Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
10-06-2024 22:17
Behavioral task
behavioral1
Sample
5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe
Resource
win10v2004-20240508-en
General
-
Target
5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe
-
Size
2.5MB
-
MD5
8cd04ae4856d169cae59d16a72b587f5
-
SHA1
3a5e7c94b6d2469ae700a9d58c4c4a4507ea3fd0
-
SHA256
5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969
-
SHA512
df5f41ad7de876a28ebb85f1ebed238c2f888a2e5bb15f8058d7158750c34c4b2d0c229cb7a51f9facbad76af95493d6eff8c18f97a3291cd6d6aae589e9adf3
-
SSDEEP
49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxU:Mxx9NUFkQx753uWuCyyxU
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Detects executables packed with Themida 18 IoCs
Processes:
resource yara_rule behavioral1/memory/1340-0-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida \Windows\Resources\Themes\explorer.exe INDICATOR_EXE_Packed_Themida behavioral1/memory/3064-12-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1340-11-0x0000000003690000-0x0000000003C9E000-memory.dmp INDICATOR_EXE_Packed_Themida C:\Windows\Resources\spoolsv.exe INDICATOR_EXE_Packed_Themida behavioral1/memory/2144-24-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida \Windows\Resources\svchost.exe INDICATOR_EXE_Packed_Themida behavioral1/memory/2764-36-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1340-44-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2832-45-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2832-49-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2144-51-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1340-53-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/3064-54-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2764-56-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/3064-66-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/3064-68-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/3064-74-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
spoolsv.exesvchost.exespoolsv.exe5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exeexplorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exespoolsv.exesvchost.exespoolsv.exeexplorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe -
Executes dropped EXE 4 IoCs
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exepid process 3064 explorer.exe 2144 spoolsv.exe 2764 svchost.exe 2832 spoolsv.exe -
Loads dropped DLL 4 IoCs
Processes:
5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exeexplorer.exespoolsv.exesvchost.exepid process 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 3064 explorer.exe 2144 spoolsv.exe 2764 svchost.exe -
Processes:
resource yara_rule behavioral1/memory/1340-0-0x0000000000400000-0x0000000000A0E000-memory.dmp themida \Windows\Resources\Themes\explorer.exe themida behavioral1/memory/3064-12-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1340-11-0x0000000003690000-0x0000000003C9E000-memory.dmp themida C:\Windows\Resources\spoolsv.exe themida behavioral1/memory/2144-24-0x0000000000400000-0x0000000000A0E000-memory.dmp themida \Windows\Resources\svchost.exe themida behavioral1/memory/2764-36-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1340-44-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2832-45-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2832-49-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2144-51-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1340-53-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/3064-54-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2764-56-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/3064-66-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/3064-68-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/3064-74-0x0000000000400000-0x0000000000A0E000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exe5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe -
Drops file in System32 directory 2 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 3064 explorer.exe 2144 spoolsv.exe 2764 svchost.exe 2832 spoolsv.exe -
Drops file in Windows directory 4 IoCs
Processes:
5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exeexplorer.exespoolsv.exedescription ioc process File opened for modification \??\c:\windows\resources\themes\explorer.exe 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 2540 schtasks.exe 1648 schtasks.exe 576 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exeexplorer.exesvchost.exepid process 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 2764 svchost.exe 3064 explorer.exe 2764 svchost.exe 2764 svchost.exe 3064 explorer.exe 3064 explorer.exe 3064 explorer.exe 2764 svchost.exe 2764 svchost.exe 3064 explorer.exe 3064 explorer.exe 2764 svchost.exe 2764 svchost.exe 3064 explorer.exe 3064 explorer.exe 2764 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 3064 explorer.exe 2764 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe 3064 explorer.exe 3064 explorer.exe 2144 spoolsv.exe 2144 spoolsv.exe 2764 svchost.exe 2764 svchost.exe 2832 spoolsv.exe 2832 spoolsv.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 1340 wrote to memory of 3064 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe explorer.exe PID 1340 wrote to memory of 3064 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe explorer.exe PID 1340 wrote to memory of 3064 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe explorer.exe PID 1340 wrote to memory of 3064 1340 5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe explorer.exe PID 3064 wrote to memory of 2144 3064 explorer.exe spoolsv.exe PID 3064 wrote to memory of 2144 3064 explorer.exe spoolsv.exe PID 3064 wrote to memory of 2144 3064 explorer.exe spoolsv.exe PID 3064 wrote to memory of 2144 3064 explorer.exe spoolsv.exe PID 2144 wrote to memory of 2764 2144 spoolsv.exe svchost.exe PID 2144 wrote to memory of 2764 2144 spoolsv.exe svchost.exe PID 2144 wrote to memory of 2764 2144 spoolsv.exe svchost.exe PID 2144 wrote to memory of 2764 2144 spoolsv.exe svchost.exe PID 2764 wrote to memory of 2832 2764 svchost.exe spoolsv.exe PID 2764 wrote to memory of 2832 2764 svchost.exe spoolsv.exe PID 2764 wrote to memory of 2832 2764 svchost.exe spoolsv.exe PID 2764 wrote to memory of 2832 2764 svchost.exe spoolsv.exe PID 3064 wrote to memory of 2700 3064 explorer.exe Explorer.exe PID 3064 wrote to memory of 2700 3064 explorer.exe Explorer.exe PID 3064 wrote to memory of 2700 3064 explorer.exe Explorer.exe PID 3064 wrote to memory of 2700 3064 explorer.exe Explorer.exe PID 2764 wrote to memory of 2540 2764 svchost.exe schtasks.exe PID 2764 wrote to memory of 2540 2764 svchost.exe schtasks.exe PID 2764 wrote to memory of 2540 2764 svchost.exe schtasks.exe PID 2764 wrote to memory of 2540 2764 svchost.exe schtasks.exe PID 2764 wrote to memory of 1648 2764 svchost.exe schtasks.exe PID 2764 wrote to memory of 1648 2764 svchost.exe schtasks.exe PID 2764 wrote to memory of 1648 2764 svchost.exe schtasks.exe PID 2764 wrote to memory of 1648 2764 svchost.exe schtasks.exe PID 2764 wrote to memory of 576 2764 svchost.exe schtasks.exe PID 2764 wrote to memory of 576 2764 svchost.exe schtasks.exe PID 2764 wrote to memory of 576 2764 svchost.exe schtasks.exe PID 2764 wrote to memory of 576 2764 svchost.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe"C:\Users\Admin\AppData\Local\Temp\5689bff09fb7baab355dd6f7062b00e24050c6234af0d0a159de1a4c2202b969.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2832 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:19 /f5⤵
- Creates scheduled task(s)
PID:2540 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:20 /f5⤵
- Creates scheduled task(s)
PID:1648 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 22:21 /f5⤵
- Creates scheduled task(s)
PID:576 -
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:2700
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Resources\spoolsv.exeFilesize
2.5MB
MD58f4c5125431da56365af82a612ed9059
SHA1e3ecb7c3e55f5fad19e293bbdcf3ad1563dc3955
SHA25681521135ee0212156746a5ab7f9e9ab56bf23cd7efcd808f0e286b81d18aa301
SHA512eec0163d2715079ff2be150269dacee08f1df912ca3dbbdfe014323e9b451519e25f7d8b6c422955625f693bb6595d442e15dbbae53634e583109e11c5d611ce
-
\Windows\Resources\Themes\explorer.exeFilesize
2.5MB
MD597564e26e9c554f6a3a9a9c71adafb99
SHA19d560a6a5b4e6fcfa4e157b2bdd51d3ef47e3a82
SHA2568ddadd59e5b8979484fabd3c4be72c81b35151b3f5fb2b7adf3d6b184ad377c7
SHA5121e55e5dcc0a9f06063e51d0b3933ddbf0c587429c17aa88d2be17cf17c6839bd362d502c538318e80a1f5540faa504883677040f02b6bf223359e24a3337143d
-
\Windows\Resources\svchost.exeFilesize
2.5MB
MD5b2931571958c9af8b32bb6e9285a4d9c
SHA15e9802490c94944ad1b8d7b3c1e6eb3d5df09e1c
SHA256dea7f9dae26687ead751b9288a885aa8826514fe3fcee14ee0fa3fc24132f0f6
SHA512b1b21c2d824eb8db4598f9fd34d998fdfe0c36f0394b3bd658b55af213200114ad2e3f779ecf3cfe609b40afed73e2f729756cc74c4da83c6a9f67b7b42f11a2
-
memory/1340-1-0x0000000077D30000-0x0000000077D32000-memory.dmpFilesize
8KB
-
memory/1340-53-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1340-11-0x0000000003690000-0x0000000003C9E000-memory.dmpFilesize
6.1MB
-
memory/1340-0-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1340-44-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2144-51-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2144-35-0x00000000036D0000-0x0000000003CDE000-memory.dmpFilesize
6.1MB
-
memory/2144-24-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2764-43-0x0000000003440000-0x0000000003A4E000-memory.dmpFilesize
6.1MB
-
memory/2764-36-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2764-56-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2832-45-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/2832-49-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/3064-22-0x00000000037A0000-0x0000000003DAE000-memory.dmpFilesize
6.1MB
-
memory/3064-12-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/3064-54-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/3064-57-0x00000000037A0000-0x0000000003DAE000-memory.dmpFilesize
6.1MB
-
memory/3064-66-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/3064-68-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/3064-74-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB