Analysis
-
max time kernel
90s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
08-06-2022 23:50
Static task
static1
Behavioral task
behavioral1
Sample
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe
Resource
win7-20220414-en
General
-
Target
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe
-
Size
2.8MB
-
MD5
ad3697357986602530c84cbe13899d6f
-
SHA1
041ed939b5af1e3af4ee2850a6cdbd1ec2a1cea1
-
SHA256
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa
-
SHA512
3db87973635866759cebac374def08a2b09e6b8584f4180b566c2c990611b5e9a1f1d2c33270dd763924aeb205eb87bc6c030820e4380c7926ccce305cfa2570
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe -
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe -
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe -
Executes dropped EXE 1 IoCs
Processes:
SLIPatch.exepid process 3580 SLIPatch.exe -
Processes:
resource yara_rule behavioral2/memory/3220-131-0x0000000002360000-0x00000000033EE000-memory.dmp upx behavioral2/memory/3220-135-0x0000000002360000-0x00000000033EE000-memory.dmp upx behavioral2/memory/3220-141-0x0000000002360000-0x00000000033EE000-memory.dmp upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe -
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe -
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exedescription ioc process File opened (read-only) \??\E: 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe -
Drops file in Windows directory 1 IoCs
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exedescription ioc process File opened for modification C:\Windows\SYSTEM.INI 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exepid process 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exedescription pid process Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Token: SeDebugPrivilege 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exedescription pid process target process PID 3220 wrote to memory of 808 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe fontdrvhost.exe PID 3220 wrote to memory of 816 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe fontdrvhost.exe PID 3220 wrote to memory of 328 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe dwm.exe PID 3220 wrote to memory of 2836 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe sihost.exe PID 3220 wrote to memory of 2924 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe svchost.exe PID 3220 wrote to memory of 3060 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe taskhostw.exe PID 3220 wrote to memory of 3152 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe Explorer.EXE PID 3220 wrote to memory of 3264 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe svchost.exe PID 3220 wrote to memory of 3456 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe DllHost.exe PID 3220 wrote to memory of 3568 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe StartMenuExperienceHost.exe PID 3220 wrote to memory of 3632 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe RuntimeBroker.exe PID 3220 wrote to memory of 3724 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe SearchApp.exe PID 3220 wrote to memory of 3912 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe RuntimeBroker.exe PID 3220 wrote to memory of 4584 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe RuntimeBroker.exe PID 3220 wrote to memory of 3580 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe SLIPatch.exe PID 3220 wrote to memory of 3580 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe SLIPatch.exe PID 3220 wrote to memory of 3580 3220 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe SLIPatch.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:808
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:328
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4584
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3912
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3724
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3632
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3568
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3456
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3264
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3152
-
C:\Users\Admin\AppData\Local\Temp\4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe"C:\Users\Admin\AppData\Local\Temp\4f2e5b014320991363cea0510b1f8f348428a6acaf969a4a6e209c6e628501aa.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3220 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exe"3⤵
- Executes dropped EXE
PID:3580
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3060
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2924
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2836
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:816
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Patch\HalX64.datFilesize
3KB
MD59aa9781d662cb8e0c8c8dab376b883f9
SHA13f1ded73dc780b6593bc0ddf3dc804b9f535236f
SHA256e74e3582fb8450a40000cda5a4ac16c0a6d1ded7b68522b4cea0c3c2bb4aa10f
SHA512153e81c641c1674222cbe0b89d72506da37b341701f971c674443749a57a401d4e99bfa82c5f5a54f8c33bfa7c6a5fc0cad3285b35d2c05574b6fc34421224aa
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Patch\KernelX64.datFilesize
9KB
MD51c115b5abd71048c96ad2945bbfd9c0d
SHA1f850297f80e655113168bd82bfc5bef9f2e02f71
SHA256c0d2a9ba83bf38971ab95feb892de8600b4de7c1cf4f497219a9128178b67400
SHA5120d2c0cf589af50caec0cfa984aa46281b9925b5ca38f360dd49449167a2bfa59b9ceb86b863f7ef086ac2da76cb5940a193663b2c6e1ec683ad28ba6124ca246
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Repository\hal.dllFilesize
16KB
MD56839c0748b5536ed3bbb54dd93218048
SHA17e244d12e95b402b4cd7a46d4348b05d27026c3e
SHA2568d0e4ac3fb5f47ee94be66d38aeafa3d5f0c46b2ad27fea5ad9bcc7c42bb3ed3
SHA512efd67283d483c444e97e902d6b0e72a305cb593823c8c2695f5a5aae8187b433a457faeb22a6873c62a41aacd193c87b1a33b603b961f3584a09aa16cd8b2f67
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Repository\ntoskrnl.exeFilesize
10.3MB
MD5586f24d606361a8ee7f26e31c6f7f0ca
SHA1841d01770132be7ef8187ef53bc4198d0807bf67
SHA25611dce42a13a49f025856414748b03e62db7c955d6894a3c36cb3776aa45be857
SHA5124e0afd3a33eff4bac88f5768603d05707b4511b10197f5c5e5c0b2a8ace7bf9bb9e17addff2a74297a1b39a04fd21c19aecd038836b9eb5513cecd1c2de1f767
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exeFilesize
1.8MB
MD527cd350c5ae9453b62b5be2bf1b6c492
SHA1011495b42b4f94fb4b7e348b1374c499b8fb438c
SHA2566370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063
SHA51261ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SLIPatch.exeFilesize
1.8MB
MD527cd350c5ae9453b62b5be2bf1b6c492
SHA1011495b42b4f94fb4b7e348b1374c499b8fb438c
SHA2566370ed7c9237b5f5c3420903fb87a5556ae78b6f12032ae1e259ad8cbf83a063
SHA51261ef0857ffe23fb52eab1f2cb77db3685756e8d7b12b4e153fd63ceaa85be2c0d285868e2d03dfcb8ebbf6de955e286742ba4e7829c3e71140911c403658e420
-
memory/3220-130-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3220-131-0x0000000002360000-0x00000000033EE000-memory.dmpFilesize
16.6MB
-
memory/3220-135-0x0000000002360000-0x00000000033EE000-memory.dmpFilesize
16.6MB
-
memory/3220-140-0x0000000000400000-0x0000000000432000-memory.dmpFilesize
200KB
-
memory/3220-141-0x0000000002360000-0x00000000033EE000-memory.dmpFilesize
16.6MB
-
memory/3580-132-0x0000000000000000-mapping.dmp