r77 | f2c407fd5807bfef519782f4a1ddb692e517253458038af8cb95afa1c9d12867

Analysis

max time kernel
120s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 00:58 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

983feeba8559708cdf24ccfe95e6b500N.exe
Size

1.4MB
MD5

983feeba8559708cdf24ccfe95e6b500
SHA1

0284cd93330c39a56517c0524b58f99bae212e05
SHA256

f2c407fd5807bfef519782f4a1ddb692e517253458038af8cb95afa1c9d12867
SHA512

f69524363cd51da69ca2cc46f83b8cfb743aa3db1eff0041a0e3106ac2a1f40e7886a21813bb23f45fef46777c490dacfc20cce76ca6b76738786785045884a1
SSDEEP

24576:cFOa8YUyYp231mT6lq7UM4nM2dNR0iTgk22FyDbJ7wDS+eUZ:smwmTSWUMIM2p0iTgkf4V7rUZ

Score

10^/10

r77 discovery evasion persistence rootkit

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 1 IoCs

Detects the payload of the r77 rootkit.

resource	yara_rule
behavioral2/files/0x0007000000023500-7.dat	r77_payload

Executes dropped EXE 6 IoCs

pid	Process
2796	983feeba8559708cdf24ccfe95e6b500n.exe
5096	icsys.icn.exe
3284	explorer.exe
2684	spoolsv.exe
348	svchost.exe
3556	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	983feeba8559708cdf24ccfe95e6b500N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	983feeba8559708cdf24ccfe95e6b500N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
5096	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3284	explorer.exe
348	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	983feeba8559708cdf24ccfe95e6b500n.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3056	983feeba8559708cdf24ccfe95e6b500N.exe
3056	983feeba8559708cdf24ccfe95e6b500N.exe
5096	icsys.icn.exe
5096	icsys.icn.exe
3284	explorer.exe
3284	explorer.exe
2684	spoolsv.exe
2684	spoolsv.exe
348	svchost.exe
348	svchost.exe
3556	spoolsv.exe
3556	spoolsv.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2796	3056	983feeba8559708cdf24ccfe95e6b500N.exe	87
PID 3056 wrote to memory of 2796	3056	983feeba8559708cdf24ccfe95e6b500N.exe	87
PID 3056 wrote to memory of 5096	3056	983feeba8559708cdf24ccfe95e6b500N.exe	88
PID 3056 wrote to memory of 5096	3056	983feeba8559708cdf24ccfe95e6b500N.exe	88
PID 3056 wrote to memory of 5096	3056	983feeba8559708cdf24ccfe95e6b500N.exe	88
PID 5096 wrote to memory of 3284	5096	icsys.icn.exe	89
PID 5096 wrote to memory of 3284	5096	icsys.icn.exe	89
PID 5096 wrote to memory of 3284	5096	icsys.icn.exe	89
PID 3284 wrote to memory of 2684	3284	explorer.exe	91
PID 3284 wrote to memory of 2684	3284	explorer.exe	91
PID 3284 wrote to memory of 2684	3284	explorer.exe	91
PID 2684 wrote to memory of 348	2684	spoolsv.exe	92
PID 2684 wrote to memory of 348	2684	spoolsv.exe	92
PID 2684 wrote to memory of 348	2684	spoolsv.exe	92
PID 348 wrote to memory of 3556	348	svchost.exe	93
PID 348 wrote to memory of 3556	348	svchost.exe	93
PID 348 wrote to memory of 3556	348	svchost.exe	93

C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500N.exe
"C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- \??\c:\users\admin\appdata\local\temp\983feeba8559708cdf24ccfe95e6b500n.exe
  c:\users\admin\appdata\local\temp\983feeba8559708cdf24ccfe95e6b500n.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5096
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2684
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:348
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3556

Network

DNS

196.249.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.249.167.52.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

flingtrainer.com

983feeba8559708cdf24ccfe95e6b500n.exe

Remote address:

8.8.8.8:53

Request

flingtrainer.com

IN A

Response

flingtrainer.com

IN A

104.26.14.72

flingtrainer.com

IN A

104.26.15.72

flingtrainer.com

IN A

172.67.73.26
GET

https://flingtrainer.com/wp-content/check-for-trainer-update/resident-evil-3-trainer

983feeba8559708cdf24ccfe95e6b500n.exe

Remote address:

104.26.14.72:443

Request

GET /wp-content/check-for-trainer-update/resident-evil-3-trainer HTTP/1.1
User-Agent: FLiNGTrainer
Host: flingtrainer.com

Response

HTTP/1.1 200 OK

Date: Sun, 08 Sep 2024 00:58:42 GMT
Content-Length: 11
Connection: keep-alive
vary: User-Agent
last-modified: Wed, 22 Jun 2022 06:45:32 GMT
etag: "b-5e203aefabb00"
accept-ranges: bytes
Cache-Control: no-cache, no-store, must-revalidate
pragma: no-cache
expires: 0
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZWIV6eo1fvBVWzpROuqwvISw4qs1fGJOqy2muYx%2Fvr97S%2Fq0W2jSgZXCqjrj09GXBSBplzvnNeGLZljNiziXABwPETrLsmqIwDWRuXBwhRR1MCm5eEPqlSEs0J3hv3sl2SA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8bfafddd7cbe9571-LHR
DNS

c.pki.goog

983feeba8559708cdf24ccfe95e6b500n.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.27.94
GET

http://c.pki.goog/r/gsr1.crl

983feeba8559708cdf24ccfe95e6b500n.exe

Remote address:

142.250.27.94:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 08 Sep 2024 00:09:21 GMT
Expires: Sun, 08 Sep 2024 00:59:21 GMT
Cache-Control: public, max-age=3000
Age: 2960
Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

983feeba8559708cdf24ccfe95e6b500n.exe

Remote address:

142.250.27.94:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sun, 08 Sep 2024 00:34:12 GMT
Expires: Sun, 08 Sep 2024 01:24:12 GMT
Cache-Control: public, max-age=3000
Age: 1470
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

72.14.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.14.26.104.in-addr.arpa

IN PTR

Response
DNS

94.27.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

94.27.250.142.in-addr.arpa

IN PTR

Response

94.27.250.142.in-addr.arpa

IN PTR

ra-in-f941e100net
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

13.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.227.111.52.in-addr.arpa

IN PTR

Response

104.26.14.72:443

https://flingtrainer.com/wp-content/check-for-trainer-update/resident-evil-3-trainer

tls, http

983feeba8559708cdf24ccfe95e6b500n.exe

880 B
4.5kB
10
8

HTTP Request

GET https://flingtrainer.com/wp-content/check-for-trainer-update/resident-evil-3-trainer

HTTP Response

200
142.250.27.94:80

http://c.pki.goog/r/r4.crl

http

983feeba8559708cdf24ccfe95e6b500n.exe

648 B
3.9kB
9
8

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200

8.8.8.8:53

196.249.167.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

196.249.167.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

flingtrainer.com

dns

983feeba8559708cdf24ccfe95e6b500n.exe

62 B
110 B
1
1

DNS Request

flingtrainer.com

DNS Response

104.26.14.72

104.26.15.72

172.67.73.26
8.8.8.8:53

c.pki.goog

dns

983feeba8559708cdf24ccfe95e6b500n.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.27.94
8.8.8.8:53

72.14.26.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

72.14.26.104.in-addr.arpa
8.8.8.8:53

94.27.250.142.in-addr.arpa

dns

72 B
105 B
1
1

DNS Request

94.27.250.142.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

13.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\983feeba8559708cdf24ccfe95e6b500n.exe

Filesize
1.3MB

MD5
2619a95b7823ba7d7061723fb24899ff

SHA1
a0f8509a84b80e740e9010f2caebdb366d765026

SHA256
2f7d0647c2643ebed6a9c84b7bf5f22e8daf38f53376428c82993a2438abe4ec

SHA512
83c7f59860ea57379f6f114cfbc671f8a7d8d7495ab0c74d6cf0b73b4449c213305d19a9f6a68090774511254f1e314038fcc0c1a4f14427c1b258b282396fb6

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
3622ddde7c96b8117a84547fddd5032f

SHA1
a74fee6c50ddf71745f2b208e7c7db1ad66841ca

SHA256
1dd25d200de965098a7420078c7748d99397a104ad91ee763205eda6f5638fb4

SHA512
940bfe09e17d6612652e03a5881dc961a42ef14e9039dc12626265ffa6a21f2fc16851f776da04d83085aa045c59cd24c8dfec44ae14b6e45e6498ab00912f45

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
eb26863ba35c122485365deb42a871d7

SHA1
a60c83d2744059df05d8706c55a10e09861357ce

SHA256
8df9bfbe2e8c53f196fdb0d9a43d117a54a89a6d3dffb41140973fe78e8b8bee

SHA512
c872c1bde7408cfe2f8e3f80a173a1d0a74fbb1a2de81d889b354fc7f06cb129d92a0087c415e94f1621324f2d5795a15adfcc02e1244200e0dd5d20aba7781d

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
7cdbd6eab4c515a5741f0eb1bd4279d9

SHA1
1b755d0807a5d2f04325000b23083011d7abd811

SHA256
93b37b86ed6249418d0ddd256ec2d0648ef30a8b7ad2c5b9dbe2eaa76a4a12ce

SHA512
b31e2e7b097b59438478c49467444fcb73c30df61c066bdd050b9d801399bbfa3ecc01293bcd9486e80ca915c825ed23fe23ff2303aaa3a2b6f0fae250a9c9b7

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
27e57f9dda22ef60cb121d57aa5a32ec

SHA1
7b4203a88a9eceb22412e7844f8e7e16372bd8fe

SHA256
390030cc666f7026fd31e3dccf7aa4e8add46630a16d6f363bf0b915eab2c11b

SHA512
d03f7e9b85ee21ef2e14c4bc1b76c5e6dd106213e9b1655b1e51a102bbda866157584ac0ba133c2d3489f6860c2c4d18047218080dabbdd21c5da98523a0f9ba

Download Submit
memory/348-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/348-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2684-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2796-62-0x00007FFE4FF50000-0x00007FFE50A11000-memory.dmp

Filesize
10.8MB

Download
memory/2796-13-0x00007FFE4FF50000-0x00007FFE50A11000-memory.dmp

Filesize
10.8MB

Download
memory/2796-10-0x000002D78A4D0000-0x000002D78A502000-memory.dmp

Filesize
200KB

Download
memory/2796-9-0x00007FFE4FF53000-0x00007FFE4FF55000-memory.dmp

Filesize
8KB

Download
memory/2796-64-0x00007FFE4FF50000-0x00007FFE50A11000-memory.dmp

Filesize
10.8MB

Download
memory/2796-63-0x00007FFE4FF50000-0x00007FFE50A11000-memory.dmp

Filesize
10.8MB

Download
memory/3056-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3284-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3556-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3556-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5096-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5096-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.