Analysis

max time kernel: 148s
max time network: 111s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 17:08

Static task: static1
Behavioral task: behavioral1
Sample: fc765bcc82fe5404cb1eb1c77fca01d0_NeikiAnalytics.dll
Resource: win7-20240221-en
General

Target: fc765bcc82fe5404cb1eb1c77fca01d0_NeikiAnalytics.dll
Size: 120KB
MD5: fc765bcc82fe5404cb1eb1c77fca01d0
SHA1: 4787adb9df31db9e232123c113e53928a1dd078b
SHA256: 4fd169508e018f6421c4ac11d8a3f79ea819557b54e9016ce69d38eb403b5a7c
SHA512: 6bce75e9ea53a0cfcce59f378ce1caa1d9968b6f7eba22f7a7149091025fce99253e5a0b99b3d52672bdf11756a2d215bddc8462224dc24f4208bf3d1300e280
SSDEEP: 3072:6E0PdUU2aGsd/xBAJ7c8ZC2l/VJe/Lag2vnESz4wX4:sSUcsdAiWC2lq/LagqDz4U4
Malware Config

Extracted
Family: sality
URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: e574b03.exe, e574c2c.exe
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  e574b03.exe

UAC bypass (2 IoCs)
Processes: e574b03.exe, e574c2c.exe
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e574c2c.exe

Windows security bypass (12 IoCs)
Processes: e574b03.exe, e574c2c.exe
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e574c2c.exe

Executes dropped EXE (3 IoCs)
Processes: e574b03.exe, e574c2c.exe, e57739a.exe
pid  process
3336  e574b03.exe
4532  e574c2c.exe
876  e57739a.exe

UPX packed file (yara rule upx, 26 IoCs)
resource  yara_rule
behavioral2/memory/3336-6-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-10-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-26-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-14-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-29-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-36-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-11-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-18-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-9-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-8-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-31-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-37-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-38-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-39-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-40-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-41-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-60-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-62-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-63-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-65-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-66-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-67-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-70-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-72-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/3336-83-0x00000000008C0000-0x000000000197A000-memory.dmp  upx
behavioral2/memory/4532-100-0x0000000000B30000-0x0000000001BEA000-memory.dmp  upx

Windows security modification (14 IoCs)
Processes: e574b03.exe, e574c2c.exe
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  e574b03.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  e574c2c.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  e574c2c.exe

Checks whether UAC is enabled (2 IoCs)
Processes: e574c2c.exe, e574b03.exe
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e574c2c.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e574b03.exe

Enumerates connected drives (3 TTPs, 9 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e574b03.exe
description  ioc  process
File opened (read-only)  \??\J:  e574b03.exe
File opened (read-only)  \??\K:  e574b03.exe
File opened (read-only)  \??\G:  e574b03.exe
File opened (read-only)  \??\H:  e574b03.exe
File opened (read-only)  \??\I:  e574b03.exe
File opened (read-only)  \??\N:  e574b03.exe
File opened (read-only)  \??\E:  e574b03.exe
File opened (read-only)  \??\L:  e574b03.exe
File opened (read-only)  \??\M:  e574b03.exe

Drops file in Program Files directory (3 IoCs)
Processes: e574b03.exe
description  ioc  process
File opened for modification  C:\Program Files\7-Zip\7z.exe  e574b03.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe  e574b03.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe  e574b03.exe

Drops file in Windows directory (3 IoCs)
Processes: e574c2c.exe, e574b03.exe
description  ioc  process
File created  C:\Windows\e579bc3  e574c2c.exe
File created  C:\Windows\e574b51  e574b03.exe
File opened for modification  C:\Windows\SYSTEM.INI  e574b03.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: e574b03.exe
pid  process
3336  e574b03.exe  (4 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e574b03.exe
description  pid  process
Token: SeDebugPrivilege  3336  e574b03.exe  (64 identical entries)

Suspicious use of WriteProcessMemory (55 IoCs)
Processes: rundll32.exe, rundll32.exe, e574b03.exe
description  pid  process  target process
PID 4140 wrote to memory of 3516  4140  rundll32.exe  rundll32.exe
PID 4140 wrote to memory of 3516  4140  rundll32.exe  rundll32.exe
PID 4140 wrote to memory of 3516  4140  rundll32.exe  rundll32.exe
PID 3516 wrote to memory of 3336  3516  rundll32.exe  e574b03.exe
PID 3516 wrote to memory of 3336  3516  rundll32.exe  e574b03.exe
PID 3516 wrote to memory of 3336  3516  rundll32.exe  e574b03.exe
PID 3336 wrote to memory of 792  3336  e574b03.exe  fontdrvhost.exe
PID 3336 wrote to memory of 800  3336  e574b03.exe  fontdrvhost.exe
PID 3336 wrote to memory of 64  3336  e574b03.exe  dwm.exe
PID 3336 wrote to memory of 2472  3336  e574b03.exe  sihost.exe
PID 3336 wrote to memory of 2488  3336  e574b03.exe  svchost.exe
PID 3336 wrote to memory of 2604  3336  e574b03.exe  taskhostw.exe
PID 3336 wrote to memory of 3484  3336  e574b03.exe  Explorer.EXE
PID 3336 wrote to memory of 3636  3336  e574b03.exe  svchost.exe
PID 3336 wrote to memory of 3844  3336  e574b03.exe  DllHost.exe
PID 3336 wrote to memory of 3972  3336  e574b03.exe  StartMenuExperienceHost.exe
PID 3336 wrote to memory of 4040  3336  e574b03.exe  RuntimeBroker.exe
PID 3336 wrote to memory of 668  3336  e574b03.exe  SearchApp.exe
PID 3336 wrote to memory of 4104  3336  e574b03.exe  RuntimeBroker.exe
PID 3336 wrote to memory of 2744  3336  e574b03.exe  RuntimeBroker.exe
PID 3336 wrote to memory of 4312  3336  e574b03.exe  TextInputHost.exe
PID 3336 wrote to memory of 4352  3336  e574b03.exe  backgroundTaskHost.exe
PID 3336 wrote to memory of 3316  3336  e574b03.exe  backgroundTaskHost.exe
PID 3336 wrote to memory of 4140  3336  e574b03.exe  rundll32.exe
PID 3336 wrote to memory of 3516  3336  e574b03.exe  rundll32.exe
PID 3336 wrote to memory of 3516  3336  e574b03.exe  rundll32.exe
PID 3516 wrote to memory of 4532  3516  rundll32.exe  e574c2c.exe
PID 3516 wrote to memory of 4532  3516  rundll32.exe  e574c2c.exe
PID 3516 wrote to memory of 4532  3516  rundll32.exe  e574c2c.exe
PID 3516 wrote to memory of 876  3516  rundll32.exe  e57739a.exe
PID 3516 wrote to memory of 876  3516  rundll32.exe  e57739a.exe
PID 3516 wrote to memory of 876  3516  rundll32.exe  e57739a.exe
PID 3336 wrote to memory of 792  3336  e574b03.exe  fontdrvhost.exe
PID 3336 wrote to memory of 800  3336  e574b03.exe  fontdrvhost.exe
PID 3336 wrote to memory of 64  3336  e574b03.exe  dwm.exe
PID 3336 wrote to memory of 2472  3336  e574b03.exe  sihost.exe
PID 3336 wrote to memory of 2488  3336  e574b03.exe  svchost.exe
PID 3336 wrote to memory of 2604  3336  e574b03.exe  taskhostw.exe
PID 3336 wrote to memory of 3484  3336  e574b03.exe  Explorer.EXE
PID 3336 wrote to memory of 3636  3336  e574b03.exe  svchost.exe
PID 3336 wrote to memory of 3844  3336  e574b03.exe  DllHost.exe
PID 3336 wrote to memory of 3972  3336  e574b03.exe  StartMenuExperienceHost.exe
PID 3336 wrote to memory of 4040  3336  e574b03.exe  RuntimeBroker.exe
PID 3336 wrote to memory of 668  3336  e574b03.exe  SearchApp.exe
PID 3336 wrote to memory of 4104  3336  e574b03.exe  RuntimeBroker.exe
PID 3336 wrote to memory of 2744  3336  e574b03.exe  RuntimeBroker.exe
PID 3336 wrote to memory of 4312  3336  e574b03.exe  TextInputHost.exe
PID 3336 wrote to memory of 4352  3336  e574b03.exe  backgroundTaskHost.exe
PID 3336 wrote to memory of 3316  3336  e574b03.exe  backgroundTaskHost.exe
PID 3336 wrote to memory of 4532  3336  e574b03.exe  e574c2c.exe
PID 3336 wrote to memory of 4532  3336  e574b03.exe  e574c2c.exe
PID 3336 wrote to memory of 1180  3336  e574b03.exe  RuntimeBroker.exe
PID 3336 wrote to memory of 3312  3336  e574b03.exe  RuntimeBroker.exe
PID 3336 wrote to memory of 876  3336  e574b03.exe  e57739a.exe
PID 3336 wrote to memory of 876  3336  e574b03.exe  e57739a.exe
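The WriteProcessMemory rows carry more than a flat count of 55 shows. The three identical rundll32 rows at the top are a 64-bit host setting up its 32-bit child, the dropper e574b03.exe (PID 3336) then writes into essentially every process in the user session, and it also writes back into both rundll32 hosts that launched it. The script below is an added example and not the sandbox's own process-tree logic: it parses a constructed subset of those rows (same PIDs and image names, same order), derives a parent tree from the first writer of each PID, keeps write-back and second-injector edges separately so nothing is lost, and flags any source with a wide injection fan-out. The fan-out threshold and the tree rule are the author's choices.

```python
"""Rebuild the injection chain from a sandbox report's WriteProcessMemory rows.

Added example, not part of the report: the rows below are a constructed subset
of its "Suspicious use of WriteProcessMemory" IoCs; the parser, the tree rule
and the fan-out check are the author's, not the sandbox's.
"""
import re
from collections import defaultdict

# Constructed sample input (subset of the report rows, report order).
# Columns: "description  pid  process  target process".
REPORT_ROWS = """
PID 4140 wrote to memory of 3516 4140 rundll32.exe rundll32.exe
PID 4140 wrote to memory of 3516 4140 rundll32.exe rundll32.exe
PID 4140 wrote to memory of 3516 4140 rundll32.exe rundll32.exe
PID 3516 wrote to memory of 3336 3516 rundll32.exe e574b03.exe
PID 3336 wrote to memory of 792 3336 e574b03.exe fontdrvhost.exe
PID 3336 wrote to memory of 64 3336 e574b03.exe dwm.exe
PID 3336 wrote to memory of 2472 3336 e574b03.exe sihost.exe
PID 3336 wrote to memory of 2488 3336 e574b03.exe svchost.exe
PID 3336 wrote to memory of 2604 3336 e574b03.exe taskhostw.exe
PID 3336 wrote to memory of 3484 3336 e574b03.exe Explorer.EXE
PID 3336 wrote to memory of 3636 3336 e574b03.exe svchost.exe
PID 3336 wrote to memory of 4040 3336 e574b03.exe RuntimeBroker.exe
PID 3336 wrote to memory of 4140 3336 e574b03.exe rundll32.exe
PID 3336 wrote to memory of 3516 3336 e574b03.exe rundll32.exe
PID 3516 wrote to memory of 4532 3516 rundll32.exe e574c2c.exe
PID 3516 wrote to memory of 876 3516 rundll32.exe e57739a.exe
PID 3336 wrote to memory of 4532 3336 e574b03.exe e574c2c.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<pid>\d+) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)


def parse_rows(text):
    """(src_pid, src_name, dst_pid, dst_name) tuples in report order.

    A row whose description PID disagrees with its pid column is malformed
    and is dropped rather than trusted.
    """
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m and m["src"] == m["pid"]:
            events.append((int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"]))
    return events


def build_tree(events):
    """Parent links from the first writer of each target PID.

    The first process to write into a PID becomes its parent, unless that PID
    already acted as a writer (a write back into an ancestor, as the dropper
    does into the rundll32 hosts) or already has a parent (a second injector
    on the same target). Those go into `extra` instead of the tree.
    Returns (roots, children, names, extra).
    """
    parent, names, extra = {}, {}, []
    children = defaultdict(list)
    writers = set()
    for src, src_name, dst, dst_name in events:
        names[src], names[dst] = src_name, dst_name
        writers.add(src)
        if parent.get(dst) == src:
            continue                      # repeated row for an edge already placed
        if dst in parent or dst in writers:
            if (src, dst) not in extra:
                extra.append((src, dst))  # write-back or second injector
            continue
        parent[dst] = src
        children[src].append(dst)
    roots = {pid for pid in names if pid not in parent}
    return roots, children, names, extra


def fan_out(events):
    """Distinct (pid, name) targets written to, per source PID."""
    targets = defaultdict(set)
    for src, _, dst, dst_name in events:
        targets[src].add((dst, dst_name))
    return targets


def flag_injectors(events, threshold=5):
    """Sources that wrote into at least `threshold` distinct processes.

    A parent writing into its one child (rundll32 4140 -> 3516) stays under
    the threshold; an infector spraying the whole session does not.
    """
    names = {src: name for src, name, _, _ in events}
    hits = [(src, names[src], len(t)) for src, t in fan_out(events).items() if len(t) >= threshold]
    return sorted(hits, key=lambda h: -h[2])


def render(roots, children, names, extra):
    """Indented text tree followed by the non-tree edges, as one string."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    for src, dst in extra:
        lines.append(f"extra: {src} {names[src]} -> {dst} {names[dst]}")
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_rows(REPORT_ROWS)
    print(render(*build_tree(evts)))
    for pid, name, n in flag_injectors(evts):
        print(f"wide fan-out: {pid} {name} wrote into {n} distinct processes")
```

Run against the full 55-row table the tree comes out as rundll32 (4140) -> rundll32 (3516) -> {e574b03.exe, e574c2c.exe, e57739a.exe}, with e574b03.exe hanging every system process under itself; the write-backs into 4140 and 3516 and the second writes into 4532 and 876 show up as extra edges rather than being folded into a misleading parent chain.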
System policy modification (1 TTPs, 2 IoCs)
Processes: e574b03.exe, e574c2c.exe
description  ioc  process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e574b03.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  e574c2c.exe
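For a responder the registry writes above are the actionable part of this report: both dropped executables switch off the standard-profile firewall, set EnableLUA to 0, and set every Security Center Override / DisableNotify value to 1, so the host stops monitoring and stops complaining. The script below is an added example and not part of the sandbox output. It parses rows in the report's own "description ioc process" layout (the input is a constructed subset, one row per distinct key), normalises the NT-native key paths into the HKLM form a host check queries, classifies the known security-weakening values and emits the `reg query` to confirm each one on a suspect machine. The classification table and the ATT&CK sub-technique mapping are the author's, not the sandbox's.

```python
"""Turn a sandbox report's registry IoCs into a defence-impairment checklist.

Added example, not part of the report: the IoC rows are copied from its
Signatures section (one per distinct key); the parser, the key normalisation,
the classification table and the ATT&CK mapping are the author's.
"""
import re
from collections import defaultdict

# Constructed sample input: one report row per distinct registry key.
REPORT_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" e574b03.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" e574b03.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" e574c2c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" e574b03.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" e574b03.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" e574b03.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" e574c2c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" e574c2c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" e574c2c.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" e574c2c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc e574b03.exe
"""

# Report row layout: <description> <key>[ = "<value>"] <process>.
ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created)\s+'
    r'(?P<key>\\REGISTRY\\.+?)(?: = "(?P<value>[^"]*)")?\s+(?P<proc>\S+)$'
)

FW = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
SC = r"HKLM\SOFTWARE\Microsoft\Security Center"
UAC = "T1548.002 Bypass User Account Control"
TOOLS = "T1562.001 Disable or Modify Tools"
FIREWALL = "T1562.004 Disable or Modify System Firewall"

# (normalised key, value) -> (effect on the host, ATT&CK sub-technique). Author's table.
WEAKENING = {
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"): ("UAC disabled", UAC),
    (FW + r"\EnableFirewall", "0"): ("Windows Firewall off for the standard profile", FIREWALL),
    (FW + r"\DoNotAllowExceptions", "0"): ("firewall exceptions permitted", FIREWALL),
    (FW + r"\DisableNotifications", "1"): ("firewall block notifications suppressed", FIREWALL),
    (SC + r"\AntiVirusOverride", "1"): ("Security Center stops monitoring antivirus state", TOOLS),
    (SC + r"\FirewallOverride", "1"): ("Security Center stops monitoring firewall state", TOOLS),
    (SC + r"\AntiVirusDisableNotify", "1"): ("antivirus alerts suppressed", TOOLS),
    (SC + r"\FirewallDisableNotify", "1"): ("firewall alerts suppressed", TOOLS),
    (SC + r"\UpdatesDisableNotify", "1"): ("Windows Update alerts suppressed", TOOLS),
    (SC + r"\UacDisableNotify", "1"): ("UAC alerts suppressed", TOOLS),
}


def normalize_key(key):
    r"""Map an NT-native path to the form a host check queries.

    \REGISTRY\MACHINE becomes HKLM, ControlSetNNN becomes CurrentControlSet
    (the symlink a running system exposes) and the WOW6432Node redirection
    node is dropped so one IoC matches the 32- and 64-bit view of the key.
    """
    if key.startswith("\\REGISTRY\\MACHINE\\"):
        key = "HKLM\\" + key[len("\\REGISTRY\\MACHINE\\"):]
    key = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", key)
    return key.replace("\\WOW6432Node\\", "\\")


def parse_ioc(line):
    """One report row -> dict, or None if the row does not match the layout."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return {"op": m["op"], "key": normalize_key(m["key"]),
            "value": m["value"], "process": m["proc"]}


def triage(text):
    """Per writing process: known weakening changes, and everything else."""
    out = defaultdict(lambda: {"weakening": [], "other": []})
    for line in text.strip().splitlines():
        rec = parse_ioc(line)
        if rec is None:
            continue
        hit = WEAKENING.get((rec["key"], rec["value"]))
        if hit:
            out[rec["process"]]["weakening"].append((rec["key"], rec["value"]) + hit)
        else:
            out[rec["process"]]["other"].append((rec["op"], rec["key"], rec["value"]))
    return dict(out)


def reg_query(key):
    """The `reg query` a responder runs to confirm one value on a live host."""
    path, _, name = key.rpartition("\\")
    return f'reg query "{path}" /v {name}'


if __name__ == "__main__":
    for proc, found in triage(REPORT_IOCS).items():
        print(proc)
        for key, value, effect, technique in found["weakening"]:
            print(f"  {effect} [{technique}] value={value}\n    {reg_query(key)}")
        for op, key, _ in found["other"]:
            print(f"  unclassified: {op} {key}")
```

The Security Center\Svc key creation deliberately falls through to "unclassified": the report records it, but its effect is not something this table should assert, so it is surfaced for a human rather than silently dropped or over-labelled.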
Processes
(bracketed number = depth in the process tree; the line under each path is its command line)

[1] C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
[1] C:\Windows\system32\fontdrvhost.exe
    "fontdrvhost.exe"
[1] C:\Windows\system32\dwm.exe
    "dwm.exe"
[1] C:\Windows\system32\sihost.exe
    sihost.exe
[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
[1] C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
[1] C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
  [2] C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc765bcc82fe5404cb1eb1c77fca01d0_NeikiAnalytics.dll,#1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc765bcc82fe5404cb1eb1c77fca01d0_NeikiAnalytics.dll,#1
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\e574b03.exe
          C:\Users\Admin\AppData\Local\Temp\e574b03.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Enumerates connected drives
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
      [4] C:\Users\Admin\AppData\Local\Temp\e574c2c.exe
          C:\Users\Admin\AppData\Local\Temp\e574c2c.exe
          - Modifies firewall policy service
          - UAC bypass
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Drops file in Windows directory
          - System policy modification
      [4] C:\Users\Admin\AppData\Local\Temp\e57739a.exe
          C:\Users\Admin\AppData\Local\Temp\e57739a.exe
          - Executes dropped EXE
[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
[1] C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
[1] C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
[1] C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
[1] C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
Network

MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Modify Registry (5)
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
Downloads

C:\Users\Admin\AppData\Local\Temp\e574b03.exe
  Filesize: 97KB
  MD5: e4e54105dd80c3f84e5a0d50201954b0
  SHA1: a940f826814323765dd86a9459e974859c01f8f8
  SHA256: c31913e3c23b975f337db7625809f9a3dc8f41eb6878824bca93bc93e269dbe2
  SHA512: 45074831e5cd25c7025855f1dc9d06225fc8a9cba47d4d06697696b213e435d3b43e67ad11ab05aeac8c8f42a3397437d82f54494cc9758ce618653669eb9e0b

C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: bac39904398cc2eff026d2730d8356e9
  SHA1: 3cca4826681aee8417a71bb0a791affe33f32a4e
  SHA256: e475b0bd8c2b0093132d22e562bbb1b1d59138e31740219b647c7128f14f4b05
  SHA512: 90854680d7a0d037ab20bb99494d29e9f173bfc72da520dd47931bd8ab4f67be8fa35775eaaaeb94b6b779c54b45d83dc50d70a4fdab64a78d038a92954d54e5

Memory dumps (resource  filesize)
memory/876-104-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/876-58-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/876-56-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/876-54-0x00000000001F0000-0x00000000001F1000-memory.dmp  4KB
memory/876-47-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/3336-40-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-14-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-5-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/3336-36-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-30-0x00000000006B0000-0x00000000006B2000-memory.dmp  8KB
memory/3336-11-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-22-0x0000000003C30000-0x0000000003C31000-memory.dmp  4KB
memory/3336-6-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-93-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/3336-83-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-18-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-9-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-8-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-31-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-37-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-38-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-39-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-33-0x00000000006B0000-0x00000000006B2000-memory.dmp  8KB
memory/3336-41-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-82-0x00000000006B0000-0x00000000006B2000-memory.dmp  8KB
memory/3336-29-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-72-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-26-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-70-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-67-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-66-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-65-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-10-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-60-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-62-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3336-63-0x00000000008C0000-0x000000000197A000-memory.dmp  16.7MB
memory/3516-27-0x0000000000D50000-0x0000000000D52000-memory.dmp  8KB
memory/3516-28-0x0000000000D60000-0x0000000000D61000-memory.dmp  4KB
memory/3516-23-0x0000000000D50000-0x0000000000D52000-memory.dmp  8KB
memory/3516-19-0x0000000000D50000-0x0000000000D52000-memory.dmp  8KB
memory/3516-1-0x0000000010000000-0x0000000010020000-memory.dmp  128KB
memory/3516-48-0x0000000000D50000-0x0000000000D52000-memory.dmp  8KB
memory/4532-34-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/4532-57-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/4532-55-0x00000000001E0000-0x00000000001E2000-memory.dmp  8KB
memory/4532-100-0x0000000000B30000-0x0000000001BEA000-memory.dmp  16.7MB
memory/4532-99-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
memory/4532-52-0x00000000001F0000-0x00000000001F1000-memory.dmp  4KB
memory/4532-105-0x0000000000B30000-0x0000000001BEA000-memory.dmp  16.7MB