floxif | d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
Size

4.7MB
MD5

d3b99efd2be70b804ab187899b8ea8a2
SHA1

5a50287619cbdb06c923a2e0e59b130c92435972
SHA256

d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd
SHA512

1be63a37e4cc331c8bfe1bd6ef5fa937205f8b7b0c36ce2d60c4fc322703c3c32a20d73afd195cf63ce79f3088c13e559bfb0eaff9baf526d88a71a5ec95bd48
SSDEEP

49152:tWKGNq7FBhpRWa3viMRIcDdxw6dXF3W1QrL1UDq3P8mlp4DOXUx4:zGejpRWafEkRW6OHmrZX5

Score

10^/10

floxif backdoor discovery evasion persistence trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x0008000000023bd5-11.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023bd5-11.dat	acprotect

Executes dropped EXE 8 IoCs

pid	Process
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
1408	icsys.icn.exe
748	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
3028	explorer.exe
2376	spoolsv.exe
3148	icsys.icn.exe
2188	svchost.exe
4364	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
748	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2672-14-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x0008000000023bd5-11.dat	upx
behavioral2/memory/748-33-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/748-61-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2672-73-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3028	explorer.exe
2188	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
Token: SeDebugPrivilege	748	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
1408	icsys.icn.exe
1408	icsys.icn.exe
3028	explorer.exe
3028	explorer.exe
748	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
748	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
2376	spoolsv.exe
2376	spoolsv.exe
2188	svchost.exe
2188	svchost.exe
3148	icsys.icn.exe
3148	icsys.icn.exe
4364	spoolsv.exe
4364	spoolsv.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 2672	4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	83
PID 4444 wrote to memory of 2672	4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	83
PID 4444 wrote to memory of 2672	4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	83
PID 4444 wrote to memory of 1408	4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	84
PID 4444 wrote to memory of 1408	4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	84
PID 4444 wrote to memory of 1408	4444	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	84
PID 2672 wrote to memory of 748	2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	85
PID 2672 wrote to memory of 748	2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	85
PID 2672 wrote to memory of 748	2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	85
PID 1408 wrote to memory of 3028	1408	icsys.icn.exe	86
PID 1408 wrote to memory of 3028	1408	icsys.icn.exe	86
PID 1408 wrote to memory of 3028	1408	icsys.icn.exe	86
PID 3028 wrote to memory of 2376	3028	explorer.exe	87
PID 3028 wrote to memory of 2376	3028	explorer.exe	87
PID 3028 wrote to memory of 2376	3028	explorer.exe	87
PID 2672 wrote to memory of 3148	2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	88
PID 2672 wrote to memory of 3148	2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	88
PID 2672 wrote to memory of 3148	2672	d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe	88
PID 2376 wrote to memory of 2188	2376	spoolsv.exe	89
PID 2376 wrote to memory of 2188	2376	spoolsv.exe	89
PID 2376 wrote to memory of 2188	2376	spoolsv.exe	89
PID 2188 wrote to memory of 4364	2188	svchost.exe	90
PID 2188 wrote to memory of 4364	2188	svchost.exe	90
PID 2188 wrote to memory of 4364	2188	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
"C:\Users\Admin\AppData\Local\Temp\d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4444
- \??\c:\users\admin\appdata\local\temp\d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
  c:\users\admin\appdata\local\temp\d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2672
- - \??\c:\users\admin\appdata\local\temp\d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
    c:\users\admin\appdata\local\temp\d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:748
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3148
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1408
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2376
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\9D6911CCA70.tmp

Filesize
4.5MB

MD5
d0b61f13372768a96e0ee733ab0cb6a3

SHA1
da5acc25417fb085e67194396a30b53cc19a3129

SHA256
988285dea2de7a1b98412e9560c2059cf8f457eaffad8228f0fea65cdd7b1bf0

SHA512
6b7797b9e26a4dc22c4ea783b6e1c93a763d7ec0c377c8b7cc65ee4a9c6af968046e2846e45e08e99d53dd135d6d14ec2608eb5e5e2e98d1000ae84ea6d984cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4280f4d3a5b55db372dbf46200db3cf9afb851aaa7c4961376cc877d1f45bdd.exe

Filesize
4.5MB

MD5
f2f663d7125fae108dfe569404386854

SHA1
8d4da074f301b3027b7870b6c405f33a4a5639c9

SHA256
f5e62104cb8cce33331d05a246a432dc04b99ea398dbb70bdce7867e291b6f00

SHA512
295074178be41f1849ae12068cdaf62dcb160773d4c4135ae5f1f91c13bc69fc7722abe814794c16efc0467ceeb29ec0c4501dad0799aaf07d3632cdff3a0cef

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
adbbca247246a651f730703d3e23da14

SHA1
224c6929b43e9dba89da5c53991e2b0b496e43aa

SHA256
907f298125a2be17ad42672fc39f48a2ed686da2115c16c61bbc5585a1058924

SHA512
12f7e1809bc2ed8bbb41249928aefcf30dc5721559d7f68328222e9144fc2fba2e513cddc0039e873154bf4d09622b560b19be264e94f00637efb34aa67bd7d2

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
98d095085879b39b71ae70f8a3a28af7

SHA1
aafce79183935ebbb476775f520439cd3c0b3ae9

SHA256
5b7dd8fcf7a866c0ae6e2cc858d67e108516031f9ef0ccdb88dd026f225e2bfe

SHA512
9e6869e4a7990dbe332364baa31a2bec730ac4f5bd3a15d31da1e5b7f8e7d5cf16996bfc2d3555a9f31fc7bb8756af5a91401a4f722f64ebfc92586b8ac9c5d6

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
dca021bfc6e11ced1891aebdab8ef069

SHA1
1c966a2968eaaa40fa32ba954c97144dd5a2a28d

SHA256
49b7c50cc081051f80fa56bed1539bb8dbf90cfb36042a810d95edf37765947b

SHA512
a39030d8138a63de5b3643eb3b60c8cfacff521732d4c81f355c978736af8b5f386d3153a6e52ab54b0727a5c037f1abc8b7874567ece1e5faca25af7454a3ec

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
226f60a541f5b7923a225e6629183ca1

SHA1
687af10a4a375ab52b2fba1482f59c6a7b261a68

SHA256
6a547e6d43850291d84d53bade391b246cfaf27be395212b3078b51d286f39de

SHA512
c33cd312b4f1e0ca90de436d7fb406acd58238a38ed063a74082040d3cc3b9121f741153beef140310a6f907b29fcbe91feea8cc81f49ebb92be42f0751bd3bc

Download Submit
memory/748-33-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/748-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/748-61-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/748-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-25-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2188-81-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2376-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-73-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2672-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-14-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3028-80-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4364-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4444-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4444-79-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download