Analysis
- max time kernel: 90s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220414-en locale:en-us os:windows10-2004-x64 system
- submitted: 16-07-2022 07:58

Static task: static1
Behavioral task: behavioral1
Sample: virussign.dll
Resource: win7-20220414-en
General
- Target: virussign.dll
- Size: 120KB
- MD5: 6366eaad7fbe650aa346862be63f0860
- SHA1: fe6ead8133f20792b21788013770e10843c7dd8f
- SHA256: 2e7df1ce70cea4fbc38cebe86cbb7e3b1ef038c9f69f099406164c0ace977225
- SHA512: 1bf599648126446a581afe3362d36d4358d47ffca16c76ecbe49e20bc09779987f0da4a9c860c658b9a7d96a3705cdb0323df4031560559d14ceb0ebb263cf5b
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

- Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: e56f263.exe, e56e6cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e56f263.exe

- UAC bypass
Processes: e56e6cb.exe, e56f263.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56f263.exe

- Windows security bypass
Processes: e56e6cb.exe, e56f263.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e56f263.exe

- Executes dropped EXE (4 IoCs)
Processes: e56e6cb.exe, e56ef37.exe, e56f225.exe, e56f263.exe
pid | process
2148 | e56e6cb.exe
2224 | e56ef37.exe
1648 | e56f225.exe
3868 | e56f263.exe

resource | yara_rule
behavioral2/memory/2148-135-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2148-149-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/2148-150-0x0000000000800000-0x00000000018BA000-memory.dmp | upx
behavioral2/memory/3868-152-0x0000000000B10000-0x0000000001BCA000-memory.dmp | upx
behavioral2/memory/3868-155-0x0000000000B10000-0x0000000001BCA000-memory.dmp | upx

- Windows security modification
Processes: e56f263.exe, e56e6cb.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e56f263.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e56e6cb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e56f263.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e56e6cb.exe

- Checks whether UAC is enabled
Processes: e56e6cb.exe, e56f263.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56f263.exe

- Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e56e6cb.exe
description | ioc | process
File opened (read-only) | \??\N: | e56e6cb.exe
File opened (read-only) | \??\R: | e56e6cb.exe
File opened (read-only) | \??\F: | e56e6cb.exe
File opened (read-only) | \??\K: | e56e6cb.exe
File opened (read-only) | \??\L: | e56e6cb.exe
File opened (read-only) | \??\O: | e56e6cb.exe
File opened (read-only) | \??\P: | e56e6cb.exe
File opened (read-only) | \??\H: | e56e6cb.exe
File opened (read-only) | \??\J: | e56e6cb.exe
File opened (read-only) | \??\M: | e56e6cb.exe
File opened (read-only) | \??\Q: | e56e6cb.exe
File opened (read-only) | \??\S: | e56e6cb.exe
File opened (read-only) | \??\E: | e56e6cb.exe
File opened (read-only) | \??\G: | e56e6cb.exe
File opened (read-only) | \??\I: | e56e6cb.exe

- Drops file in Program Files directory (3 IoCs)
Processes: e56e6cb.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e56e6cb.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e56e6cb.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e56e6cb.exe

- Drops file in Windows directory (3 IoCs)
Processes: e56e6cb.exe, e56f263.exe
description | ioc | process
File created | C:\Windows\e56edfe | e56e6cb.exe
File opened for modification | C:\Windows\SYSTEM.INI | e56e6cb.exe
File created | C:\Windows\e574035 | e56f263.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e56e6cb.exe, e56f263.exe
pid | process
2148 | e56e6cb.exe
2148 | e56e6cb.exe
2148 | e56e6cb.exe
2148 | e56e6cb.exe
3868 | e56f263.exe
3868 | e56f263.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e56e6cb.exe
description | pid | process
Token: SeDebugPrivilege | 2148 | e56e6cb.exe (this identical row appears 64 times)

- Suspicious use of WriteProcessMemory (64 IoCs)
Processes: rundll32.exe, rundll32.exe, e56e6cb.exe, e56f263.exe
description | pid | process | target process (identical consecutive rows are collapsed, with the count in brackets)
PID 4216 wrote to memory of 2688 | 4216 | rundll32.exe | rundll32.exe (3 entries)
PID 2688 wrote to memory of 2148 | 2688 | rundll32.exe | e56e6cb.exe (3 entries)
PID 2148 wrote to memory of 776 | 2148 | e56e6cb.exe | fontdrvhost.exe
PID 2148 wrote to memory of 784 | 2148 | e56e6cb.exe | fontdrvhost.exe
PID 2148 wrote to memory of 1012 | 2148 | e56e6cb.exe | dwm.exe
PID 2148 wrote to memory of 2332 | 2148 | e56e6cb.exe | sihost.exe
PID 2148 wrote to memory of 2360 | 2148 | e56e6cb.exe | svchost.exe
PID 2148 wrote to memory of 2468 | 2148 | e56e6cb.exe | taskhostw.exe
PID 2148 wrote to memory of 3032 | 2148 | e56e6cb.exe | Explorer.EXE
PID 2148 wrote to memory of 2172 | 2148 | e56e6cb.exe | svchost.exe
PID 2148 wrote to memory of 3252 | 2148 | e56e6cb.exe | DllHost.exe
PID 2148 wrote to memory of 3352 | 2148 | e56e6cb.exe | StartMenuExperienceHost.exe
PID 2148 wrote to memory of 3472 | 2148 | e56e6cb.exe | RuntimeBroker.exe
PID 2148 wrote to memory of 3584 | 2148 | e56e6cb.exe | SearchApp.exe
PID 2148 wrote to memory of 3784 | 2148 | e56e6cb.exe | RuntimeBroker.exe
PID 2148 wrote to memory of 1632 | 2148 | e56e6cb.exe | RuntimeBroker.exe
PID 2148 wrote to memory of 4216 | 2148 | e56e6cb.exe | rundll32.exe
PID 2148 wrote to memory of 2688 | 2148 | e56e6cb.exe | rundll32.exe (2 entries)
PID 2688 wrote to memory of 2224 | 2688 | rundll32.exe | e56ef37.exe (3 entries)
PID 2688 wrote to memory of 1648 | 2688 | rundll32.exe | e56f225.exe (3 entries)
PID 2688 wrote to memory of 3868 | 2688 | rundll32.exe | e56f263.exe (3 entries)
PID 2148 wrote to memory of 776 | 2148 | e56e6cb.exe | fontdrvhost.exe
PID 2148 wrote to memory of 784 | 2148 | e56e6cb.exe | fontdrvhost.exe
PID 2148 wrote to memory of 1012 | 2148 | e56e6cb.exe | dwm.exe
PID 2148 wrote to memory of 2332 | 2148 | e56e6cb.exe | sihost.exe
PID 2148 wrote to memory of 2360 | 2148 | e56e6cb.exe | svchost.exe
PID 2148 wrote to memory of 2468 | 2148 | e56e6cb.exe | taskhostw.exe
PID 2148 wrote to memory of 3032 | 2148 | e56e6cb.exe | Explorer.EXE
PID 2148 wrote to memory of 2172 | 2148 | e56e6cb.exe | svchost.exe
PID 2148 wrote to memory of 3252 | 2148 | e56e6cb.exe | DllHost.exe
PID 2148 wrote to memory of 3352 | 2148 | e56e6cb.exe | StartMenuExperienceHost.exe
PID 2148 wrote to memory of 3472 | 2148 | e56e6cb.exe | RuntimeBroker.exe
PID 2148 wrote to memory of 3584 | 2148 | e56e6cb.exe | SearchApp.exe
PID 2148 wrote to memory of 3784 | 2148 | e56e6cb.exe | RuntimeBroker.exe
PID 2148 wrote to memory of 1632 | 2148 | e56e6cb.exe | RuntimeBroker.exe
PID 2148 wrote to memory of 2224 | 2148 | e56e6cb.exe | e56ef37.exe (2 entries)
PID 2148 wrote to memory of 1648 | 2148 | e56e6cb.exe | e56f225.exe (2 entries)
PID 2148 wrote to memory of 3868 | 2148 | e56e6cb.exe | e56f263.exe (2 entries)
PID 3868 wrote to memory of 776 | 3868 | e56f263.exe | fontdrvhost.exe
PID 3868 wrote to memory of 784 | 3868 | e56f263.exe | fontdrvhost.exe
PID 3868 wrote to memory of 1012 | 3868 | e56f263.exe | dwm.exe
PID 3868 wrote to memory of 2332 | 3868 | e56f263.exe | sihost.exe
PID 3868 wrote to memory of 2360 | 3868 | e56f263.exe | svchost.exe
PID 3868 wrote to memory of 2468 | 3868 | e56f263.exe | taskhostw.exe
PID 3868 wrote to memory of 3032 | 3868 | e56f263.exe | Explorer.EXE
PID 3868 wrote to memory of 2172 | 3868 | e56f263.exe | svchost.exe
PID 3868 wrote to memory of 3252 | 3868 | e56f263.exe | DllHost.exe
PID 3868 wrote to memory of 3352 | 3868 | e56f263.exe | StartMenuExperienceHost.exe
PID 3868 wrote to memory of 3472 | 3868 | e56f263.exe | RuntimeBroker.exe
PID 3868 wrote to memory of 3584 | 3868 | e56f263.exe | SearchApp.exe

- System policy modification (1 TTPs, 2 IoCs)
Processes: e56e6cb.exe, e56f263.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56e6cb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56f263.exe
Processes
Each entry gives the image path followed by the command line in parentheses; indentation shows the parent/child relationship, and the signatures triggered by a process are listed on the line beneath it.
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe")
- C:\Windows\system32\dwm.exe ("dwm.exe")
- C:\Windows\system32\fontdrvhost.exe ("fontdrvhost.exe")
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe ("C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\system32\DllHost.exe (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE)
  - C:\Windows\system32\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\virussign.dll,#1)
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (rundll32.exe C:\Users\Admin\AppData\Local\Temp\virussign.dll,#1)
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\e56e6cb.exe (C:\Users\Admin\AppData\Local\Temp\e56e6cb.exe)
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\AppData\Local\Temp\e56ef37.exe (C:\Users\Admin\AppData\Local\Temp\e56ef37.exe)
        signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e56f225.exe (C:\Users\Admin\AppData\Local\Temp\e56f225.exe)
        signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\e56f263.exe (C:\Users\Admin\AppData\Local\Temp\e56f263.exe)
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\System32\RuntimeBroker.exe (C:\Windows\System32\RuntimeBroker.exe -Embedding)
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe ("C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
- C:\Windows\system32\taskhostw.exe (taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
- C:\Windows\system32\svchost.exe (C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
- C:\Windows\system32\sihost.exe (sihost.exe)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\e56e6cb.exe
  Filesize: 97KB
  MD5: 9b35cecb7a9bc697158583de34fc110a
  SHA1: 2c384746380573acf369cae64f62eda3e9a80710
  SHA256: cff3a2b9361fa5e7c90ef82bf16ff0038579858f83df88e489feb7dd6f0b29bc
  SHA512: b0025491503ddb123339036f47b363f0b22fce080415b759a45056f684f5fe729c70f3ff940ea0ad698d773f213399ac11226acd17de825b6541291ea39b356d
- C:\Users\Admin\AppData\Local\Temp\e56ef37.exe
  Filesize: 97KB
  MD5: 9b35cecb7a9bc697158583de34fc110a
  SHA1: 2c384746380573acf369cae64f62eda3e9a80710
  SHA256: cff3a2b9361fa5e7c90ef82bf16ff0038579858f83df88e489feb7dd6f0b29bc
  SHA512: b0025491503ddb123339036f47b363f0b22fce080415b759a45056f684f5fe729c70f3ff940ea0ad698d773f213399ac11226acd17de825b6541291ea39b356d
- C:\Users\Admin\AppData\Local\Temp\e56f225.exe
  Filesize: 97KB
  MD5: 9b35cecb7a9bc697158583de34fc110a
  SHA1: 2c384746380573acf369cae64f62eda3e9a80710
  SHA256: cff3a2b9361fa5e7c90ef82bf16ff0038579858f83df88e489feb7dd6f0b29bc
  SHA512: b0025491503ddb123339036f47b363f0b22fce080415b759a45056f684f5fe729c70f3ff940ea0ad698d773f213399ac11226acd17de825b6541291ea39b356d
- C:\Users\Admin\AppData\Local\Temp\e56f263.exe
  Filesize: 97KB
  MD5: 9b35cecb7a9bc697158583de34fc110a
  SHA1: 2c384746380573acf369cae64f62eda3e9a80710
  SHA256: cff3a2b9361fa5e7c90ef82bf16ff0038579858f83df88e489feb7dd6f0b29bc
  SHA512: b0025491503ddb123339036f47b363f0b22fce080415b759a45056f684f5fe729c70f3ff940ea0ad698d773f213399ac11226acd17de825b6541291ea39b356d
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 8a921045e224e0ed4253c66bf4d01e28
  SHA1: f3adc98c52d4b167fb4db5f574af97fe9dc2666b
  SHA256: a2dbda506f2c93aacacad3297d6fa858e1c10ce054e02d2d34fb5bc69bb83a22
  SHA512: 27b9f71f366a0188ed8be3af19ec2a6f18a3adce7b582d1b4a1d99b86b3703fd88e37be8d6788c0e7458fc27a2c9378155ff2cc82634eac851efd5f4aa0c2e64
- memory/1648-154-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1648-147-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/1648-141-0x0000000000000000-mapping.dmp
- memory/2148-135-0x0000000000800000-0x00000000018BA000-memory.dmp (Filesize: 16.7MB)
- memory/2148-150-0x0000000000800000-0x00000000018BA000-memory.dmp (Filesize: 16.7MB)
- memory/2148-132-0x0000000000000000-mapping.dmp
- memory/2148-136-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/2148-149-0x0000000000800000-0x00000000018BA000-memory.dmp (Filesize: 16.7MB)
- memory/2224-137-0x0000000000000000-mapping.dmp
- memory/2224-140-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/2224-151-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/2688-130-0x0000000000000000-mapping.dmp
- memory/2688-131-0x0000000010000000-0x0000000010020000-memory.dmp (Filesize: 128KB)
- memory/3868-148-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/3868-152-0x0000000000B10000-0x0000000001BCA000-memory.dmp (Filesize: 16.7MB)
- memory/3868-144-0x0000000000000000-mapping.dmp
- memory/3868-155-0x0000000000B10000-0x0000000001BCA000-memory.dmp (Filesize: 16.7MB)
- memory/3868-156-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)