a767e51969687a33b48b2b54a808bbf3e243b76b1a786f15d51555d9a511792b

Resubmissions

08/08/2024, 15:31

240808-sygclsygpa 10

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpooferVMax.exe
Size

901KB
MD5

9d27cf68e91591f7d309804d6acbfd2c
SHA1

17a3925299986736ac36d52d8c64a0b62cefd8ca
SHA256

a767e51969687a33b48b2b54a808bbf3e243b76b1a786f15d51555d9a511792b
SHA512

64db332202fe3dae971a8012747e971289fbcf43a2aafdb48fd584a6c7a2036a36d1cf4760456bbdacb3ac0a670daceb0d8fe146af7c55ca95967d132e6e6811
SSDEEP

12288:PFUNDa9TqgN1VtmVejrZIsjHIzx7XGjmkFg8vjlqacc7ONg+dJgy:PFOa9e6BtNI2HuxCmkFgojcaYO+ky

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2620	spoofervmax.exe
2824	icsys.icn.exe
2516	explorer.exe
2008	spoolsv.exe
2760	svchost.exe
1272	spoolsv.exe

Loads dropped DLL 7 IoCs

pid	Process
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2808	Process not Found
2824	icsys.icn.exe
2516	explorer.exe
2008	spoolsv.exe
2760	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

pid	Process
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe
2620	spoofervmax.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	SpooferVMax.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpooferVMax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2276	schtasks.exe
2204	schtasks.exe
884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2516	explorer.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe
2760	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2516	explorer.exe
2760	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2536	WMIC.exe
Token: SeSecurityPrivilege	2536	WMIC.exe
Token: SeTakeOwnershipPrivilege	2536	WMIC.exe
Token: SeLoadDriverPrivilege	2536	WMIC.exe
Token: SeSystemProfilePrivilege	2536	WMIC.exe
Token: SeSystemtimePrivilege	2536	WMIC.exe
Token: SeProfSingleProcessPrivilege	2536	WMIC.exe
Token: SeIncBasePriorityPrivilege	2536	WMIC.exe
Token: SeCreatePagefilePrivilege	2536	WMIC.exe
Token: SeBackupPrivilege	2536	WMIC.exe
Token: SeRestorePrivilege	2536	WMIC.exe
Token: SeShutdownPrivilege	2536	WMIC.exe
Token: SeDebugPrivilege	2536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2536	WMIC.exe
Token: SeRemoteShutdownPrivilege	2536	WMIC.exe
Token: SeUndockPrivilege	2536	WMIC.exe
Token: SeManageVolumePrivilege	2536	WMIC.exe
Token: 33	2536	WMIC.exe
Token: 34	2536	WMIC.exe
Token: 35	2536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2536	WMIC.exe
Token: SeSecurityPrivilege	2536	WMIC.exe
Token: SeTakeOwnershipPrivilege	2536	WMIC.exe
Token: SeLoadDriverPrivilege	2536	WMIC.exe
Token: SeSystemProfilePrivilege	2536	WMIC.exe
Token: SeSystemtimePrivilege	2536	WMIC.exe
Token: SeProfSingleProcessPrivilege	2536	WMIC.exe
Token: SeIncBasePriorityPrivilege	2536	WMIC.exe
Token: SeCreatePagefilePrivilege	2536	WMIC.exe
Token: SeBackupPrivilege	2536	WMIC.exe
Token: SeRestorePrivilege	2536	WMIC.exe
Token: SeShutdownPrivilege	2536	WMIC.exe
Token: SeDebugPrivilege	2536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2536	WMIC.exe
Token: SeRemoteShutdownPrivilege	2536	WMIC.exe
Token: SeUndockPrivilege	2536	WMIC.exe
Token: SeManageVolumePrivilege	2536	WMIC.exe
Token: 33	2536	WMIC.exe
Token: 34	2536	WMIC.exe
Token: 35	2536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2772	WMIC.exe
Token: SeSecurityPrivilege	2772	WMIC.exe
Token: SeTakeOwnershipPrivilege	2772	WMIC.exe
Token: SeLoadDriverPrivilege	2772	WMIC.exe
Token: SeSystemProfilePrivilege	2772	WMIC.exe
Token: SeSystemtimePrivilege	2772	WMIC.exe
Token: SeProfSingleProcessPrivilege	2772	WMIC.exe
Token: SeIncBasePriorityPrivilege	2772	WMIC.exe
Token: SeCreatePagefilePrivilege	2772	WMIC.exe
Token: SeBackupPrivilege	2772	WMIC.exe
Token: SeRestorePrivilege	2772	WMIC.exe
Token: SeShutdownPrivilege	2772	WMIC.exe
Token: SeDebugPrivilege	2772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2772	WMIC.exe
Token: SeRemoteShutdownPrivilege	2772	WMIC.exe
Token: SeUndockPrivilege	2772	WMIC.exe
Token: SeManageVolumePrivilege	2772	WMIC.exe
Token: 33	2772	WMIC.exe
Token: 34	2772	WMIC.exe
Token: 35	2772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2772	WMIC.exe
Token: SeSecurityPrivilege	2772	WMIC.exe
Token: SeTakeOwnershipPrivilege	2772	WMIC.exe
Token: SeLoadDriverPrivilege	2772	WMIC.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2852	SpooferVMax.exe
2852	SpooferVMax.exe
2824	icsys.icn.exe
2824	icsys.icn.exe
2516	explorer.exe
2516	explorer.exe
2008	spoolsv.exe
2008	spoolsv.exe
2760	svchost.exe
2760	svchost.exe
1272	spoolsv.exe
1272	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2620	2852	SpooferVMax.exe	30
PID 2852 wrote to memory of 2620	2852	SpooferVMax.exe	30
PID 2852 wrote to memory of 2620	2852	SpooferVMax.exe	30
PID 2852 wrote to memory of 2620	2852	SpooferVMax.exe	30
PID 2852 wrote to memory of 2824	2852	SpooferVMax.exe	32
PID 2852 wrote to memory of 2824	2852	SpooferVMax.exe	32
PID 2852 wrote to memory of 2824	2852	SpooferVMax.exe	32
PID 2852 wrote to memory of 2824	2852	SpooferVMax.exe	32
PID 2824 wrote to memory of 2516	2824	icsys.icn.exe	33
PID 2824 wrote to memory of 2516	2824	icsys.icn.exe	33
PID 2824 wrote to memory of 2516	2824	icsys.icn.exe	33
PID 2824 wrote to memory of 2516	2824	icsys.icn.exe	33
PID 2620 wrote to memory of 2332	2620	spoofervmax.exe	34
PID 2620 wrote to memory of 2332	2620	spoofervmax.exe	34
PID 2620 wrote to memory of 2332	2620	spoofervmax.exe	34
PID 2516 wrote to memory of 2008	2516	explorer.exe	35
PID 2516 wrote to memory of 2008	2516	explorer.exe	35
PID 2516 wrote to memory of 2008	2516	explorer.exe	35
PID 2516 wrote to memory of 2008	2516	explorer.exe	35
PID 2332 wrote to memory of 2536	2332	cmd.exe	36
PID 2332 wrote to memory of 2536	2332	cmd.exe	36
PID 2332 wrote to memory of 2536	2332	cmd.exe	36
PID 2008 wrote to memory of 2760	2008	spoolsv.exe	37
PID 2008 wrote to memory of 2760	2008	spoolsv.exe	37
PID 2008 wrote to memory of 2760	2008	spoolsv.exe	37
PID 2008 wrote to memory of 2760	2008	spoolsv.exe	37
PID 2760 wrote to memory of 1272	2760	svchost.exe	38
PID 2760 wrote to memory of 1272	2760	svchost.exe	38
PID 2760 wrote to memory of 1272	2760	svchost.exe	38
PID 2760 wrote to memory of 1272	2760	svchost.exe	38
PID 2516 wrote to memory of 2912	2516	explorer.exe	40
PID 2516 wrote to memory of 2912	2516	explorer.exe	40
PID 2516 wrote to memory of 2912	2516	explorer.exe	40
PID 2516 wrote to memory of 2912	2516	explorer.exe	40
PID 2760 wrote to memory of 2276	2760	svchost.exe	41
PID 2760 wrote to memory of 2276	2760	svchost.exe	41
PID 2760 wrote to memory of 2276	2760	svchost.exe	41
PID 2760 wrote to memory of 2276	2760	svchost.exe	41
PID 2620 wrote to memory of 3020	2620	spoofervmax.exe	43
PID 2620 wrote to memory of 3020	2620	spoofervmax.exe	43
PID 2620 wrote to memory of 3020	2620	spoofervmax.exe	43
PID 3020 wrote to memory of 2772	3020	cmd.exe	44
PID 3020 wrote to memory of 2772	3020	cmd.exe	44
PID 3020 wrote to memory of 2772	3020	cmd.exe	44
PID 2620 wrote to memory of 2496	2620	spoofervmax.exe	45
PID 2620 wrote to memory of 2496	2620	spoofervmax.exe	45
PID 2620 wrote to memory of 2496	2620	spoofervmax.exe	45
PID 2496 wrote to memory of 1496	2496	cmd.exe	46
PID 2496 wrote to memory of 1496	2496	cmd.exe	46
PID 2496 wrote to memory of 1496	2496	cmd.exe	46
PID 2496 wrote to memory of 2908	2496	cmd.exe	47
PID 2496 wrote to memory of 2908	2496	cmd.exe	47
PID 2496 wrote to memory of 2908	2496	cmd.exe	47
PID 2496 wrote to memory of 1480	2496	cmd.exe	48
PID 2496 wrote to memory of 1480	2496	cmd.exe	48
PID 2496 wrote to memory of 1480	2496	cmd.exe	48
PID 2760 wrote to memory of 2204	2760	svchost.exe	50
PID 2760 wrote to memory of 2204	2760	svchost.exe	50
PID 2760 wrote to memory of 2204	2760	svchost.exe	50
PID 2760 wrote to memory of 2204	2760	svchost.exe	50
PID 2760 wrote to memory of 884	2760	svchost.exe	52
PID 2760 wrote to memory of 884	2760	svchost.exe	52
PID 2760 wrote to memory of 884	2760	svchost.exe	52
PID 2760 wrote to memory of 884	2760	svchost.exe	52

C:\Users\Admin\AppData\Local\Temp\SpooferVMax.exe
"C:\Users\Admin\AppData\Local\Temp\SpooferVMax.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- \??\c:\users\admin\appdata\local\temp\spoofervmax.exe
  c:\users\admin\appdata\local\temp\spoofervmax.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "c:\users\admin\appdata\local\temp\spoofervmax.exe " MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "c:\users\admin\appdata\local\temp\spoofervmax.exe " MD5
      4⤵
      PID:1496
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2908
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:1480
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2824
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2008
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1272
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:34 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2276
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:35 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2204
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:36 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:884
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\spoofervmax.exe

Filesize
766KB

MD5
78647214b07ec8450dbe8ec6cfb08e3f

SHA1
ce354517235c771e323eaebabe92e86b01c41933

SHA256
a17aa4306f7bb84cde6754e7408fdffa7500b7daf3a9c04431c2656603a57eaf

SHA512
16b3da4e2338eae39c012dd2b0a969d4da39f2eb751e9a51ffc57b36eedb073a8b4ade65a47a5b46f05c87ba0d97a3d150374ed177fcf700e09d87670c93c2f2

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
4d1a83b75f7c3ab650a38cada4066346

SHA1
4f3d4d2fdecbe6d355c0115beb6efd701b0aaf1d

SHA256
6250a2633605e5eedc1fed3e07e6f9af72ea909144bc2adaaf6232863c9aae77

SHA512
d5aa60d6b1e167d1f62bdbfb22553ea81c449efb0b26e1fda8561d4110d68678384d718fd80725caa50dca3014ce7ec828d4338a10584c3edd41a28373aecb3e

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
02d4de52edefa3f671dd7cf1da710e72

SHA1
4d7bf878c6dbe792064aaf9d0ccbd1cda9ae2dd6

SHA256
eff90c0ca049d3e47b4251c7cfecbd887433a26a7a9089c51b939515b60c09c3

SHA512
b6cf17fdf6f346f0e7c71a0e765c2fdcb457926dd10a21e2d792ddadac83cb9f3bdbdd389d3192376b1f4159425653f0c2fb8adc6a7ea69320a2c4d69db0ab45

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
58482cd55bdcf5328e770a5da259ad50

SHA1
a4c4f0c67d4d994c073fd6dc0226f81dc9519578

SHA256
979d186c61932660a72e0b4517b3c649cd7a271d3d2832bea00bc799cf8c5ff3

SHA512
e769a4ab050345121aa77e728a440775e58faaccf941ddf4e50dfe3e3cebdd6899d5e40e19610456f58741ac388fa6b0990520a94062e534eaf1d76950f0f0c2

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
377eb9b62d041d8bce0de473287e8291

SHA1
f952185e564b8fa528481a97681bf348c0662444

SHA256
4538e3ca72e6ccf3a2be2df452f7bc1eacadbfc7af2fc9e364abd32306d5410a

SHA512
2933b84ec7549fac5c774973e299482c7f1e7b829e25a9bd0fafd709e45f95b5613e5e559f4b7cdd079cfd1aed0b0e8927d05233a0f30278882d77526b45ac6a

Download Submit
memory/1272-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2008-40-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2008-45-0x00000000002F0000-0x000000000030F000-memory.dmp

Filesize
124KB

Download
memory/2008-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2760-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2760-55-0x0000000000420000-0x000000000043F000-memory.dmp

Filesize
124KB

Download
memory/2824-25-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2824-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2852-13-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/2852-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2852-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download