Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
16-06-2024 23:48
Behavioral task
behavioral1
Sample
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe
Resource
win10v2004-20240611-en
General
-
Target
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe
-
Size
2.5MB
-
MD5
38b0a3344a4c27382d09d1d2b2488039
-
SHA1
9884bbeb3e2310f8f17a2d801c63793ee526c8b8
-
SHA256
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd
-
SHA512
937b233dd90600a33de4e1f13ecbbcd30431de5c32445c35da55c4bd9fdba0aadafb9803192114455f3bd74888e9aa885a10dfa3e6b964c15607b10f2331fdf8
-
SSDEEP
49152:gxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxB:gxx9NUFkQx753uWuCyyxB
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" svchost.exe -
Detects executables packed with Themida 19 IoCs
Processes:
resource yara_rule behavioral1/memory/1576-0-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1576-6-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida \Windows\Resources\Themes\explorer.exe INDICATOR_EXE_Packed_Themida behavioral1/memory/1144-12-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1144-20-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1144-17-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida \Windows\Resources\spoolsv.exe INDICATOR_EXE_Packed_Themida behavioral1/memory/2600-26-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2600-35-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida \Windows\Resources\svchost.exe INDICATOR_EXE_Packed_Themida behavioral1/memory/2752-39-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2936-47-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2600-54-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2936-52-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1576-55-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1144-56-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/2752-57-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1144-67-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida behavioral1/memory/1144-75-0x0000000000400000-0x0000000000A0E000-memory.dmp INDICATOR_EXE_Packed_Themida -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exeexplorer.exespoolsv.exesvchost.exespoolsv.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ spoolsv.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exe8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion spoolsv.exe -
Executes dropped EXE 4 IoCs
Processes:
explorer.exespoolsv.exesvchost.exespoolsv.exepid process 1144 explorer.exe 2600 spoolsv.exe 2752 svchost.exe 2936 spoolsv.exe -
Loads dropped DLL 4 IoCs
Processes:
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exeexplorer.exespoolsv.exesvchost.exepid process 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1144 explorer.exe 2600 spoolsv.exe 2752 svchost.exe -
Processes:
resource yara_rule behavioral1/memory/1576-0-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1576-6-0x0000000000400000-0x0000000000A0E000-memory.dmp themida \Windows\Resources\Themes\explorer.exe themida behavioral1/memory/1144-12-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1144-20-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1144-17-0x0000000000400000-0x0000000000A0E000-memory.dmp themida \Windows\Resources\spoolsv.exe themida behavioral1/memory/2600-26-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2600-35-0x0000000000400000-0x0000000000A0E000-memory.dmp themida \Windows\Resources\svchost.exe themida behavioral1/memory/2752-39-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2936-47-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2600-54-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2936-52-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1576-55-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1144-56-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/2752-57-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1144-67-0x0000000000400000-0x0000000000A0E000-memory.dmp themida behavioral1/memory/1144-75-0x0000000000400000-0x0000000000A0E000-memory.dmp themida -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
svchost.exeexplorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" explorer.exe -
Processes:
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exeexplorer.exespoolsv.exesvchost.exespoolsv.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA explorer.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA spoolsv.exe -
Drops file in System32 directory 2 IoCs
Processes:
explorer.exesvchost.exedescription ioc process File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe File opened for modification C:\Windows\SysWOW64\explorer.exe svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1144 explorer.exe 2600 spoolsv.exe 2752 svchost.exe 2936 spoolsv.exe -
Drops file in Windows directory 4 IoCs
Processes:
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exeexplorer.exespoolsv.exedescription ioc process File opened for modification \??\c:\windows\resources\themes\explorer.exe 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe File opened for modification \??\c:\windows\resources\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\resources\svchost.exe spoolsv.exe File opened for modification C:\Windows\Resources\tjud.exe explorer.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exepid process 2160 schtasks.exe 1052 schtasks.exe 2456 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exeexplorer.exesvchost.exepid process 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 2752 svchost.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 1144 explorer.exe 2752 svchost.exe 2752 svchost.exe 1144 explorer.exe 2752 svchost.exe 1144 explorer.exe 2752 svchost.exe 1144 explorer.exe 2752 svchost.exe 1144 explorer.exe 2752 svchost.exe 1144 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exesvchost.exepid process 1144 explorer.exe 2752 svchost.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exeexplorer.exespoolsv.exesvchost.exespoolsv.exepid process 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe 1144 explorer.exe 1144 explorer.exe 2600 spoolsv.exe 2600 spoolsv.exe 2752 svchost.exe 2752 svchost.exe 2936 spoolsv.exe 2936 spoolsv.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exeexplorer.exespoolsv.exesvchost.exedescription pid process target process PID 1576 wrote to memory of 1144 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe explorer.exe PID 1576 wrote to memory of 1144 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe explorer.exe PID 1576 wrote to memory of 1144 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe explorer.exe PID 1576 wrote to memory of 1144 1576 8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe explorer.exe PID 1144 wrote to memory of 2600 1144 explorer.exe spoolsv.exe PID 1144 wrote to memory of 2600 1144 explorer.exe spoolsv.exe PID 1144 wrote to memory of 2600 1144 explorer.exe spoolsv.exe PID 1144 wrote to memory of 2600 1144 explorer.exe spoolsv.exe PID 2600 wrote to memory of 2752 2600 spoolsv.exe svchost.exe PID 2600 wrote to memory of 2752 2600 spoolsv.exe svchost.exe PID 2600 wrote to memory of 2752 2600 spoolsv.exe svchost.exe PID 2600 wrote to memory of 2752 2600 spoolsv.exe svchost.exe PID 2752 wrote to memory of 2936 2752 svchost.exe spoolsv.exe PID 2752 wrote to memory of 2936 2752 svchost.exe spoolsv.exe PID 2752 wrote to memory of 2936 2752 svchost.exe spoolsv.exe PID 2752 wrote to memory of 2936 2752 svchost.exe spoolsv.exe PID 1144 wrote to memory of 2644 1144 explorer.exe Explorer.exe PID 1144 wrote to memory of 2644 1144 explorer.exe Explorer.exe PID 1144 wrote to memory of 2644 1144 explorer.exe Explorer.exe PID 1144 wrote to memory of 2644 1144 explorer.exe Explorer.exe PID 2752 wrote to memory of 2160 2752 svchost.exe schtasks.exe PID 2752 wrote to memory of 2160 2752 svchost.exe schtasks.exe PID 2752 wrote to memory of 2160 2752 svchost.exe schtasks.exe PID 2752 wrote to memory of 2160 2752 svchost.exe schtasks.exe PID 2752 wrote to memory of 1052 2752 svchost.exe schtasks.exe PID 2752 wrote to memory of 1052 2752 svchost.exe schtasks.exe PID 2752 wrote to memory of 1052 2752 svchost.exe schtasks.exe PID 2752 wrote to memory of 1052 2752 svchost.exe schtasks.exe PID 2752 wrote to memory of 2456 2752 svchost.exe schtasks.exe PID 2752 wrote to memory of 2456 2752 svchost.exe schtasks.exe PID 2752 wrote to memory of 2456 2752 svchost.exe schtasks.exe PID 2752 wrote to memory of 2456 2752 svchost.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe"C:\Users\Admin\AppData\Local\Temp\8f13b266dba9ff242106a321be847263bd5b9f8c50109abb02e182b09fb722fd.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe4⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2936 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:50 /f5⤵
- Creates scheduled task(s)
PID:2160 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:51 /f5⤵
- Creates scheduled task(s)
PID:1052 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:52 /f5⤵
- Creates scheduled task(s)
PID:2456 -
C:\Windows\Explorer.exeC:\Windows\Explorer.exe3⤵PID:2644
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5e80641e491fd0882bbfd7baaaf81e249
SHA1a6ba085de48628abdde89886c65988a6cac39f58
SHA2562d8dc214a051c8eacd7bd3879fc177d1a3c2a55cdaa782c1683339bce9919c85
SHA5128d37f1d87c1ad68fe38bf4ba8c3927fc9dbde568300020478a060919783204cb146af85c008a69f3eaaef5150211066b6af090c58cdf56bfb13dc9497f49a166
-
Filesize
2.5MB
MD5a64df44eabb624fd052168842f7d5029
SHA170bf29220126216e2a6d9b424e325a206614c9bc
SHA256850b2e4d049005f92a9e3e31f1a5e39ac51a602868c39b2f5ef1394e592a786e
SHA512b4298bc4a0f53deb16bb08b1c45da6d3a730b9d452630d6f4d9fb32e5df42d3d2faeef0f1d6e406668ac9a864a10edf8c6e30cb12bdd73b1be011b765a15e64d
-
Filesize
2.5MB
MD56e28cc56fc81181c8e36bcb3d952d947
SHA1e6bca1de0464a580cf2662f0f9b0be93a59c2beb
SHA25680c1eadd5a2f1c412f14cb67bfd9244303f728dcd065b5fce6e52a4e53d207ae
SHA512c25b323d1999e062032c25c1adb5a4e18d9283c4f617bc6d9cacb83b848319d4a3b1d6d943cef33ca4f7861ed03cbf0012ce778d0ca4a4a68829e1165c6256e1