exe StartMenuExperienceHost.exe PID 3336 wrote to memory of 3968 3336 e574b61.exe RuntimeBroker.exe PID 3336 wrote to memory of 4056 3336 e574b61.exe SearchApp.exe PID 3336 wrote to memory of 4128 3336 e574b61.exe RuntimeBroker.exe PID 3336 wrote to memory of 2636 3336 e574b61.exe RuntimeBroker.exe PID 3336 wrote to memory of 4564 3336 e574b61.exe TextInputHost.exe PID 3336 wrote to memory of 3108 3336 e574b61.exe backgroundTaskHost.exe PID 3336 wrote to memory of 4036 3336 e574b61.exe rundll32.exe PID 3336 wrote to memory of 2692 3336 e574b61.exe rundll32.exe PID 3336 wrote to memory of 2692 3336 e574b61.exe rundll32.exe PID 2692 wrote to memory of 1292 2692 rundll32.exe e574dd2.exe PID 2692 wrote to memory of 1292 2692 rundll32.exe e574dd2.exe PID 2692 wrote to memory of 1292 2692 rundll32.exe e574dd2.exe PID 3336 wrote to memory of 792 3336 e574b61.exe fontdrvhost.exe PID 3336 wrote to memory of 800 3336 
e574b61.exe fontdrvhost.exe PID 3336 wrote to memory of 380 3336 e574b61.exe dwm.exe PID 3336 wrote to memory of 3068 3336 e574b61.exe sihost.exe PID 3336 wrote to memory of 1120 3336 e574b61.exe svchost.exe PID 3336 wrote to memory of 3188 3336 e574b61.exe taskhostw.exe PID 3336 wrote to memory of 3504 3336 e574b61.exe Explorer.EXE PID 3336 wrote to memory of 3624 3336 e574b61.exe svchost.exe PID 3336 wrote to memory of 3812 3336 e574b61.exe DllHost.exe PID 3336 wrote to memory of 3904 3336 e574b61.exe StartMenuExperienceHost.exe PID 3336 wrote to memory of 3968 3336 e574b61.exe RuntimeBroker.exe PID 3336 wrote to memory of 4056 3336 e574b61.exe SearchApp.exe PID 3336 wrote to memory of 4128 3336 e574b61.exe RuntimeBroker.exe PID 3336 wrote to memory of 2636 3336 e574b61.exe RuntimeBroker.exe PID 3336 wrote to memory of 4564 3336 e574b61.exe TextInputHost.exe PID 3336 wrote to memory of 3108 3336 e574b61.exe backgroundTaskHost.exe PID 3336 wrote to memory of 4036 3336 e574b61.exe rundll32.exe PID 3336 wrote to memory of 1292 3336 e574b61.exe e574dd2.exe PID 3336 wrote to memory of 1292 3336 e574b61.exe e574dd2.exe PID 2692 wrote to memory of 4196 2692 rundll32.exe e577f13.exe PID 2692 wrote to memory of 4196 2692 rundll32.exe e577f13.exe PID 2692 wrote to memory of 4196 2692 rundll32.exe e577f13.exe PID 4196 wrote to memory of 792 4196 e577f13.exe fontdrvhost.exe PID 4196 wrote to memory of 800 4196 e577f13.exe fontdrvhost.exe PID 4196 wrote to memory of 380 4196 e577f13.exe dwm.exe PID 4196 wrote to memory of 3068 4196 e577f13.exe sihost.exe PID 4196 wrote to memory of 1120 4196 e577f13.exe svchost.exe PID 4196 wrote to memory of 3188 4196 e577f13.exe taskhostw.exe PID 4196 wrote to memory of 3504 4196 e577f13.exe Explorer.EXE PID 4196 wrote to memory of 3624 4196 e577f13.exe svchost.exe PID 4196 wrote to memory of 3812 4196 e577f13.exe DllHost.exe PID 4196 wrote to memory of 3904 4196 e577f13.exe StartMenuExperienceHost.exe PID 4196 wrote to memory of 3968 4196 
e577f13.exe RuntimeBroker.exe PID 4196 wrote to memory of 4056 4196 e577f13.exe SearchApp.exe PID 4196 wrote to memory of 4128 4196 e577f13.exe RuntimeBroker.exe PID 4196 wrote to memory of 2636 4196 e577f13.exe RuntimeBroker.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
e574b61.exe e577f13.exe description ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e574b61.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e577f13.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:800
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:380
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:3068
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:1120
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3188
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3504
-
C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll,#1  2⤵
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\48de47b466d13b494716389ed860ec30_NeikiAnalytics.dll,#1  3⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\e574b61.exe  C:\Users\Admin\AppData\Local\Temp\e574b61.exe  4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3336 -
C:\Users\Admin\AppData\Local\Temp\e574dd2.exe  C:\Users\Admin\AppData\Local\Temp\e574dd2.exe  4⤵
- Executes dropped EXE
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\e577f13.exe  C:\Users\Admin\AppData\Local\Temp\e577f13.exe  4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4196
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3624
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3812
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3904
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3968
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4056
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4128
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2636
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4564
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:3108
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Create or Modify System Process 1
Windows Service 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Impair Defenses 3
Disable or Modify Tools 3
Modify Registry 5
Replay Monitor
Downloads
-
C:\Users\Admin\AppData\Local\Temp\e574b61.exe
Filesize
97KB
MD5 bb23844c21aff9e48c2ae2a11fd325c5
SHA1 972724c994d7e3750f57fa0cb8b93e038aba08e8
SHA256 b384c4b405a31e72385c056e0491f40a1d4daf28cc4b5cb7a9a53f2a5174c9bd
SHA512 d2c77708614cdfd617e041e396d9572a6d9a10e1ac2b21224f03aa6f26a6eedd4fcfc3a39cfb18bdad036996129c3faece741f2fa929d5e4176e3fd414fabac1
-
C:\Windows\SYSTEM.INI
Filesize
257B
MD5 24fed1b3eacb8cf6bb5a7ac78f89878a
SHA1 58361a8a649db859e774a046f466f588ee21f11b
SHA256 12c26363be15fbdbfd5618679fb4e00dec973148061f4d2267a41b3094388868
SHA512 348e477696e1c0321c199982df3e802fc652d9f2f3735e272a1f6f5cde56a6648b1b4534808b1ef743a76d5f7a0fccc717751d4f81a1a637fc4caf18da2a2ad7
-
memory/1292-46-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1292-89-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1292-45-0x00000000001E0000-0x00000000001E2000-memory.dmpFilesize
8KB
-
memory/1292-35-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1292-44-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2692-54-0x00000000047E0000-0x00000000047E2000-memory.dmpFilesize
8KB
-
memory/2692-28-0x00000000047E0000-0x00000000047E2000-memory.dmpFilesize
8KB
-
memory/2692-27-0x0000000004910000-0x0000000004911000-memory.dmpFilesize
4KB
-
memory/2692-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/2692-21-0x00000000047E0000-0x00000000047E2000-memory.dmpFilesize
8KB
-
memory/2692-20-0x00000000047E0000-0x00000000047E2000-memory.dmpFilesize
8KB
-
memory/3336-38-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-66-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-32-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-36-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-31-0x00000000006F0000-0x00000000006F2000-memory.dmpFilesize
8KB
-
memory/3336-19-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-30-0x00000000006F0000-0x00000000006F2000-memory.dmpFilesize
8KB
-
memory/3336-12-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-37-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-13-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-39-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-40-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-41-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-10-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-11-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-25-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/3336-47-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-5-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3336-9-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-56-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-58-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-59-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-61-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-62-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-63-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-29-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/3336-68-0x00000000006F0000-0x00000000006F2000-memory.dmpFilesize
8KB
-
memory/3336-85-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3336-6-0x0000000000810000-0x00000000018CA000-memory.dmpFilesize
16.7MB
-
memory/4196-52-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4196-94-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/4196-90-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/4196-142-0x0000000000740000-0x00000000017FA000-memory.dmpFilesize
16.7MB
-
memory/4196-141-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB