Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
10-06-2024 14:08
Behavioral task
behavioral1
Sample
81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe
Resource
win10v2004-20240508-en
General
-
Target
81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe
-
Size
2.7MB
-
MD5
ca9f5b0e85b54f7f3105277f0185de58
-
SHA1
b8cc00043eb4bf6fad0636436980adf04918a930
-
SHA256
81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4
-
SHA512
60bbd25177b8415fd82e28f65bba5145bc50a4726c578f1045676417a88a6cf9a466cf8667ad67780ceb31de438d42b0c6ffd24a4080daff4798f793ab27f734
-
SSDEEP
49152:VtzBOauT0i7ZSQcCG1+bLthSo9/ktjPf4EXzwgb+LquT05j:VtzaT00zcC8ahhSo9sRf44z1/5j
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Detects executables packed with Themida 19 IoCs
Processes:
resource yara_rule behavioral1/memory/1772-0-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida \Windows\Resources\Themes\explorer.exe INDICATOR_EXE_Packed_Themida behavioral1/memory/1772-11-0x0000000003850000-0x0000000003EB0000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2312-12-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida C:\Windows\Resources\spoolsv.exe INDICATOR_EXE_Packed_Themida behavioral1/memory/3028-24-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida \Windows\Resources\svchost.exe INDICATOR_EXE_Packed_Themida behavioral1/memory/2720-36-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1152-45-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1772-44-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/3028-52-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1152-51-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1772-53-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2312-54-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2312-55-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2720-56-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2312-66-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2312-74-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2312-78-0x0000000000400000-0x0000000000A60000-memory.dmp INDICATOR_EXE_Packed_Themida -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exeexplorer.exespoolsv.exesvchost.exespoolsv.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exespoolsv.exeexplorer.exespoolsv.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe -
Executes dropped EXE 4 IoCs
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exepid process 2312 explorer.exe 3028 spoolsv.exe 2720 svchost.exe 1152 spoolsv.exe -
Loads dropped DLL 4 IoCs
Processes:
81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exeexplorer.exespoolsv.exesvchost.exepid process 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 2312 explorer.exe 3028 spoolsv.exe 2720 svchost.exe -
Processes:
resource yara_rule behavioral1/memory/1772-0-0x0000000000400000-0x0000000000A60000-memory.dmp themida \Windows\Resources\Themes\explorer.exe themida behavioral1/memory/1772-11-0x0000000003850000-0x0000000003EB0000-memory.dmp themida behavioral1/memory/2312-12-0x0000000000400000-0x0000000000A60000-memory.dmp themida C:\Windows\Resources\spoolsv.exe themida behavioral1/memory/3028-24-0x0000000000400000-0x0000000000A60000-memory.dmp themida \Windows\Resources\svchost.exe themida behavioral1/memory/2720-36-0x0000000000400000-0x0000000000A60000-memory.dmp themida behavioral1/memory/1152-45-0x0000000000400000-0x0000000000A60000-memory.dmp themida behavioral1/memory/1772-44-0x0000000000400000-0x0000000000A60000-memory.dmp themida behavioral1/memory/3028-52-0x0000000000400000-0x0000000000A60000-memory.dmp themida behavioral1/memory/1152-51-0x0000000000400000-0x0000000000A60000-memory.dmp themida behavioral1/memory/1772-53-0x0000000000400000-0x0000000000A60000-memory.dmp themida behavioral1/memory/2312-54-0x0000000000400000-0x0000000000A60000-memory.dmp themida behavioral1/memory/2312-55-0x0000000000400000-0x0000000000A60000-memory.dmp themida behavioral1/memory/2720-56-0x0000000000400000-0x0000000000A60000-memory.dmp themida behavioral1/memory/2312-66-0x0000000000400000-0x0000000000A60000-memory.dmp themida behavioral1/memory/2312-74-0x0000000000400000-0x0000000000A60000-memory.dmp themida behavioral1/memory/2312-78-0x0000000000400000-0x0000000000A60000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe -
Processes:
spoolsv.exesvchost.exespoolsv.exe81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exeexplorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe -
Drops file in System32 directory 2 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 2312 explorer.exe 3028 spoolsv.exe 2720 svchost.exe 1152 spoolsv.exe -
Drops file in Windows directory 4 IoCs
Processes:
explorer.exespoolsv.exe81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exedescription ioc process File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe File opened for modification \??\c:\windows\resources\themes\explorer.exe 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 2508 schtasks.exe 2424 schtasks.exe 2444 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exeexplorer.exesvchost.exepid process 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2312 explorer.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2720 svchost.exe 2312 explorer.exe 2312 explorer.exe 2720 svchost.exe 2720 svchost.exe 2312 explorer.exe 2312 explorer.exe 2720 svchost.exe 2720 svchost.exe 2312 explorer.exe 2312 explorer.exe 2720 svchost.exe 2720 svchost.exe 2312 explorer.exe 2312 explorer.exe 2720 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
svchost.exeexplorer.exepid process 2720 svchost.exe 2312 explorer.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe 2312 explorer.exe 2312 explorer.exe 3028 spoolsv.exe 3028 spoolsv.exe 2720 svchost.exe 2720 svchost.exe 1152 spoolsv.exe 1152 spoolsv.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 1772 wrote to memory of 2312 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe explorer.exe PID 1772 wrote to memory of 2312 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe explorer.exe PID 1772 wrote to memory of 2312 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe explorer.exe PID 1772 wrote to memory of 2312 1772 81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe explorer.exe PID 2312 wrote to memory of 3028 2312 explorer.exe spoolsv.exe PID 2312 wrote to memory of 3028 2312 explorer.exe spoolsv.exe PID 2312 wrote to memory of 3028 2312 explorer.exe spoolsv.exe PID 2312 wrote to memory of 3028 2312 explorer.exe spoolsv.exe PID 3028 wrote to memory of 2720 3028 spoolsv.exe svchost.exe PID 3028 wrote to memory of 2720 3028 spoolsv.exe svchost.exe PID 3028 wrote to memory of 2720 3028 spoolsv.exe svchost.exe PID 3028 wrote to memory of 2720 3028 spoolsv.exe svchost.exe PID 2720 wrote to memory of 1152 2720 svchost.exe spoolsv.exe PID 2720 wrote to memory of 1152 2720 svchost.exe spoolsv.exe PID 2720 wrote to memory of 1152 2720 svchost.exe spoolsv.exe PID 2720 wrote to memory of 1152 2720 svchost.exe spoolsv.exe PID 2312 wrote to memory of 2544 2312 explorer.exe Explorer.exe PID 2312 wrote to memory of 2544 2312 explorer.exe Explorer.exe PID 2312 wrote to memory of 2544 2312 explorer.exe Explorer.exe PID 2312 wrote to memory of 2544 2312 explorer.exe Explorer.exe PID 2720 wrote to memory of 2508 2720 svchost.exe schtasks.exe PID 2720 wrote to memory of 2508 2720 svchost.exe schtasks.exe PID 2720 wrote to memory of 2508 2720 svchost.exe schtasks.exe PID 2720 wrote to memory of 2508 2720 svchost.exe schtasks.exe PID 2720 wrote to memory of 2424 2720 svchost.exe schtasks.exe PID 2720 wrote to memory of 2424 2720 svchost.exe schtasks.exe PID 2720 wrote to memory of 2424 2720 svchost.exe schtasks.exe PID 2720 wrote to memory of 2424 2720 svchost.exe schtasks.exe PID 2720 wrote to memory of 2444 2720 svchost.exe schtasks.exe PID 2720 wrote to memory of 2444 2720 svchost.exe schtasks.exe PID 2720 wrote to memory of 2444 2720 svchost.exe schtasks.exe PID 2720 wrote to memory of 2444 2720 svchost.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe"C:\Users\Admin\AppData\Local\Temp\81a09f341b601660cb8d3171a03ae7b11367f536ab4174021304bd846483d1c4.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1152 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:11 /f5⤵
- Creates scheduled task(s)
PID:2508 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:12 /f5⤵
- Creates scheduled task(s)
PID:2424 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 14:13 /f5⤵
- Creates scheduled task(s)
PID:2444 -
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:2544
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Resources\spoolsv.exeFilesize
2.7MB
MD5c7f546f26637bf8277fed9e70ab1a01d
SHA16416d15a7efb25c57fa4f9eff16cccf1b9ec3cd1
SHA2561f8ac5304acde9d20a5041bbd381f8fd2231275225f4a5ce99f14c2d0dbc2abd
SHA512d2a6fe7cd13bb0eb282e2b9e6dcd30339d5f64e959d2a73e53a0059e3cf9105c1d78e63bb2b2bfe640ef72c01563a76ff5059857de175095bc31df09019098e8
-
\Windows\Resources\Themes\explorer.exeFilesize
2.7MB
MD59a22c6dc858a891b6b61c7f2f5afd042
SHA18d03f4403e964d16612aab32469b5e86bf60018f
SHA25654a854da1d52e8e58cc1a4b05485f8ec28a9601d863c43f267bbf3c7db4886c7
SHA512aeabb4d72b7c22b07fd612d0c0853000878494e94b3a8eac87e3fd8e8a42acd19923c25bc6f4e9ccc676f123542c8ea704f4bdc592e40d00d230fc0fa29c9fcb
-
\Windows\Resources\svchost.exeFilesize
2.7MB
MD517185a62f70beca2d71068449dffba6a
SHA1ec2912e1e88c944166114405f12b393ade1e37f1
SHA2565a89fb50191bdc8ed99946d8954f3737477f6829b7402882be62c9a7a7c8fa74
SHA512c3de929aa43a7e2309a665c71767e130620448b241f06dcfb2bf67a3fea3c72f4e54ad61cd63e2ad038f35f02bb2b9d7439a478c78845632b9aa08d5ccf2eb2e
-
memory/1152-45-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/1152-51-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/1772-1-0x0000000077890000-0x0000000077892000-memory.dmpFilesize
8KB
-
memory/1772-11-0x0000000003850000-0x0000000003EB0000-memory.dmpFilesize
6.4MB
-
memory/1772-53-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/1772-0-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/1772-44-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/2312-23-0x00000000038D0000-0x0000000003F30000-memory.dmpFilesize
6.4MB
-
memory/2312-57-0x00000000038D0000-0x0000000003F30000-memory.dmpFilesize
6.4MB
-
memory/2312-78-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/2312-74-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/2312-66-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/2312-55-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/2312-12-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/2312-54-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/2720-56-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/2720-43-0x0000000003300000-0x0000000003960000-memory.dmpFilesize
6.4MB
-
memory/2720-36-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/3028-24-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB
-
memory/3028-35-0x0000000003740000-0x0000000003DA0000-memory.dmpFilesize
6.4MB
-
memory/3028-52-0x0000000000400000-0x0000000000A60000-memory.dmpFilesize
6.4MB