Analysis
max time kernel: 169s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-07-2022 07:58
Static task: static1
Behavioral task: behavioral1
Sample: virussign.dll
Resource: win7-20220414-en
General
Target: virussign.dll
Size: 120KB
MD5: 981c8a2357a000371a465746daf3a340
SHA1: ed2872a3df64db6859d15ec30382156aa203015f
SHA256: 449463aa2edcc35b3f5db7cbae40b09aac5ec12ee65d1c0f89c8628b5bd868e1
SHA512: 434b7c87cbf9b62bdd0f7f942fda10c74ce9c62eb5d64fd3847958749d2ac94670737205212ccfc3f86d018d879916177072bbf03f51170fa9d0bd5209e1bded
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: e56aa4e.exe, e56bcad.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | e56bcad.exe
UAC bypass
Processes: e56bcad.exe, e56aa4e.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56aa4e.exe
Windows security bypass
Processes: e56bcad.exe, e56aa4e.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e56aa4e.exe
Executes dropped EXE (4 IoCs)
Processes: e56aa4e.exe, e56acbf.exe, e56bc6f.exe, e56bcad.exe
pid | process
4248 | e56aa4e.exe
4840 | e56acbf.exe
2596 | e56bc6f.exe
4488 | e56bcad.exe
resource | yara_rule
behavioral2/memory/4248-134-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4248-140-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4248-150-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4248-151-0x0000000000870000-0x000000000192A000-memory.dmp | upx
behavioral2/memory/4488-153-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/4488-155-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
behavioral2/memory/4488-157-0x0000000000B30000-0x0000000001BEA000-memory.dmp | upx
Windows security modification
Processes: e56aa4e.exe, e56bcad.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | e56aa4e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | e56bcad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | e56bcad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | e56bcad.exe
Checks whether UAC is enabled
Processes: e56aa4e.exe, e56bcad.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56bcad.exe
Enumerates connected drives (3 TTPs, 15 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: e56aa4e.exe
description | ioc | process
File opened (read-only) | \??\F: | e56aa4e.exe
File opened (read-only) | \??\J: | e56aa4e.exe
File opened (read-only) | \??\G: | e56aa4e.exe
File opened (read-only) | \??\L: | e56aa4e.exe
File opened (read-only) | \??\Q: | e56aa4e.exe
File opened (read-only) | \??\R: | e56aa4e.exe
File opened (read-only) | \??\O: | e56aa4e.exe
File opened (read-only) | \??\P: | e56aa4e.exe
File opened (read-only) | \??\S: | e56aa4e.exe
File opened (read-only) | \??\E: | e56aa4e.exe
File opened (read-only) | \??\I: | e56aa4e.exe
File opened (read-only) | \??\K: | e56aa4e.exe
File opened (read-only) | \??\M: | e56aa4e.exe
File opened (read-only) | \??\H: | e56aa4e.exe
File opened (read-only) | \??\N: | e56aa4e.exe
Drops file in Program Files directory (3 IoCs)
Processes: e56aa4e.exe
description | ioc | process
File opened for modification | C:\Program Files\7-Zip\7z.exe | e56aa4e.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | e56aa4e.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | e56aa4e.exe
Drops file in Windows directory (3 IoCs)
Processes: e56aa4e.exe, e56bcad.exe
description | ioc | process
File created | C:\Windows\e56ac52 | e56aa4e.exe
File opened for modification | C:\Windows\SYSTEM.INI | e56aa4e.exe
File created | C:\Windows\e56fd60 | e56bcad.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: e56aa4e.exe, e56bcad.exe
pid | process
4248 | e56aa4e.exe
4248 | e56aa4e.exe
4248 | e56aa4e.exe
4248 | e56aa4e.exe
4488 | e56bcad.exe
4488 | e56bcad.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: e56aa4e.exe
description | pid | process
Token: SeDebugPrivilege | 4248 | e56aa4e.exe
(the row above appears 64 times in the report)
Suspicious use of WriteProcessMemory (63 IoCs)
Processes: rundll32.exe, rundll32.exe, e56aa4e.exe, e56bcad.exe
description | pid | process | target process
PID 3020 wrote to memory of 3420 | 3020 | rundll32.exe | rundll32.exe
PID 3020 wrote to memory of 3420 | 3020 | rundll32.exe | rundll32.exe
PID 3020 wrote to memory of 3420 | 3020 | rundll32.exe | rundll32.exe
PID 3420 wrote to memory of 4248 | 3420 | rundll32.exe | e56aa4e.exe
PID 3420 wrote to memory of 4248 | 3420 | rundll32.exe | e56aa4e.exe
PID 3420 wrote to memory of 4248 | 3420 | rundll32.exe | e56aa4e.exe
PID 4248 wrote to memory of 796 | 4248 | e56aa4e.exe | fontdrvhost.exe
PID 4248 wrote to memory of 792 | 4248 | e56aa4e.exe | fontdrvhost.exe
PID 4248 wrote to memory of 372 | 4248 | e56aa4e.exe | dwm.exe
PID 4248 wrote to memory of 2796 | 4248 | e56aa4e.exe | sihost.exe
PID 4248 wrote to memory of 2820 | 4248 | e56aa4e.exe | svchost.exe
PID 4248 wrote to memory of 2868 | 4248 | e56aa4e.exe | taskhostw.exe
PID 4248 wrote to memory of 672 | 4248 | e56aa4e.exe | Explorer.EXE
PID 4248 wrote to memory of 3084 | 4248 | e56aa4e.exe | svchost.exe
PID 4248 wrote to memory of 3272 | 4248 | e56aa4e.exe | DllHost.exe
PID 4248 wrote to memory of 3364 | 4248 | e56aa4e.exe | StartMenuExperienceHost.exe
PID 4248 wrote to memory of 3432 | 4248 | e56aa4e.exe | RuntimeBroker.exe
PID 4248 wrote to memory of 3516 | 4248 | e56aa4e.exe | SearchApp.exe
PID 4248 wrote to memory of 3716 | 4248 | e56aa4e.exe | RuntimeBroker.exe
PID 4248 wrote to memory of 3020 | 4248 | e56aa4e.exe | rundll32.exe
PID 4248 wrote to memory of 3420 | 4248 | e56aa4e.exe | rundll32.exe
PID 4248 wrote to memory of 3420 | 4248 | e56aa4e.exe | rundll32.exe
PID 3420 wrote to memory of 4840 | 3420 | rundll32.exe | e56acbf.exe
PID 3420 wrote to memory of 4840 | 3420 | rundll32.exe | e56acbf.exe
PID 3420 wrote to memory of 4840 | 3420 | rundll32.exe | e56acbf.exe
PID 3420 wrote to memory of 2596 | 3420 | rundll32.exe | e56bc6f.exe
PID 3420 wrote to memory of 2596 | 3420 | rundll32.exe | e56bc6f.exe
PID 3420 wrote to memory of 2596 | 3420 | rundll32.exe | e56bc6f.exe
PID 3420 wrote to memory of 4488 | 3420 | rundll32.exe | e56bcad.exe
PID 3420 wrote to memory of 4488 | 3420 | rundll32.exe | e56bcad.exe
PID 3420 wrote to memory of 4488 | 3420 | rundll32.exe | e56bcad.exe
PID 4248 wrote to memory of 796 | 4248 | e56aa4e.exe | fontdrvhost.exe
PID 4248 wrote to memory of 792 | 4248 | e56aa4e.exe | fontdrvhost.exe
PID 4248 wrote to memory of 372 | 4248 | e56aa4e.exe | dwm.exe
PID 4248 wrote to memory of 2796 | 4248 | e56aa4e.exe | sihost.exe
PID 4248 wrote to memory of 2820 | 4248 | e56aa4e.exe | svchost.exe
PID 4248 wrote to memory of 2868 | 4248 | e56aa4e.exe | taskhostw.exe
PID 4248 wrote to memory of 672 | 4248 | e56aa4e.exe | Explorer.EXE
PID 4248 wrote to memory of 3084 | 4248 | e56aa4e.exe | svchost.exe
PID 4248 wrote to memory of 3272 | 4248 | e56aa4e.exe | DllHost.exe
PID 4248 wrote to memory of 3364 | 4248 | e56aa4e.exe | StartMenuExperienceHost.exe
PID 4248 wrote to memory of 3432 | 4248 | e56aa4e.exe | RuntimeBroker.exe
PID 4248 wrote to memory of 3516 | 4248 | e56aa4e.exe | SearchApp.exe
PID 4248 wrote to memory of 3716 | 4248 | e56aa4e.exe | RuntimeBroker.exe
PID 4248 wrote to memory of 4840 | 4248 | e56aa4e.exe | e56acbf.exe
PID 4248 wrote to memory of 4840 | 4248 | e56aa4e.exe | e56acbf.exe
PID 4248 wrote to memory of 2596 | 4248 | e56aa4e.exe | e56bc6f.exe
PID 4248 wrote to memory of 2596 | 4248 | e56aa4e.exe | e56bc6f.exe
PID 4248 wrote to memory of 4488 | 4248 | e56aa4e.exe | e56bcad.exe
PID 4248 wrote to memory of 4488 | 4248 | e56aa4e.exe | e56bcad.exe
PID 4488 wrote to memory of 796 | 4488 | e56bcad.exe | fontdrvhost.exe
PID 4488 wrote to memory of 792 | 4488 | e56bcad.exe | fontdrvhost.exe
PID 4488 wrote to memory of 372 | 4488 | e56bcad.exe | dwm.exe
PID 4488 wrote to memory of 2796 | 4488 | e56bcad.exe | sihost.exe
PID 4488 wrote to memory of 2820 | 4488 | e56bcad.exe | svchost.exe
PID 4488 wrote to memory of 2868 | 4488 | e56bcad.exe | taskhostw.exe
PID 4488 wrote to memory of 672 | 4488 | e56bcad.exe | Explorer.EXE
PID 4488 wrote to memory of 3084 | 4488 | e56bcad.exe | svchost.exe
PID 4488 wrote to memory of 3272 | 4488 | e56bcad.exe | DllHost.exe
PID 4488 wrote to memory of 3364 | 4488 | e56bcad.exe | StartMenuExperienceHost.exe
PID 4488 wrote to memory of 3432 | 4488 | e56bcad.exe | RuntimeBroker.exe
PID 4488 wrote to memory of 3516 | 4488 | e56bcad.exe | SearchApp.exe
PID 4488 wrote to memory of 3716 | 4488 | e56bcad.exe | RuntimeBroker.exe
System policy modification (1 TTPs, 2 IoCs)
Processes: e56aa4e.exe, e56bcad.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56aa4e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e56bcad.exe
Processes
image | command line (indentation shows depth in the process tree; matched signatures are listed under each process)

C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
C:\Windows\system32\dwm.exe | "dwm.exe"
C:\Windows\system32\sihost.exe | sihost.exe
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\virussign.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\virussign.dll,#1
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\e56aa4e.exe | C:\Users\Admin\AppData\Local\Temp\e56aa4e.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      C:\Users\Admin\AppData\Local\Temp\e56acbf.exe | C:\Users\Admin\AppData\Local\Temp\e56acbf.exe
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\e56bc6f.exe | C:\Users\Admin\AppData\Local\Temp\e56bc6f.exe
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\e56bcad.exe | C:\Users\Admin\AppData\Local\Temp\e56bcad.exe
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\e56aa4e.exe (listed twice in the report)
  Filesize: 97KB
  MD5: 3a00289a3ffdf63aa62b52e411ffd3a5
  SHA1: 6722ba636ab432bd8597fdd2f61599bd97c65aa5
  SHA256: 6fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
  SHA512: bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516

C:\Users\Admin\AppData\Local\Temp\e56acbf.exe (listed twice in the report)
  Filesize: 97KB
  MD5: 3a00289a3ffdf63aa62b52e411ffd3a5
  SHA1: 6722ba636ab432bd8597fdd2f61599bd97c65aa5
  SHA256: 6fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
  SHA512: bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516

C:\Users\Admin\AppData\Local\Temp\e56bc6f.exe (listed twice in the report)
  Filesize: 97KB
  MD5: 3a00289a3ffdf63aa62b52e411ffd3a5
  SHA1: 6722ba636ab432bd8597fdd2f61599bd97c65aa5
  SHA256: 6fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
  SHA512: bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516

C:\Users\Admin\AppData\Local\Temp\e56bcad.exe (listed twice in the report)
  Filesize: 97KB
  MD5: 3a00289a3ffdf63aa62b52e411ffd3a5
  SHA1: 6722ba636ab432bd8597fdd2f61599bd97c65aa5
  SHA256: 6fc0a47ae77064fb7d210db67785ad1d26802e5280622cf5fd21febfe92cc75f
  SHA512: bd729500e4d0ae732294c784b047f3849b899ff14ed089a97954b9a970dba2d2d4ba2aaa5e4c7c36f9bec229f61dc5c28cd36b81adfb9fdbe24b99d486a1f516

C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: 85ff53bf1f747fb725edbb131911db7b
  SHA1: ebce920ab9016cbeb9a6cf7aac6d1e7e74168750
  SHA256: 0867adc713ac9ffa0a1c90606592c6034929dd00c0872beb6fb59b525af94d39
  SHA512: c32cc95223049bc84f0ee9f13a93d254524c6da4336ac70cf8318bc55f224f1150db1e3dca068375ffb6209aa5a4aad3012469c7097fdfb2bbd130123eead5f0
resource | Filesize
memory/2596-156-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/2596-148-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/2596-142-0x0000000000000000-mapping.dmp |
memory/3420-130-0x0000000000000000-mapping.dmp |
memory/3420-138-0x0000000010000000-0x0000000010020000-memory.dmp | 128KB
memory/4248-151-0x0000000000870000-0x000000000192A000-memory.dmp | 16.7MB
memory/4248-139-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/4248-131-0x0000000000000000-mapping.dmp |
memory/4248-134-0x0000000000870000-0x000000000192A000-memory.dmp | 16.7MB
memory/4248-140-0x0000000000870000-0x000000000192A000-memory.dmp | 16.7MB
memory/4248-150-0x0000000000870000-0x000000000192A000-memory.dmp | 16.7MB
memory/4488-149-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/4488-153-0x0000000000B30000-0x0000000001BEA000-memory.dmp | 16.7MB
memory/4488-145-0x0000000000000000-mapping.dmp |
memory/4488-155-0x0000000000B30000-0x0000000001BEA000-memory.dmp | 16.7MB
memory/4488-157-0x0000000000B30000-0x0000000001BEA000-memory.dmp | 16.7MB
memory/4488-158-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/4840-135-0x0000000000000000-mapping.dmp |
memory/4840-152-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/4840-141-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB