Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 09:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9460c20d9335ed636acadbb4f07f67b2082af6248027758dee0720022dd7b17f_NeikiAnalytics.dll
- Resource: win7-20240419-en
General
- Target: 9460c20d9335ed636acadbb4f07f67b2082af6248027758dee0720022dd7b17f_NeikiAnalytics.dll
- Size: 120KB
- MD5: 476a6bbf4d9465f3c2fdfe0d52b51480
- SHA1: 3aeca15e298d759372523d9c0d9f0e8d073c7d67
- SHA256: 9460c20d9335ed636acadbb4f07f67b2082af6248027758dee0720022dd7b17f
- SHA512: de74bbca03b47d6c682935884b5f3945aac2446845ef882f07fe4b622468197f56e15ac24df358ae0f699c896060c2862c969e88865b6e66df464cbf1a05dbec
- SSDEEP: 3072:oVZ190+IOH2g33Ov/6yZrza2UZHn6DiX478nY/aIC:0ZxVW0OayZrza2yHDX473SIC
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
Processes: e57465f.exe, e576244.exe
- e57465f.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- e57465f.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- e57465f.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
- e576244.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- e576244.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
- e576244.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
UAC bypass 2 IoCs
Processes: e57465f.exe, e576244.exe
- e57465f.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e576244.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass 12 IoCs
Processes: e576244.exe, e57465f.exe
All values are Set value (int) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
- e57465f.exe: AntiVirusOverride = "1", FirewallDisableNotify = "1", FirewallOverride = "1", AntiVirusDisableNotify = "1", UpdatesDisableNotify = "1", UacDisableNotify = "1"
- e576244.exe: UpdatesDisableNotify = "1", FirewallOverride = "1", AntiVirusDisableNotify = "1", FirewallDisableNotify = "1", UacDisableNotify = "1", AntiVirusOverride = "1"
Executes dropped EXE 4 IoCs
Processes: e57465f.exe, e574798.exe, e576225.exe, e576244.exe
- PID 1232 e57465f.exe
- PID 4088 e574798.exe
- PID 528 e576225.exe
- PID 4216 e576244.exe
Yara rule match: upx
Processes: memory dumps of PID 1232 (e57465f.exe) and PID 4216 (e576244.exe) matched the yara rule upx (the per-dump list of memory.dmp paths is not reproduced).
Windows security modification 14 IoCs
Processes: e576244.exe, e57465f.exe
All values are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center:
- e576244.exe: Set value (int) FirewallDisableNotify = "1", UpdatesDisableNotify = "1", UacDisableNotify = "1", AntiVirusOverride = "1", FirewallOverride = "1", AntiVirusDisableNotify = "1"; Key created ...\Security Center\Svc
- e57465f.exe: Set value (int) FirewallDisableNotify = "1", AntiVirusOverride = "1", FirewallOverride = "1", AntiVirusDisableNotify = "1", UpdatesDisableNotify = "1", UacDisableNotify = "1"; Key created ...\Security Center\Svc
Checks whether UAC is enabled 2 IoCs
Processes: e57465f.exe, e576244.exe
- e57465f.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e576244.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e57465f.exe
- e57465f.exe: File opened (read-only) \??\N:, \??\G:, \??\Q:, \??\S:, \??\E:, \??\J:, \??\L:, \??\O:, \??\R:, \??\H:, \??\I:, \??\K:, \??\M:, \??\P:
Drops file in Program Files directory 4 IoCs
Processes: e57465f.exe
- e57465f.exe: File opened for modification C:\Program Files\7-Zip\7z.exe
- e57465f.exe: File opened for modification C:\Program Files\7-Zip\7zFM.exe
- e57465f.exe: File opened for modification C:\Program Files\7-Zip\7zG.exe
- e57465f.exe: File opened for modification C:\Program Files\7-Zip\Uninstall.exe
Drops file in Windows directory 3 IoCs
Processes: e57465f.exe, e576244.exe
- e57465f.exe: File created C:\Windows\e5746ae
- e57465f.exe: File opened for modification C:\Windows\SYSTEM.INI
- e576244.exe: File created C:\Windows\e57b0b2
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: e57465f.exe
- PID 1232 e57465f.exe (4 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: e57465f.exe
- Token: SeDebugPrivilege, PID 1232 e57465f.exe (64 identical entries)
Suspicious use of WriteProcessMemory 54 IoCs
Processes: rundll32.exe, rundll32.exe, e57465f.exe
Each entry reads "source PID/process wrote to memory of target PID/process"; the number in parentheses is how many identical entries the report lists.
- 4872 rundll32.exe -> 2604 rundll32.exe (3)
- 2604 rundll32.exe -> 1232 e57465f.exe (3)
- 1232 e57465f.exe -> 792 fontdrvhost.exe (2), 800 fontdrvhost.exe (2), 340 dwm.exe (2), 2616 sihost.exe (2), 2640 svchost.exe (2), 2740 taskhostw.exe (2), 3532 Explorer.EXE (2), 3640 svchost.exe (2), 3824 DllHost.exe (2), 3912 StartMenuExperienceHost.exe (2), 3976 RuntimeBroker.exe (2), 4060 SearchApp.exe (2), 4144 RuntimeBroker.exe (2), 3920 TextInputHost.exe (2), 2976 RuntimeBroker.exe (2)
- 1232 e57465f.exe -> 4872 rundll32.exe (1), 2604 rundll32.exe (2)
- 2604 rundll32.exe -> 4088 e574798.exe (3), 528 e576225.exe (3), 4216 e576244.exe (3)
- 1232 e57465f.exe -> 4088 e574798.exe (2), 528 e576225.exe (2), 4216 e576244.exe (2)
System policy modification 1 TTPs 2 IoCs
Processes: e57465f.exe, e576244.exe
- e57465f.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- e576244.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
Indentation follows the nesting depth recorded in the report (depth in brackets); each entry gives the image path, its command line and the signatures the report attributes to that process.

- [1] C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- [1] C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- [1] C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
- [1] C:\Windows\system32\sihost.exe
  command line: sihost.exe
- [1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- [1] C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - [2] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9460c20d9335ed636acadbb4f07f67b2082af6248027758dee0720022dd7b17f_NeikiAnalytics.dll,#1
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9460c20d9335ed636acadbb4f07f67b2082af6248027758dee0720022dd7b17f_NeikiAnalytics.dll,#1
      signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\e57465f.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e57465f.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - [4] C:\Users\Admin\AppData\Local\Temp\e574798.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e574798.exe
        signatures: Executes dropped EXE
      - [4] C:\Users\Admin\AppData\Local\Temp\e576225.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e576225.exe
        signatures: Executes dropped EXE
      - [4] C:\Users\Admin\AppData\Local\Temp\e576244.exe
        command line: C:\Users\Admin\AppData\Local\Temp\e576244.exe
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; System policy modification
- [1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- [1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- [1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- [1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- [1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Privilege Escalation
  - Create or Modify System Process (1): Windows Service (1)
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Defense Evasion
  - Modify Registry (5)
  - Impair Defenses (4): Disable or Modify Tools (3), Disable or Modify System Firewall (1)
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\e57465f.exe
  Filesize: 97KB
  MD5: 307254b37ae8773f73d99cd7088f4e67
  SHA1: 9e68a38997844955f633a4911989e8c78230dc23
  SHA256: 9f7abe051385dccd85630c219bea138746e1967a50bc16a105e5aa86796cef49
  SHA512: aad426f9011e74d4a2d075eb9059fde1510dbccec570228569d5a87e0427be0174cb6a5f96cc0f0334b3162fa3d2cfdd2ef27951ec1250a9ab89983f59fd85bc
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 8c18b5b17485801de12611566d62c05b
  SHA1: 6657cb459264984ccadc6f5eb30c391f1d661130
  SHA256: e85ea080080dbb64423a99284b0cf23b086f4165522aa41d50f84bc447637210
  SHA512: 5ddf2402fa78e26dfa79c15e703a53e2675e6ba88b123bcdfa5ca98451b70260d88db2b678576efe72a8c020c4537e43d7247e98c5d19f1af175c02ad524a519