Analysis

max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-06-2024 03:34
Behavioral task: behavioral1
  Sample: bf3f5123a1a71b1f9f235cbc325d1c70.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bf3f5123a1a71b1f9f235cbc325d1c70.exe
  Resource: win10v2004-20240426-en
General

Target: bf3f5123a1a71b1f9f235cbc325d1c70.exe
Size: 2.6MB
MD5: bf3f5123a1a71b1f9f235cbc325d1c70
SHA1: 4eb19a43f14f689f1ee05836022918c8f175d057
SHA256: 4a8f10759984f27edaed60d418d231f564c406817b6398f462daa3deb8a05867
SHA512: 36031872fbc6774cc15b7d66a3f9dc5fb27a5fd5a8d3fff0fa0d282cac26ddf425c76c9e2c3f5204266c5419e435cf6727a9770764e55381561c35764acd5083
SSDEEP: 49152:8xmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyx0:8xx9NUFkQx753uWuCyyx0
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: svchost.exe, explorer.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
Processes: bf3f5123a1a71b1f9f235cbc325d1c70.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | bf3f5123a1a71b1f9f235cbc325d1c70.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | icsys.icn.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe, bf3f5123a1a71b1f9f235cbc325d1c70.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | icsys.icn.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bf3f5123a1a71b1f9f235cbc325d1c70.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | bf3f5123a1a71b1f9f235cbc325d1c70.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | icsys.icn.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Executes dropped EXE (6 IoCs)
Processes: bf3f5123a1a71b1f9f235cbc325d1c70.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  2728 | bf3f5123a1a71b1f9f235cbc325d1c70.exe
  2600 | icsys.icn.exe
  2880 | explorer.exe
  1676 | spoolsv.exe
  828 | svchost.exe
  2360 | spoolsv.exe
Loads dropped DLL (6 IoCs)
Processes: bf3f5123a1a71b1f9f235cbc325d1c70.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
  pid | process
  2400 | bf3f5123a1a71b1f9f235cbc325d1c70.exe
  2400 | bf3f5123a1a71b1f9f235cbc325d1c70.exe
  2600 | icsys.icn.exe
  2880 | explorer.exe
  1676 | spoolsv.exe
  828 | svchost.exe
Processes (YARA rule matches):
  resource | yara_rule
  behavioral1/memory/2400-0-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  \Windows\Resources\Themes\icsys.icn.exe | themida
  behavioral1/memory/2600-18-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/2400-16-0x0000000003460000-0x0000000003A6E000-memory.dmp | themida
  C:\Windows\Resources\Themes\explorer.exe | themida
  behavioral1/memory/2880-31-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  \Windows\Resources\spoolsv.exe | themida
  behavioral1/memory/2880-42-0x0000000003770000-0x0000000003D7E000-memory.dmp | themida
  behavioral1/memory/1676-45-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/2400-44-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  \Windows\Resources\svchost.exe | themida
  behavioral1/memory/2600-67-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/2360-68-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/828-58-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/2360-74-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/1676-75-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/2600-77-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/2400-79-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/2880-80-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/828-82-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/2880-93-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/2880-99-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
  behavioral1/memory/2880-103-0x0000000000400000-0x0000000000A0E000-memory.dmp | themida
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Checks whether UAC is enabled (6 IoCs)
Processes: spoolsv.exe, bf3f5123a1a71b1f9f235cbc325d1c70.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bf3f5123a1a71b1f9f235cbc325d1c70.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | icsys.icn.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
Drops file in System32 directory (2 IoCs)
Processes: explorer.exe, svchost.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
Processes: bf3f5123a1a71b1f9f235cbc325d1c70.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process
  2400 | bf3f5123a1a71b1f9f235cbc325d1c70.exe
  2600 | icsys.icn.exe
  2880 | explorer.exe
  1676 | spoolsv.exe
  828 | svchost.exe
  2360 | spoolsv.exe
Drops file in Windows directory (5 IoCs)
Processes: bf3f5123a1a71b1f9f235cbc325d1c70.exe, icsys.icn.exe, explorer.exe, spoolsv.exe
  description | ioc | process
  File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | bf3f5123a1a71b1f9f235cbc325d1c70.exe
  File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
  File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
  File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
  pid | process
  2152 | schtasks.exe
  600 | schtasks.exe
  1584 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: bf3f5123a1a71b1f9f235cbc325d1c70.exe, bf3f5123a1a71b1f9f235cbc325d1c70.exe, icsys.icn.exe, explorer.exe, svchost.exe
  pid | process | entries
  2400 | bf3f5123a1a71b1f9f235cbc325d1c70.exe | 16
  2728 | bf3f5123a1a71b1f9f235cbc325d1c70.exe | 2
  2600 | icsys.icn.exe | 17
  2880 | explorer.exe | 16
  828 | svchost.exe | 13
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes: explorer.exe, svchost.exe
  pid | process
  2880 | explorer.exe
  828 | svchost.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: bf3f5123a1a71b1f9f235cbc325d1c70.exe
  description | pid | process
  Token: SeDebugPrivilege | 2728 | bf3f5123a1a71b1f9f235cbc325d1c70.exe
Suspicious use of SetWindowsHookEx (12 IoCs)
Processes: bf3f5123a1a71b1f9f235cbc325d1c70.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
  pid | process | entries
  2400 | bf3f5123a1a71b1f9f235cbc325d1c70.exe | 2
  2600 | icsys.icn.exe | 2
  2880 | explorer.exe | 2
  1676 | spoolsv.exe | 2
  828 | svchost.exe | 2
  2360 | spoolsv.exe | 2
Suspicious use of WriteProcessMemory (40 IoCs)
Processes: bf3f5123a1a71b1f9f235cbc325d1c70.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
Each source/target pair below is recorded four times in the report, giving 40 entries in total.
  description | pid | process | target process
  PID 2400 wrote to memory of 2728 | 2400 | bf3f5123a1a71b1f9f235cbc325d1c70.exe | bf3f5123a1a71b1f9f235cbc325d1c70.exe
  PID 2400 wrote to memory of 2600 | 2400 | bf3f5123a1a71b1f9f235cbc325d1c70.exe | icsys.icn.exe
  PID 2600 wrote to memory of 2880 | 2600 | icsys.icn.exe | explorer.exe
  PID 2880 wrote to memory of 1676 | 2880 | explorer.exe | spoolsv.exe
  PID 1676 wrote to memory of 828 | 1676 | spoolsv.exe | svchost.exe
  PID 828 wrote to memory of 2360 | 828 | svchost.exe | spoolsv.exe
  PID 2880 wrote to memory of 2508 | 2880 | explorer.exe | Explorer.exe
  PID 828 wrote to memory of 2152 | 828 | svchost.exe | schtasks.exe
  PID 828 wrote to memory of 600 | 828 | svchost.exe | schtasks.exe
  PID 828 wrote to memory of 1584 | 828 | svchost.exe | schtasks.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe"
  PID: 2400
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: \??\c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe
    Command line: c:\users\admin\appdata\local\temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe
    PID: 2728
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\Resources\Themes\icsys.icn.exe
    Command line: C:\Windows\Resources\Themes\icsys.icn.exe
    PID: 2600
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: \??\c:\windows\resources\themes\explorer.exe
      Command line: c:\windows\resources\themes\explorer.exe
      PID: 2880
      - Modifies visibility of hidden/system files in Explorer
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Level 4: \??\c:\windows\resources\spoolsv.exe
        Command line: c:\windows\resources\spoolsv.exe SE
        PID: 1676
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        Level 5: \??\c:\windows\resources\svchost.exe
          Command line: c:\windows\resources\svchost.exe
          PID: 828
          - Modifies visibility of hidden/system files in Explorer
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          Level 6: \??\c:\windows\resources\spoolsv.exe
            Command line: c:\windows\resources\spoolsv.exe PR
            PID: 2360
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetWindowsHookEx

          Level 6: C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:36 /f
            PID: 2152
            - Creates scheduled task(s)

          Level 6: C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:37 /f
            PID: 600
            - Creates scheduled task(s)

          Level 6: C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:38 /f
            PID: 1584
            - Creates scheduled task(s)

      Level 4: C:\Windows\Explorer.exe
        Command line: C:\Windows\Explorer.exe
        PID: 2508
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (1)
Downloads

C:\Windows\Resources\Themes\explorer.exe
  Filesize: 2.5MB
  MD5: 705efc00603c0b4c57116e1fdc70fab6
  SHA1: 67bd0bc8670654e113c5a825d613ce6c070d00ae
  SHA256: 62427ce925cb97c01d49ef8280e817dbd4b52dd5144f0885b4116acd66a87b31
  SHA512: 5ca0ff74062b1229eb5eb42106d1f8941dfbb238f5630970917fb549867b970daf5c1a0f4394e22e583062d113b2e87eaa2aad9d671b97a8fa78e02ee988c7ec

\Users\Admin\AppData\Local\Temp\bf3f5123a1a71b1f9f235cbc325d1c70.exe
  Filesize: 13KB
  MD5: 6557bd5240397f026e675afb78544a26
  SHA1: 839e683bf68703d373b6eac246f19386bb181713
  SHA256: a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
  SHA512: f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

\Windows\Resources\Themes\icsys.icn.exe
  Filesize: 2.5MB
  MD5: 95f9ad7a3c0d5efccb69d1f73865e9bb
  SHA1: 5f37f0bab11636ac69178f6d55be82215db722fa
  SHA256: 27ec9335413985ca8abdc8552096b95e73eb784e773eeda5b577db864871d99a
  SHA512: 709ba17de1626e596c965e4a0b1144d68e4423df7fc55e5011a74be74117f0a6a7ec29ef25ad696ad39b8fa94887a2d13036139f78c58dee116bab0b46a94f25

\Windows\Resources\spoolsv.exe
  Filesize: 2.5MB
  MD5: 2fd70a0bc1d41536fcc6f7bf12531cf3
  SHA1: c95817624252bd2e20f6cfe17285b8d99d2c3f06
  SHA256: a1d41716a93e973d77b8573ec01d01667f39e534c9e642352193f0816840754d
  SHA512: 688651e715bf82773a8b2585c81bb44650555470528956135e3615ba788f0e210090c233c78f3dabc42f2b2330cd8cc94761b2eb59534a53b1a0729f7161888f

\Windows\Resources\svchost.exe
  Filesize: 2.5MB
  MD5: 1da8c5cdddcf2d054da6af08a74328cd
  SHA1: b1bf290ade68657d7c415c5cbc761a595a84158b
  SHA256: d7e1235a89af8f642758ccea38d8fbf53301f8f1b2107810613e178455b047b3
  SHA512: c56f21aa8f2a0a331868af38741cf90d352a240a228fab5105aea366e619f5b4aca668f969fd48bffb8dc9a4511c5774471b514469096388a06aa9a732f85f31

memory/828-58-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/828-82-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/828-65-0x0000000003390000-0x000000000399E000-memory.dmp
  Filesize: 6.1MB

memory/1676-45-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/1676-75-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/1676-56-0x0000000003600000-0x0000000003C0E000-memory.dmp
  Filesize: 6.1MB

memory/2360-74-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2360-68-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2400-79-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2400-1-0x0000000077170000-0x0000000077172000-memory.dmp
  Filesize: 8KB

memory/2400-16-0x0000000003460000-0x0000000003A6E000-memory.dmp
  Filesize: 6.1MB

memory/2400-44-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2400-0-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2400-57-0x0000000003460000-0x0000000003A6E000-memory.dmp
  Filesize: 6.1MB

memory/2600-77-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2600-29-0x0000000003760000-0x0000000003D6E000-memory.dmp
  Filesize: 6.1MB

memory/2600-67-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2600-18-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2728-17-0x0000000073E7E000-0x0000000073E7F000-memory.dmp
  Filesize: 4KB

memory/2728-32-0x0000000004910000-0x0000000004950000-memory.dmp
  Filesize: 256KB

memory/2728-19-0x0000000000D90000-0x0000000000D9A000-memory.dmp
  Filesize: 40KB

memory/2728-64-0x0000000073E7E000-0x0000000073E7F000-memory.dmp
  Filesize: 4KB

memory/2880-31-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2880-42-0x0000000003770000-0x0000000003D7E000-memory.dmp
  Filesize: 6.1MB

memory/2880-80-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2880-93-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2880-99-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB

memory/2880-103-0x0000000000400000-0x0000000000A0E000-memory.dmp
  Filesize: 6.1MB