4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409

Analysis

max time kernel
151s
max time network
49s
platform
windows7_x64
resource
win7v20210408
submitted
08-07-2021 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
Size

206KB
MD5

70c771952bc897446d3ddad90541a1e6
SHA1

b00b50a893e4552651c4a5c38cf4bb9aed7a101e
SHA256

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337
SHA512

33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Executes dropped EXE 11 IoCs

Processes:

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exesihost32.exeServices32.exeservices32.exe icsys.icn.exeexplorer.exe

pid	process
1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1988	icsys.icn.exe
604	explorer.exe
1552	spoolsv.exe
1864	svchost.exe
1800	spoolsv.exe
900	sihost32.exe
1380	Services32.exe
1580	services32.exe
1200	icsys.icn.exe
1544	explorer.exe

Loads dropped DLL 9 IoCs

Processes:

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exeaefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe Services32.exe

pid	process
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1988	icsys.icn.exe
604	explorer.exe
1552	spoolsv.exe
1864	svchost.exe
1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1380	Services32.exe
1380	Services32.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exeicsys.icn.exeexplorer.exespoolsv.exeServices32.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Services32.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1020 schtasks.exe
944 schtasks.exe
316 schtasks.exe
1652 schtasks.exe
1316 schtasks.exe

pid	process
1020	schtasks.exe
944	schtasks.exe
316	schtasks.exe
1652	schtasks.exe
1316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exepowershell.exepowershell.exepowershell.exepowershell.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1608	powershell.exe
1608	powershell.exe
1292	powershell.exe
1292	powershell.exe
920	powershell.exe
920	powershell.exe
260	powershell.exe
260	powershell.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
604	explorer.exe
1864	svchost.exe
1864	svchost.exe
1864	svchost.exe
1864	svchost.exe
1864	svchost.exe
1864	svchost.exe
1864	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

604 explorer.exe
1864 svchost.exe

pid	process
604	explorer.exe
1864	svchost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeaefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices32.exe powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	260	powershell.exe
Token: SeDebugPrivilege	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1580	services32.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeServices32.exeicsys.icn.exeexplorer.exe

pid	process
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
1988	icsys.icn.exe
1988	icsys.icn.exe
604	explorer.exe
604	explorer.exe
1552	spoolsv.exe
1552	spoolsv.exe
1864	svchost.exe
1864	svchost.exe
1800	spoolsv.exe
1800	spoolsv.exe
1380	Services32.exe
1380	Services32.exe
1200	icsys.icn.exe
1200	icsys.icn.exe
1544	explorer.exe
1544	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exeaefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe cmd.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.execmd.exeServices32.exe

description	pid	process	target process
PID 1832 wrote to memory of 1448	1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
PID 1832 wrote to memory of 1448	1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
PID 1832 wrote to memory of 1448	1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
PID 1832 wrote to memory of 1448	1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
PID 1448 wrote to memory of 1672	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	cmd.exe
PID 1448 wrote to memory of 1672	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	cmd.exe
PID 1448 wrote to memory of 1672	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	cmd.exe
PID 1672 wrote to memory of 1608	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 1608	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 1608	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 1292	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 1292	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 1292	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 920	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 920	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 920	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 260	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 260	1672	cmd.exe	powershell.exe
PID 1672 wrote to memory of 260	1672	cmd.exe	powershell.exe
PID 1832 wrote to memory of 1988	1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	icsys.icn.exe
PID 1832 wrote to memory of 1988	1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	icsys.icn.exe
PID 1832 wrote to memory of 1988	1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	icsys.icn.exe
PID 1832 wrote to memory of 1988	1832	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	icsys.icn.exe
PID 1988 wrote to memory of 604	1988	icsys.icn.exe	explorer.exe
PID 1988 wrote to memory of 604	1988	icsys.icn.exe	explorer.exe
PID 1988 wrote to memory of 604	1988	icsys.icn.exe	explorer.exe
PID 1988 wrote to memory of 604	1988	icsys.icn.exe	explorer.exe
PID 604 wrote to memory of 1552	604	explorer.exe	spoolsv.exe
PID 604 wrote to memory of 1552	604	explorer.exe	spoolsv.exe
PID 604 wrote to memory of 1552	604	explorer.exe	spoolsv.exe
PID 604 wrote to memory of 1552	604	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1864	1552	spoolsv.exe	svchost.exe
PID 1552 wrote to memory of 1864	1552	spoolsv.exe	svchost.exe
PID 1552 wrote to memory of 1864	1552	spoolsv.exe	svchost.exe
PID 1552 wrote to memory of 1864	1552	spoolsv.exe	svchost.exe
PID 1864 wrote to memory of 1800	1864	svchost.exe	spoolsv.exe
PID 1864 wrote to memory of 1800	1864	svchost.exe	spoolsv.exe
PID 1864 wrote to memory of 1800	1864	svchost.exe	spoolsv.exe
PID 1864 wrote to memory of 1800	1864	svchost.exe	spoolsv.exe
PID 604 wrote to memory of 1624	604	explorer.exe	Explorer.exe
PID 604 wrote to memory of 1624	604	explorer.exe	Explorer.exe
PID 604 wrote to memory of 1624	604	explorer.exe	Explorer.exe
PID 604 wrote to memory of 1624	604	explorer.exe	Explorer.exe
PID 1864 wrote to memory of 1020	1864	svchost.exe	schtasks.exe
PID 1864 wrote to memory of 1020	1864	svchost.exe	schtasks.exe
PID 1864 wrote to memory of 1020	1864	svchost.exe	schtasks.exe
PID 1864 wrote to memory of 1020	1864	svchost.exe	schtasks.exe
PID 1448 wrote to memory of 1564	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	cmd.exe
PID 1448 wrote to memory of 1564	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	cmd.exe
PID 1448 wrote to memory of 1564	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	cmd.exe
PID 1564 wrote to memory of 944	1564	cmd.exe	schtasks.exe
PID 1564 wrote to memory of 944	1564	cmd.exe	schtasks.exe
PID 1564 wrote to memory of 944	1564	cmd.exe	schtasks.exe
PID 1448 wrote to memory of 900	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	sihost32.exe
PID 1448 wrote to memory of 900	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	sihost32.exe
PID 1448 wrote to memory of 900	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	sihost32.exe
PID 1448 wrote to memory of 1380	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	Services32.exe
PID 1448 wrote to memory of 1380	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	Services32.exe
PID 1448 wrote to memory of 1380	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	Services32.exe
PID 1448 wrote to memory of 1380	1448	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	Services32.exe
PID 1380 wrote to memory of 1580	1380	Services32.exe	services32.exe
PID 1380 wrote to memory of 1580	1380	Services32.exe	services32.exe
PID 1380 wrote to memory of 1580	1380	Services32.exe	services32.exe
PID 1380 wrote to memory of 1580	1380	Services32.exe	services32.exe

C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
"C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
4⤵
- Creates scheduled task(s)
PID:944

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
3⤵
- Executes dropped EXE
PID:900

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
4⤵
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Users\Admin\AppData\Local\Temp\Services32.exe
"C:\Users\Admin\AppData\Local\Temp\Services32.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380

\??\c:\users\admin\appdata\local\temp\services32.exe
c:\users\admin\appdata\local\temp\services32.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
5⤵
PID:1268

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
6⤵
- Creates scheduled task(s)
PID:316

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1200

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:604

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:06 /f
6⤵
- Creates scheduled task(s)
PID:1020

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:07 /f
6⤵
- Creates scheduled task(s)
PID:1652

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 09:08 /f
6⤵
- Creates scheduled task(s)
PID:1316

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:1624

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
1⤵
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0c700710-19bd-4cbc-bb0d-177e8138058c
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_36fe3446-9fd2-46b8-a05b-397c04229954
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6412e505-fc2c-416c-8df2-48c2384208f0
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_747bdf1d-1046-4eeb-9947-1d87226e5203
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9bd3a235-800a-4d6a-ba93-a1170c58da7e
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_de0afcc7-7a35-41e7-8005-d4eaefcb8ae4
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fba6c941-cf5b-4667-a9d6-b38365da9280
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
109ddd9d9274fc7a0f98d903cb9cc1fe

SHA1
8745aa9a57c1b752e83387745c2b1bc43bb3626b

SHA256
4e80b55a36c690fdc45f066cc78b73ac855f4afe9d7e7affd61b5e1fcf0969fe

SHA512
9f1b687288290e1bc5826f2a715a190d2cf0a57e605805d2b24a808d19501520f583f1314227a1cb9416a96bd94bc321ddff57b1ace31f03632ef5d101665542

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services32.exe
MD5
70c771952bc897446d3ddad90541a1e6

SHA1
b00b50a893e4552651c4a5c38cf4bb9aed7a101e

SHA256
aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

SHA512
33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
MD5
5552f88a40afa2e2fef5acbd590ac812

SHA1
5afef5451811830c1ec3108cd7ee66a0418a6186

SHA256
9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

SHA512
6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\services32.exe
MD5
5552f88a40afa2e2fef5acbd590ac812

SHA1
5afef5451811830c1ec3108cd7ee66a0418a6186

SHA256
9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

SHA512
6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
d1f4a92a1672d7d22a90e2567523d03e

SHA1
a1683621e2103e1df1ce22def923e4ef62ddcd11

SHA256
48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b

SHA512
2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
d1f4a92a1672d7d22a90e2567523d03e

SHA1
a1683621e2103e1df1ce22def923e4ef62ddcd11

SHA256
48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b

SHA512
2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
54d6cc008e989cf18fd62e341eba0274

SHA1
cefd027fac1c5bc86bd6ea8cb1e7cb234384864f

SHA256
a497743b7fc76e901e2ddb1b03fbad6311022ed6dc46676e5e2601bc6e1df8b8

SHA512
bb574760900f59e8bb35362664f284428d3d31328a1660546950cb7df7177f19d6e6de47da7c6286488c375a7779ea11c90d35eb3a2d6fa255bbc28430a433e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
54d6cc008e989cf18fd62e341eba0274

SHA1
cefd027fac1c5bc86bd6ea8cb1e7cb234384864f

SHA256
a497743b7fc76e901e2ddb1b03fbad6311022ed6dc46676e5e2601bc6e1df8b8

SHA512
bb574760900f59e8bb35362664f284428d3d31328a1660546950cb7df7177f19d6e6de47da7c6286488c375a7779ea11c90d35eb3a2d6fa255bbc28430a433e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
530394d7fd15e8365d1ba1789015102c

SHA1
051bef53bb017c7f70c694eab2c57f6a4654b3e6

SHA256
6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832

SHA512
5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
54d6cc008e989cf18fd62e341eba0274

SHA1
cefd027fac1c5bc86bd6ea8cb1e7cb234384864f

SHA256
a497743b7fc76e901e2ddb1b03fbad6311022ed6dc46676e5e2601bc6e1df8b8

SHA512
bb574760900f59e8bb35362664f284428d3d31328a1660546950cb7df7177f19d6e6de47da7c6286488c375a7779ea11c90d35eb3a2d6fa255bbc28430a433e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
54d6cc008e989cf18fd62e341eba0274

SHA1
cefd027fac1c5bc86bd6ea8cb1e7cb234384864f

SHA256
a497743b7fc76e901e2ddb1b03fbad6311022ed6dc46676e5e2601bc6e1df8b8

SHA512
bb574760900f59e8bb35362664f284428d3d31328a1660546950cb7df7177f19d6e6de47da7c6286488c375a7779ea11c90d35eb3a2d6fa255bbc28430a433e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
530394d7fd15e8365d1ba1789015102c

SHA1
051bef53bb017c7f70c694eab2c57f6a4654b3e6

SHA256
6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832

SHA512
5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
530394d7fd15e8365d1ba1789015102c

SHA1
051bef53bb017c7f70c694eab2c57f6a4654b3e6

SHA256
6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832

SHA512
5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
530394d7fd15e8365d1ba1789015102c

SHA1
051bef53bb017c7f70c694eab2c57f6a4654b3e6

SHA256
6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832

SHA512
5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
530394d7fd15e8365d1ba1789015102c

SHA1
051bef53bb017c7f70c694eab2c57f6a4654b3e6

SHA256
6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832

SHA512
5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
530394d7fd15e8365d1ba1789015102c

SHA1
051bef53bb017c7f70c694eab2c57f6a4654b3e6

SHA256
6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832

SHA512
5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
530394d7fd15e8365d1ba1789015102c

SHA1
051bef53bb017c7f70c694eab2c57f6a4654b3e6

SHA256
6524cbff5c3088b2e8d17bedc3c041bbc63ba4f74f07101b091c0356e5b4e832

SHA512
5821f6556d4095a2de3079286a770a85e43aaceaf7edbfa480092ad75f522a8573b1367b5754cba8e2320a45c4ac4ac8a82dcb658d64176b5ea582a3dc5e9534

Download Submit
C:\Windows\Resources\Themes\explorer.exe
MD5
b5ce94bc12efa5a9f28b93a525edd1d3

SHA1
d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d

SHA256
ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a

SHA512
5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281

Download Submit
C:\Windows\Resources\Themes\explorer.exe
MD5
b5ce94bc12efa5a9f28b93a525edd1d3

SHA1
d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d

SHA256
ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a

SHA512
5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
MD5
f2667d617c1c5156004ea365bc759c1c

SHA1
10592eb1cd290802867f1fa13470717fa5643f59

SHA256
e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

SHA512
1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
MD5
f2667d617c1c5156004ea365bc759c1c

SHA1
10592eb1cd290802867f1fa13470717fa5643f59

SHA256
e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

SHA512
1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

Download Submit
C:\Windows\Resources\spoolsv.exe
MD5
161db796a25cf2bbd19f18d438400cf9

SHA1
b42436bece3a15771cb54f60d4a47e0469660c02

SHA256
60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a

SHA512
76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32

Download Submit
C:\Windows\Resources\spoolsv.exe
MD5
161db796a25cf2bbd19f18d438400cf9

SHA1
b42436bece3a15771cb54f60d4a47e0469660c02

SHA256
60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a

SHA512
76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32

Download Submit
C:\Windows\Resources\svchost.exe
MD5
96002ea74ef7086cabcd0b74b6eae617

SHA1
c251574fecf4d1453c01c0d36d02ead805d14eb7

SHA256
7d386f44a0d69da1cba031ec573d8361dff08bb5841c205556a466b085020cab

SHA512
f2b26df1b6c6be69a7c930fa271b75e73638f6e166462036dea24eb8436e5d495388c766f9154c53c81c3b685e48ee9d805769c1dc7917be87b50e47b8c593c7

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
MD5
5552f88a40afa2e2fef5acbd590ac812

SHA1
5afef5451811830c1ec3108cd7ee66a0418a6186

SHA256
9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

SHA512
6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

Download Submit
\??\c:\users\admin\appdata\local\temp\services32.exe
MD5
70c771952bc897446d3ddad90541a1e6

SHA1
b00b50a893e4552651c4a5c38cf4bb9aed7a101e

SHA256
aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

SHA512
33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

Download Submit
\??\c:\users\admin\appdata\local\temp\services32.exe
MD5
5552f88a40afa2e2fef5acbd590ac812

SHA1
5afef5451811830c1ec3108cd7ee66a0418a6186

SHA256
9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

SHA512
6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

Download Submit
\??\c:\windows\resources\spoolsv.exe
MD5
161db796a25cf2bbd19f18d438400cf9

SHA1
b42436bece3a15771cb54f60d4a47e0469660c02

SHA256
60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a

SHA512
76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32

Download Submit
\??\c:\windows\resources\svchost.exe
MD5
96002ea74ef7086cabcd0b74b6eae617

SHA1
c251574fecf4d1453c01c0d36d02ead805d14eb7

SHA256
7d386f44a0d69da1cba031ec573d8361dff08bb5841c205556a466b085020cab

SHA512
f2b26df1b6c6be69a7c930fa271b75e73638f6e166462036dea24eb8436e5d495388c766f9154c53c81c3b685e48ee9d805769c1dc7917be87b50e47b8c593c7

Download Submit
\??\c:\windows\resources\themes\explorer.exe
MD5
b5ce94bc12efa5a9f28b93a525edd1d3

SHA1
d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d

SHA256
ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a

SHA512
5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281

Download Submit
\??\c:\windows\resources\themes\icsys.icn.exe
MD5
f2667d617c1c5156004ea365bc759c1c

SHA1
10592eb1cd290802867f1fa13470717fa5643f59

SHA256
e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

SHA512
1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

Download Submit
\??\c:\windows\resources\themes\icsys.icn.exe
MD5
f2667d617c1c5156004ea365bc759c1c

SHA1
10592eb1cd290802867f1fa13470717fa5643f59

SHA256
e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

SHA512
1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

Download Submit
\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
MD5
5552f88a40afa2e2fef5acbd590ac812

SHA1
5afef5451811830c1ec3108cd7ee66a0418a6186

SHA256
9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

SHA512
6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

Download Submit
\Users\Admin\AppData\Local\Temp\services32.exe
MD5
5552f88a40afa2e2fef5acbd590ac812

SHA1
5afef5451811830c1ec3108cd7ee66a0418a6186

SHA256
9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

SHA512
6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
d1f4a92a1672d7d22a90e2567523d03e

SHA1
a1683621e2103e1df1ce22def923e4ef62ddcd11

SHA256
48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b

SHA512
2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

Download Submit
\Windows\Resources\Themes\explorer.exe
MD5
b5ce94bc12efa5a9f28b93a525edd1d3

SHA1
d19f64fcc6e9a66e9a1d97f3fd0a14696b4ddb2d

SHA256
ceb1a7ddce0530cd0b16d14e81980953a5bf7000a967ee6e5bc36be72216a64a

SHA512
5f43b874b1e31c69d41da2e510ffdaebbaa5972f31596ad9eb378fc96c4905c6d7dd1eb55fe3ffa5d12b756390c5e27c2cf10bfed062f001b77b9bb8057bb281

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
MD5
f2667d617c1c5156004ea365bc759c1c

SHA1
10592eb1cd290802867f1fa13470717fa5643f59

SHA256
e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

SHA512
1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
MD5
f2667d617c1c5156004ea365bc759c1c

SHA1
10592eb1cd290802867f1fa13470717fa5643f59

SHA256
e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

SHA512
1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

Download Submit
\Windows\Resources\spoolsv.exe
MD5
161db796a25cf2bbd19f18d438400cf9

SHA1
b42436bece3a15771cb54f60d4a47e0469660c02

SHA256
60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a

SHA512
76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32

Download Submit
\Windows\Resources\spoolsv.exe
MD5
161db796a25cf2bbd19f18d438400cf9

SHA1
b42436bece3a15771cb54f60d4a47e0469660c02

SHA256
60bbd8f97d7b8bc3b2561162e8722cf41367dddb93b633da9a859708c953885a

SHA512
76919760ef88397423c36aeffc2cd0324d13efbe9031c1463bbe9233b1d1831e79cd37b9eed5e1859002899e79dddfcd64a1f7de79d077981e5e4c945db9aa32

Download Submit
\Windows\Resources\svchost.exe
MD5
96002ea74ef7086cabcd0b74b6eae617

SHA1
c251574fecf4d1453c01c0d36d02ead805d14eb7

SHA256
7d386f44a0d69da1cba031ec573d8361dff08bb5841c205556a466b085020cab

SHA512
f2b26df1b6c6be69a7c930fa271b75e73638f6e166462036dea24eb8436e5d495388c766f9154c53c81c3b685e48ee9d805769c1dc7917be87b50e47b8c593c7

Download Submit
memory/260-121-0x0000000000000000-mapping.dmp

Download
memory/260-127-0x000000001A920000-0x000000001A922000-memory.dmp

Filesize
8KB

Download
memory/260-128-0x000000001A924000-0x000000001A926000-memory.dmp

Filesize
8KB

Download
memory/316-218-0x0000000000000000-mapping.dmp

Download
memory/584-191-0x000000001ACF0000-0x000000001ACF2000-memory.dmp

Filesize
8KB

Download
memory/584-192-0x000000001ACF4000-0x000000001ACF6000-memory.dmp

Filesize
8KB

Download
memory/584-188-0x0000000000000000-mapping.dmp

Download
memory/604-138-0x0000000000000000-mapping.dmp

Download
memory/792-220-0x0000000000000000-mapping.dmp

Download
memory/792-224-0x000000001AA54000-0x000000001AA56000-memory.dmp

Filesize
8KB

Download
memory/792-223-0x000000001AA50000-0x000000001AA52000-memory.dmp

Filesize
8KB

Download
memory/900-176-0x000000013F560000-0x000000013F561000-memory.dmp

Filesize
4KB

Download
memory/900-172-0x0000000000000000-mapping.dmp

Download
memory/920-112-0x0000000000000000-mapping.dmp

Download
memory/920-119-0x000000001AB30000-0x000000001AB32000-memory.dmp

Filesize
8KB

Download
memory/920-120-0x000000001AB34000-0x000000001AB36000-memory.dmp

Filesize
8KB

Download
memory/944-170-0x0000000000000000-mapping.dmp

Download
memory/1020-166-0x0000000000000000-mapping.dmp

Download
memory/1140-200-0x000000001AE44000-0x000000001AE46000-memory.dmp

Filesize
8KB

Download
memory/1140-199-0x000000001AE40000-0x000000001AE42000-memory.dmp

Filesize
8KB

Download
memory/1140-197-0x0000000000000000-mapping.dmp

Download
memory/1200-206-0x0000000000000000-mapping.dmp

Download
memory/1268-217-0x0000000000000000-mapping.dmp

Download
memory/1292-100-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1292-101-0x000000001AB80000-0x000000001AB82000-memory.dmp

Filesize
8KB

Download
memory/1292-95-0x0000000000000000-mapping.dmp

Download
memory/1292-98-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1292-99-0x000000001AC00000-0x000000001AC01000-memory.dmp

Filesize
4KB

Download
memory/1292-102-0x000000001AB84000-0x000000001AB86000-memory.dmp

Filesize
8KB

Download
memory/1292-103-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1316-234-0x0000000000000000-mapping.dmp

Download
memory/1364-201-0x0000000000000000-mapping.dmp

Download
memory/1364-203-0x000000001AD20000-0x000000001AD22000-memory.dmp

Filesize
8KB

Download
memory/1364-204-0x000000001AD24000-0x000000001AD26000-memory.dmp

Filesize
8KB

Download
memory/1380-175-0x0000000000000000-mapping.dmp

Download
memory/1384-211-0x0000000000000000-mapping.dmp

Download
memory/1448-168-0x000000001B810000-0x000000001B812000-memory.dmp

Filesize
8KB

Download
memory/1448-167-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/1448-67-0x000000013FBC0000-0x000000013FBC1000-memory.dmp

Filesize
4KB

Download
memory/1448-64-0x0000000000000000-mapping.dmp

Download
memory/1452-212-0x0000000000000000-mapping.dmp

Download
memory/1452-215-0x000000001ADA0000-0x000000001ADA2000-memory.dmp

Filesize
8KB

Download
memory/1452-216-0x000000001ADA4000-0x000000001ADA6000-memory.dmp

Filesize
8KB

Download
memory/1544-209-0x0000000000000000-mapping.dmp

Download
memory/1552-145-0x0000000000000000-mapping.dmp

Download
memory/1564-169-0x0000000000000000-mapping.dmp

Download
memory/1568-187-0x0000000000000000-mapping.dmp

Download
memory/1580-214-0x000000001ABB0000-0x000000001ABB2000-memory.dmp

Filesize
8KB

Download
memory/1580-184-0x0000000000000000-mapping.dmp

Download
memory/1608-93-0x000000001B450000-0x000000001B451000-memory.dmp

Filesize
4KB

Download
memory/1608-73-0x000000001AA30000-0x000000001AA31000-memory.dmp

Filesize
4KB

Download
memory/1608-78-0x000000001B3C0000-0x000000001B3C1000-memory.dmp

Filesize
4KB

Download
memory/1608-81-0x000000001B3F0000-0x000000001B3F1000-memory.dmp

Filesize
4KB

Download
memory/1608-94-0x000000001B460000-0x000000001B461000-memory.dmp

Filesize
4KB

Download
memory/1608-76-0x000000001A9B0000-0x000000001A9B2000-memory.dmp

Filesize
8KB

Download
memory/1608-77-0x000000001A9B4000-0x000000001A9B6000-memory.dmp

Filesize
8KB

Download
memory/1608-70-0x0000000000000000-mapping.dmp

Download
memory/1608-71-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

Filesize
8KB

Download
memory/1608-75-0x000000001A990000-0x000000001A991000-memory.dmp

Filesize
4KB

Download
memory/1608-72-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/1608-74-0x000000001A760000-0x000000001A761000-memory.dmp

Filesize
4KB

Download
memory/1624-164-0x0000000000000000-mapping.dmp

Download
memory/1648-227-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/1648-228-0x000000001ABF4000-0x000000001ABF6000-memory.dmp

Filesize
8KB

Download
memory/1648-225-0x0000000000000000-mapping.dmp

Download
memory/1652-219-0x0000000000000000-mapping.dmp

Download
memory/1672-69-0x0000000000000000-mapping.dmp

Download
memory/1800-159-0x0000000000000000-mapping.dmp

Download
memory/1864-152-0x0000000000000000-mapping.dmp

Download
memory/1976-229-0x0000000000000000-mapping.dmp

Download
memory/1976-232-0x000000001AC70000-0x000000001AC72000-memory.dmp

Filesize
8KB

Download
memory/1976-233-0x000000001AC74000-0x000000001AC76000-memory.dmp

Filesize
8KB

Download
memory/1988-131-0x0000000000000000-mapping.dmp

Download
memory/1992-193-0x0000000000000000-mapping.dmp

Download
memory/1992-196-0x000000001AC74000-0x000000001AC76000-memory.dmp

Filesize
8KB

Download
memory/1992-195-0x000000001AC70000-0x000000001AC72000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads