breakin.exe

  • File Path: C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\breakin.exe
  • Description: Microsoft Breakpoint forcer

Hashes

  • MD5: 723BE264E0CCFD1E4EF1DA8C307AEC7D
  • SHA1: 0523C3721589228EB42DA555D0A31F74F616AF69
  • SHA256: C9566AAEC773FBB5D0DCF12C2AAB85963979DFF085F8A13F03AEE95A5B6C0335
  • SHA384: D107CBFB62B5E218D98A9C299C68DFB1A6AE7CA46BCB976D69B95D5E5202352917686F8F5AD70F74A1A8499640A5E005
  • SHA512: 7C41EBD8D69F9A6BB6D8A46E50973655904913EEDF5F0C04905645DD9AF20271A4BB96C995B42D9FB13CC4DB1684421F10EE079CBA1A77F276911EFF3EF4E000
  • SSDEEP: 384:G3b+fZmLoWBrvfaxaMS0EOWYGNWtwGy2HS4JeRlFTWV:QMZOvfKxS0EXql58A
  • IMP: C77ABE483E27C8CC9A2B2DC69A1EC27E
  • PESHA1: C3565A8E41B91308A8261C26D92807828048F019
  • PE256: 4502F2EA94E5325A26BDDB763B1936954AA9BEAFE8D2F2612BB549FC9B845698

Runtime Data

Usage (stderr):

usage: breakin <pid>

Loaded Modules:

  • C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\breakin.exe
  • C:\Windows\System32\KERNEL32.DLL
  • C:\Windows\System32\KERNELBASE.dll
  • C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002CF6D2CC57CAA65A6D80000000002CF
  • Thumbprint: 1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: breakin.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/c9566aaec773fbb5d0dcf12c2aab85963979dff085f8a13f03aee95a5b6c0335/detection

File Similarity (ssdeep match)

  • C:\Program Files (x86)\Windows Kits\10\Debuggers\arm64\breakin.exe (score: 35)
  • C:\Program Files (x86)\Windows Kits\10\Redist\10.0.19041.0\ucrt\DLLs\arm\api-ms-win-core-errorhandling-l1-1-0.dll (score: 29)

Possible Misuse

The following table contains possible examples of breakin.exe being misused. While breakin.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: malware-ioc
  • Source File: misp-dukes-operation-ghost-event.json
  • Example: "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash-and-grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '"
  • License: © ESET 2014-2018

MIT License. Copyright (c) 2020-2021 Strontic.