guloader | f8abb401812eafff1ca24fbafc67d5cdb34ba384da284b55d5350a5300fb7757

Analysis

max time kernel
150s
max time network
11s
platform
windows7_x64
resource
win7v20210410
submitted
19-04-2021 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
Size

438KB
MD5

c82d1d8b8fc5cbbf8ee05bee229a3a76
SHA1

eeaba79a2d490544ccf4c75f93e6456ab474f800
SHA256

f8abb401812eafff1ca24fbafc67d5cdb34ba384da284b55d5350a5300fb7757
SHA512

01bd7148e3befa03dd6e548c2c0784849f730165b43dec14f18262b1ee0e592b0e4132f0acf01f9b4d9d46074f0c2b26b5e626cd54d39f88113d10bd684387dc

Score

10^/10

guloader downloader evasion guloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Guloader Payload 1 IoCs

guloader

Processes:

resource	yara_rule
behavioral1/memory/1028-116-0x0000000000390000-0x000000000039F000-memory.dmp	family_guloader

Executes dropped EXE 6 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

1028 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
292 icsys.icn.exe
1096 explorer.exe
1004 spoolsv.exe
920 svchost.exe
1172 spoolsv.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1028	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
292	icsys.icn.exe
1096	explorer.exe
1004	spoolsv.exe
920	svchost.exe
1172	spoolsv.exe

Loads dropped DLL 12 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
292	icsys.icn.exe
292	icsys.icn.exe
1096	explorer.exe
1096	explorer.exe
1004	spoolsv.exe
1004	spoolsv.exe
920	svchost.exe
920	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exeexplorer.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
292	icsys.icn.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe
920	svchost.exe
920	svchost.exe
1096	explorer.exe
1096	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1096 explorer.exe
920 svchost.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exe

description pid process

Token: SeShutdownPrivilege 1028 c82d1d8b8fc5cbbf8ee05bee229a3a76.exe

pid	process
1096	explorer.exe
920	svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1028	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exec82d1d8b8fc5cbbf8ee05bee229a3a76.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
1028	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
292	icsys.icn.exe
292	icsys.icn.exe
1096	explorer.exe
1096	explorer.exe
1004	spoolsv.exe
1004	spoolsv.exe
920	svchost.exe
920	svchost.exe
1172	spoolsv.exe
1172	spoolsv.exe
1096	explorer.exe
1096	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

c82d1d8b8fc5cbbf8ee05bee229a3a76.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1420 wrote to memory of 1028	1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
PID 1420 wrote to memory of 1028	1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
PID 1420 wrote to memory of 1028	1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
PID 1420 wrote to memory of 1028	1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
PID 1420 wrote to memory of 292	1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	icsys.icn.exe
PID 1420 wrote to memory of 292	1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	icsys.icn.exe
PID 1420 wrote to memory of 292	1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	icsys.icn.exe
PID 1420 wrote to memory of 292	1420	c82d1d8b8fc5cbbf8ee05bee229a3a76.exe	icsys.icn.exe
PID 292 wrote to memory of 1096	292	icsys.icn.exe	explorer.exe
PID 292 wrote to memory of 1096	292	icsys.icn.exe	explorer.exe
PID 292 wrote to memory of 1096	292	icsys.icn.exe	explorer.exe
PID 292 wrote to memory of 1096	292	icsys.icn.exe	explorer.exe
PID 1096 wrote to memory of 1004	1096	explorer.exe	spoolsv.exe
PID 1096 wrote to memory of 1004	1096	explorer.exe	spoolsv.exe
PID 1096 wrote to memory of 1004	1096	explorer.exe	spoolsv.exe
PID 1096 wrote to memory of 1004	1096	explorer.exe	spoolsv.exe
PID 1004 wrote to memory of 920	1004	spoolsv.exe	svchost.exe
PID 1004 wrote to memory of 920	1004	spoolsv.exe	svchost.exe
PID 1004 wrote to memory of 920	1004	spoolsv.exe	svchost.exe
PID 1004 wrote to memory of 920	1004	spoolsv.exe	svchost.exe
PID 920 wrote to memory of 1172	920	svchost.exe	spoolsv.exe
PID 920 wrote to memory of 1172	920	svchost.exe	spoolsv.exe
PID 920 wrote to memory of 1172	920	svchost.exe	spoolsv.exe
PID 920 wrote to memory of 1172	920	svchost.exe	spoolsv.exe
PID 920 wrote to memory of 532	920	svchost.exe	at.exe
PID 920 wrote to memory of 532	920	svchost.exe	at.exe
PID 920 wrote to memory of 532	920	svchost.exe	at.exe
PID 920 wrote to memory of 532	920	svchost.exe	at.exe
PID 920 wrote to memory of 1896	920	svchost.exe	at.exe
PID 920 wrote to memory of 1896	920	svchost.exe	at.exe
PID 920 wrote to memory of 1896	920	svchost.exe	at.exe
PID 920 wrote to memory of 1896	920	svchost.exe	at.exe
PID 920 wrote to memory of 1556	920	svchost.exe	at.exe
PID 920 wrote to memory of 1556	920	svchost.exe	at.exe
PID 920 wrote to memory of 1556	920	svchost.exe	at.exe
PID 920 wrote to memory of 1556	920	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
"C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1420

\??\c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
c:\users\admin\appdata\local\temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1172

C:\Windows\SysWOW64\at.exe
at 17:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:532

C:\Windows\SysWOW64\at.exe
at 17:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1896

C:\Windows\SysWOW64\at.exe
at 17:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1556

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
MD5
81f33af36aa74b241608c2f1ae494ab9

SHA1
057a50d03af170a3137ba1a94db45dcc1898e708

SHA256
ec7f08251e8c211eeb82ae9f8e7fb044b1797a05aca2367aa6a82ca10ba24b90

SHA512
c0639cc171f5e84975e46de8675ebe6d4200ba6ea7bc269ad8c5ca8c4e14eb8b47da89f12c4b4ce2972acc61970fff309e8f4cd4d267a8c7a7759c486b8d4e6f

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
MD5
455c155a23342f28b1cdbfd5d620f129

SHA1
89b1c98e97e29e178cb7433f801dc4fb7b2d4e03

SHA256
86c97c81d0b34a4fdf188047505cea3d48f4586c8cc8ae3860e1e3adbcb59c15

SHA512
00bd563eb6fbc64e9bd94b22491213375163823c3842bed35d177f8a9fd7580ca12af5edc5b476af6b1facec4b2b50df8f427a679ccb00281a35ff2fbd8c27e8

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
MD5
e13e685b42fe92e6d508acc8b1bb74c5

SHA1
c5d7b519667caf79402a378563ff33e7fcaf467a

SHA256
f0fc30672f0076626d22c87ffe2a4a604cc21fb5d04c6cce695f8dc32daffa1b

SHA512
c3e90685558eeda52cfe8d914bff93fe3b45bc321fc0d6c568ef1378807afc08c2af9811d7d7615fca99d89a22a4e831d57a57b78bc60d469c0e0765b1ac04a2

Download Submit
C:\Windows\system\explorer.exe
MD5
8987500f6cdc5d541eec941a635dc409

SHA1
583c2489c2d704a945be20cd9db960e4cd2c8e49

SHA256
8532ddf615434e1e667ba5a04907e0f2914298feb1f6983bf01e23fbec523be0

SHA512
9acc28a3d98f01f3026909b79b3fda30538e3bc2a757104c04da205749aaf604bea9b006413e29ad403c8dd8c35bb036f685752e04fbde89ce012bb5835e3b8b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5228673a6ad611a68cbc5a37b5cee1e6

SHA1
3f1cb53905f6431c87faeef763af5032cd9269b6

SHA256
e9bd8c14c3f3d04a5df90dc331a6e6ff82c07c7fe41e2449e5455bf48e33e17f

SHA512
76624c2eeba4d8e16863fb19151f09a0ee36661bc582806719d207338d0f00ed8d66b276fb80c6d9bdc926ae05bd670565831ad332be3f23d8f8bed9f222552b

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5228673a6ad611a68cbc5a37b5cee1e6

SHA1
3f1cb53905f6431c87faeef763af5032cd9269b6

SHA256
e9bd8c14c3f3d04a5df90dc331a6e6ff82c07c7fe41e2449e5455bf48e33e17f

SHA512
76624c2eeba4d8e16863fb19151f09a0ee36661bc582806719d207338d0f00ed8d66b276fb80c6d9bdc926ae05bd670565831ad332be3f23d8f8bed9f222552b

Download Submit
C:\Windows\system\svchost.exe
MD5
abc770e0ef4cee1f8e3030e8915c2559

SHA1
01ef2752ee75bcb95247dae2f93441ce896a993a

SHA256
f92bb361f149fde5ab8f133f5be0e0b18072d4395efd8d9c6010dcf027f3e025

SHA512
780c5437b5e65ca665551823ba3ea54262e28b699935da0ec303de850a187295209de0a73bc34120a94a7a292005daa776a532ffdc7224cd73f7f78fb0de817c

Download Submit
\??\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe
MD5
455c155a23342f28b1cdbfd5d620f129

SHA1
89b1c98e97e29e178cb7433f801dc4fb7b2d4e03

SHA256
86c97c81d0b34a4fdf188047505cea3d48f4586c8cc8ae3860e1e3adbcb59c15

SHA512
00bd563eb6fbc64e9bd94b22491213375163823c3842bed35d177f8a9fd7580ca12af5edc5b476af6b1facec4b2b50df8f427a679ccb00281a35ff2fbd8c27e8

Download Submit
\??\c:\windows\system\explorer.exe
MD5
8987500f6cdc5d541eec941a635dc409

SHA1
583c2489c2d704a945be20cd9db960e4cd2c8e49

SHA256
8532ddf615434e1e667ba5a04907e0f2914298feb1f6983bf01e23fbec523be0

SHA512
9acc28a3d98f01f3026909b79b3fda30538e3bc2a757104c04da205749aaf604bea9b006413e29ad403c8dd8c35bb036f685752e04fbde89ce012bb5835e3b8b

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
5228673a6ad611a68cbc5a37b5cee1e6

SHA1
3f1cb53905f6431c87faeef763af5032cd9269b6

SHA256
e9bd8c14c3f3d04a5df90dc331a6e6ff82c07c7fe41e2449e5455bf48e33e17f

SHA512
76624c2eeba4d8e16863fb19151f09a0ee36661bc582806719d207338d0f00ed8d66b276fb80c6d9bdc926ae05bd670565831ad332be3f23d8f8bed9f222552b

Download Submit
\??\c:\windows\system\svchost.exe
MD5
abc770e0ef4cee1f8e3030e8915c2559

SHA1
01ef2752ee75bcb95247dae2f93441ce896a993a

SHA256
f92bb361f149fde5ab8f133f5be0e0b18072d4395efd8d9c6010dcf027f3e025

SHA512
780c5437b5e65ca665551823ba3ea54262e28b699935da0ec303de850a187295209de0a73bc34120a94a7a292005daa776a532ffdc7224cd73f7f78fb0de817c

Download Submit
\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
MD5
81f33af36aa74b241608c2f1ae494ab9

SHA1
057a50d03af170a3137ba1a94db45dcc1898e708

SHA256
ec7f08251e8c211eeb82ae9f8e7fb044b1797a05aca2367aa6a82ca10ba24b90

SHA512
c0639cc171f5e84975e46de8675ebe6d4200ba6ea7bc269ad8c5ca8c4e14eb8b47da89f12c4b4ce2972acc61970fff309e8f4cd4d267a8c7a7759c486b8d4e6f

Download Submit
\Users\Admin\AppData\Local\Temp\c82d1d8b8fc5cbbf8ee05bee229a3a76.exe
MD5
81f33af36aa74b241608c2f1ae494ab9

SHA1
057a50d03af170a3137ba1a94db45dcc1898e708

SHA256
ec7f08251e8c211eeb82ae9f8e7fb044b1797a05aca2367aa6a82ca10ba24b90

SHA512
c0639cc171f5e84975e46de8675ebe6d4200ba6ea7bc269ad8c5ca8c4e14eb8b47da89f12c4b4ce2972acc61970fff309e8f4cd4d267a8c7a7759c486b8d4e6f

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
MD5
455c155a23342f28b1cdbfd5d620f129

SHA1
89b1c98e97e29e178cb7433f801dc4fb7b2d4e03

SHA256
86c97c81d0b34a4fdf188047505cea3d48f4586c8cc8ae3860e1e3adbcb59c15

SHA512
00bd563eb6fbc64e9bd94b22491213375163823c3842bed35d177f8a9fd7580ca12af5edc5b476af6b1facec4b2b50df8f427a679ccb00281a35ff2fbd8c27e8

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
MD5
455c155a23342f28b1cdbfd5d620f129

SHA1
89b1c98e97e29e178cb7433f801dc4fb7b2d4e03

SHA256
86c97c81d0b34a4fdf188047505cea3d48f4586c8cc8ae3860e1e3adbcb59c15

SHA512
00bd563eb6fbc64e9bd94b22491213375163823c3842bed35d177f8a9fd7580ca12af5edc5b476af6b1facec4b2b50df8f427a679ccb00281a35ff2fbd8c27e8

Download Submit
\Windows\system\explorer.exe
MD5
8987500f6cdc5d541eec941a635dc409

SHA1
583c2489c2d704a945be20cd9db960e4cd2c8e49

SHA256
8532ddf615434e1e667ba5a04907e0f2914298feb1f6983bf01e23fbec523be0

SHA512
9acc28a3d98f01f3026909b79b3fda30538e3bc2a757104c04da205749aaf604bea9b006413e29ad403c8dd8c35bb036f685752e04fbde89ce012bb5835e3b8b

Download Submit
\Windows\system\explorer.exe
MD5
8987500f6cdc5d541eec941a635dc409

SHA1
583c2489c2d704a945be20cd9db960e4cd2c8e49

SHA256
8532ddf615434e1e667ba5a04907e0f2914298feb1f6983bf01e23fbec523be0

SHA512
9acc28a3d98f01f3026909b79b3fda30538e3bc2a757104c04da205749aaf604bea9b006413e29ad403c8dd8c35bb036f685752e04fbde89ce012bb5835e3b8b

Download Submit
\Windows\system\spoolsv.exe
MD5
5228673a6ad611a68cbc5a37b5cee1e6

SHA1
3f1cb53905f6431c87faeef763af5032cd9269b6

SHA256
e9bd8c14c3f3d04a5df90dc331a6e6ff82c07c7fe41e2449e5455bf48e33e17f

SHA512
76624c2eeba4d8e16863fb19151f09a0ee36661bc582806719d207338d0f00ed8d66b276fb80c6d9bdc926ae05bd670565831ad332be3f23d8f8bed9f222552b

Download Submit
\Windows\system\spoolsv.exe
MD5
5228673a6ad611a68cbc5a37b5cee1e6

SHA1
3f1cb53905f6431c87faeef763af5032cd9269b6

SHA256
e9bd8c14c3f3d04a5df90dc331a6e6ff82c07c7fe41e2449e5455bf48e33e17f

SHA512
76624c2eeba4d8e16863fb19151f09a0ee36661bc582806719d207338d0f00ed8d66b276fb80c6d9bdc926ae05bd670565831ad332be3f23d8f8bed9f222552b

Download Submit
\Windows\system\spoolsv.exe
MD5
5228673a6ad611a68cbc5a37b5cee1e6

SHA1
3f1cb53905f6431c87faeef763af5032cd9269b6

SHA256
e9bd8c14c3f3d04a5df90dc331a6e6ff82c07c7fe41e2449e5455bf48e33e17f

SHA512
76624c2eeba4d8e16863fb19151f09a0ee36661bc582806719d207338d0f00ed8d66b276fb80c6d9bdc926ae05bd670565831ad332be3f23d8f8bed9f222552b

Download Submit
\Windows\system\spoolsv.exe
MD5
5228673a6ad611a68cbc5a37b5cee1e6

SHA1
3f1cb53905f6431c87faeef763af5032cd9269b6

SHA256
e9bd8c14c3f3d04a5df90dc331a6e6ff82c07c7fe41e2449e5455bf48e33e17f

SHA512
76624c2eeba4d8e16863fb19151f09a0ee36661bc582806719d207338d0f00ed8d66b276fb80c6d9bdc926ae05bd670565831ad332be3f23d8f8bed9f222552b

Download Submit
\Windows\system\svchost.exe
MD5
abc770e0ef4cee1f8e3030e8915c2559

SHA1
01ef2752ee75bcb95247dae2f93441ce896a993a

SHA256
f92bb361f149fde5ab8f133f5be0e0b18072d4395efd8d9c6010dcf027f3e025

SHA512
780c5437b5e65ca665551823ba3ea54262e28b699935da0ec303de850a187295209de0a73bc34120a94a7a292005daa776a532ffdc7224cd73f7f78fb0de817c

Download Submit
\Windows\system\svchost.exe
MD5
abc770e0ef4cee1f8e3030e8915c2559

SHA1
01ef2752ee75bcb95247dae2f93441ce896a993a

SHA256
f92bb361f149fde5ab8f133f5be0e0b18072d4395efd8d9c6010dcf027f3e025

SHA512
780c5437b5e65ca665551823ba3ea54262e28b699935da0ec303de850a187295209de0a73bc34120a94a7a292005daa776a532ffdc7224cd73f7f78fb0de817c

Download Submit
memory/292-72-0x0000000000000000-mapping.dmp

Download
memory/532-113-0x0000000000000000-mapping.dmp

Download
memory/920-99-0x0000000000000000-mapping.dmp

Download
memory/1004-90-0x0000000000000000-mapping.dmp

Download
memory/1028-116-0x0000000000390000-0x000000000039F000-memory.dmp

Filesize
60KB

Download
memory/1028-66-0x0000000000000000-mapping.dmp

Download
memory/1096-81-0x0000000000000000-mapping.dmp

Download
memory/1172-108-0x0000000000000000-mapping.dmp

Download
memory/1420-63-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1556-119-0x0000000000000000-mapping.dmp

Download
memory/1896-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads