xmrig | 4a8e933462209a204f87c02e41e88e99541ccb85964a22d9762f443cf19af409

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
08-07-2021 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
Size

206KB
MD5

70c771952bc897446d3ddad90541a1e6
SHA1

b00b50a893e4552651c4a5c38cf4bb9aed7a101e
SHA256

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337
SHA512

33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Executes dropped EXE 11 IoCs

Processes:

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exesihost32.exeServices32.exeservices32.exe icsys.icn.exeexplorer.exe

pid	process
1404	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
3940	icsys.icn.exe
1776	explorer.exe
3016	spoolsv.exe
3604	svchost.exe
4012	spoolsv.exe
2388	sihost32.exe
2232	Services32.exe
2164	services32.exe
2632	icsys.icn.exe
2056	explorer.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exeServices32.exeaefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Services32.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1724 schtasks.exe
2696 schtasks.exe

pid	process
1724	schtasks.exe
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exepowershell.exepowershell.exepowershell.exepowershell.exeicsys.icn.exe

pid	process
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2496	powershell.exe
2496	powershell.exe
2496	powershell.exe
3680	powershell.exe
3680	powershell.exe
3680	powershell.exe
404	powershell.exe
404	powershell.exe
404	powershell.exe
3052	powershell.exe
3052	powershell.exe
3052	powershell.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
3940	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1776 explorer.exe
3604 svchost.exe

pid	process
1776	explorer.exe
3604	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeIncreaseQuotaPrivilege	2496	powershell.exe
Token: SeSecurityPrivilege	2496	powershell.exe
Token: SeTakeOwnershipPrivilege	2496	powershell.exe
Token: SeLoadDriverPrivilege	2496	powershell.exe
Token: SeSystemProfilePrivilege	2496	powershell.exe
Token: SeSystemtimePrivilege	2496	powershell.exe
Token: SeProfSingleProcessPrivilege	2496	powershell.exe
Token: SeIncBasePriorityPrivilege	2496	powershell.exe
Token: SeCreatePagefilePrivilege	2496	powershell.exe
Token: SeBackupPrivilege	2496	powershell.exe
Token: SeRestorePrivilege	2496	powershell.exe
Token: SeShutdownPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeSystemEnvironmentPrivilege	2496	powershell.exe
Token: SeRemoteShutdownPrivilege	2496	powershell.exe
Token: SeUndockPrivilege	2496	powershell.exe
Token: SeManageVolumePrivilege	2496	powershell.exe
Token: 33	2496	powershell.exe
Token: 34	2496	powershell.exe
Token: 35	2496	powershell.exe
Token: 36	2496	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeIncreaseQuotaPrivilege	3680	powershell.exe
Token: SeSecurityPrivilege	3680	powershell.exe
Token: SeTakeOwnershipPrivilege	3680	powershell.exe
Token: SeLoadDriverPrivilege	3680	powershell.exe
Token: SeSystemProfilePrivilege	3680	powershell.exe
Token: SeSystemtimePrivilege	3680	powershell.exe
Token: SeProfSingleProcessPrivilege	3680	powershell.exe
Token: SeIncBasePriorityPrivilege	3680	powershell.exe
Token: SeCreatePagefilePrivilege	3680	powershell.exe
Token: SeBackupPrivilege	3680	powershell.exe
Token: SeRestorePrivilege	3680	powershell.exe
Token: SeShutdownPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeSystemEnvironmentPrivilege	3680	powershell.exe
Token: SeRemoteShutdownPrivilege	3680	powershell.exe
Token: SeUndockPrivilege	3680	powershell.exe
Token: SeManageVolumePrivilege	3680	powershell.exe
Token: 33	3680	powershell.exe
Token: 34	3680	powershell.exe
Token: 35	3680	powershell.exe
Token: 36	3680	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeIncreaseQuotaPrivilege	404	powershell.exe
Token: SeSecurityPrivilege	404	powershell.exe
Token: SeTakeOwnershipPrivilege	404	powershell.exe
Token: SeLoadDriverPrivilege	404	powershell.exe
Token: SeSystemProfilePrivilege	404	powershell.exe
Token: SeSystemtimePrivilege	404	powershell.exe
Token: SeProfSingleProcessPrivilege	404	powershell.exe
Token: SeIncBasePriorityPrivilege	404	powershell.exe
Token: SeCreatePagefilePrivilege	404	powershell.exe
Token: SeBackupPrivilege	404	powershell.exe
Token: SeRestorePrivilege	404	powershell.exe
Token: SeShutdownPrivilege	404	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeSystemEnvironmentPrivilege	404	powershell.exe
Token: SeRemoteShutdownPrivilege	404	powershell.exe
Token: SeUndockPrivilege	404	powershell.exe
Token: SeManageVolumePrivilege	404	powershell.exe
Token: 33	404	powershell.exe
Token: 34	404	powershell.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeServices32.exeicsys.icn.exeexplorer.exe

pid	process
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
3940	icsys.icn.exe
3940	icsys.icn.exe
1776	explorer.exe
1776	explorer.exe
3016	spoolsv.exe
3016	spoolsv.exe
3604	svchost.exe
3604	svchost.exe
4012	spoolsv.exe
4012	spoolsv.exe
2232	Services32.exe
2232	Services32.exe
2632	icsys.icn.exe
2632	icsys.icn.exe
2056	explorer.exe
2056	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exeaefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe cmd.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.execmd.exesihost32.execmd.exeServices32.exeservices32.exe cmd.exeicsys.icn.exe

description	pid	process	target process
PID 2752 wrote to memory of 1404	2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
PID 2752 wrote to memory of 1404	2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
PID 1404 wrote to memory of 2152	1404	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	cmd.exe
PID 1404 wrote to memory of 2152	1404	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	cmd.exe
PID 2152 wrote to memory of 2496	2152	cmd.exe	powershell.exe
PID 2152 wrote to memory of 2496	2152	cmd.exe	powershell.exe
PID 2152 wrote to memory of 3680	2152	cmd.exe	powershell.exe
PID 2152 wrote to memory of 3680	2152	cmd.exe	powershell.exe
PID 2152 wrote to memory of 404	2152	cmd.exe	powershell.exe
PID 2152 wrote to memory of 404	2152	cmd.exe	powershell.exe
PID 2152 wrote to memory of 3052	2152	cmd.exe	powershell.exe
PID 2152 wrote to memory of 3052	2152	cmd.exe	powershell.exe
PID 2752 wrote to memory of 3940	2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	icsys.icn.exe
PID 2752 wrote to memory of 3940	2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	icsys.icn.exe
PID 2752 wrote to memory of 3940	2752	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	icsys.icn.exe
PID 3940 wrote to memory of 1776	3940	icsys.icn.exe	explorer.exe
PID 3940 wrote to memory of 1776	3940	icsys.icn.exe	explorer.exe
PID 3940 wrote to memory of 1776	3940	icsys.icn.exe	explorer.exe
PID 1776 wrote to memory of 3016	1776	explorer.exe	spoolsv.exe
PID 1776 wrote to memory of 3016	1776	explorer.exe	spoolsv.exe
PID 1776 wrote to memory of 3016	1776	explorer.exe	spoolsv.exe
PID 3016 wrote to memory of 3604	3016	spoolsv.exe	svchost.exe
PID 3016 wrote to memory of 3604	3016	spoolsv.exe	svchost.exe
PID 3016 wrote to memory of 3604	3016	spoolsv.exe	svchost.exe
PID 3604 wrote to memory of 4012	3604	svchost.exe	spoolsv.exe
PID 3604 wrote to memory of 4012	3604	svchost.exe	spoolsv.exe
PID 3604 wrote to memory of 4012	3604	svchost.exe	spoolsv.exe
PID 1404 wrote to memory of 740	1404	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	cmd.exe
PID 1404 wrote to memory of 740	1404	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	cmd.exe
PID 740 wrote to memory of 1724	740	cmd.exe	schtasks.exe
PID 740 wrote to memory of 1724	740	cmd.exe	schtasks.exe
PID 1404 wrote to memory of 2388	1404	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	sihost32.exe
PID 1404 wrote to memory of 2388	1404	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	sihost32.exe
PID 1404 wrote to memory of 2232	1404	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	Services32.exe
PID 1404 wrote to memory of 2232	1404	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	Services32.exe
PID 1404 wrote to memory of 2232	1404	aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe	Services32.exe
PID 2388 wrote to memory of 3968	2388	sihost32.exe	cmd.exe
PID 2388 wrote to memory of 3968	2388	sihost32.exe	cmd.exe
PID 3968 wrote to memory of 576	3968	cmd.exe	powershell.exe
PID 3968 wrote to memory of 576	3968	cmd.exe	powershell.exe
PID 2232 wrote to memory of 2164	2232	Services32.exe	services32.exe
PID 2232 wrote to memory of 2164	2232	Services32.exe	services32.exe
PID 2164 wrote to memory of 2424	2164	services32.exe	cmd.exe
PID 2164 wrote to memory of 2424	2164	services32.exe	cmd.exe
PID 2424 wrote to memory of 648	2424	cmd.exe	powershell.exe
PID 2424 wrote to memory of 648	2424	cmd.exe	powershell.exe
PID 3968 wrote to memory of 348	3968	cmd.exe	powershell.exe
PID 3968 wrote to memory of 348	3968	cmd.exe	powershell.exe
PID 2424 wrote to memory of 2152	2424	cmd.exe	powershell.exe
PID 2424 wrote to memory of 2152	2424	cmd.exe	powershell.exe
PID 3968 wrote to memory of 4012	3968	cmd.exe	powershell.exe
PID 3968 wrote to memory of 4012	3968	cmd.exe	powershell.exe
PID 2424 wrote to memory of 3728	2424	cmd.exe	powershell.exe
PID 2424 wrote to memory of 3728	2424	cmd.exe	powershell.exe
PID 3968 wrote to memory of 956	3968	cmd.exe	powershell.exe
PID 3968 wrote to memory of 956	3968	cmd.exe	powershell.exe
PID 2424 wrote to memory of 2636	2424	cmd.exe	powershell.exe
PID 2424 wrote to memory of 2636	2424	cmd.exe	powershell.exe
PID 2232 wrote to memory of 2632	2232	Services32.exe	icsys.icn.exe
PID 2232 wrote to memory of 2632	2232	Services32.exe	icsys.icn.exe
PID 2232 wrote to memory of 2632	2232	Services32.exe	icsys.icn.exe
PID 2632 wrote to memory of 2056	2632	icsys.icn.exe	explorer.exe
PID 2632 wrote to memory of 2056	2632	icsys.icn.exe	explorer.exe
PID 2632 wrote to memory of 2056	2632	icsys.icn.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
"C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752

\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
4⤵
- Creates scheduled task(s)
PID:1724

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry'
5⤵
PID:576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
5⤵
PID:348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
5⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\Services32.exe
"C:\Users\Admin\AppData\Local\Temp\Services32.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

\??\c:\users\admin\appdata\local\temp\services32.exe
c:\users\admin\appdata\local\temp\services32.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
6⤵
PID:648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
6⤵
PID:2152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
6⤵
PID:3728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
6⤵
PID:2636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
5⤵
PID:1600

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
6⤵
- Creates scheduled task(s)
PID:2696

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2632

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3940

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3604

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1e1c8f4ed558ffc8b479cce11ed3c8e2

SHA1
37cf5d103fa8465467517e345cc8fbbcc4835933

SHA256
5f0c871466028fd9f52eeed68748be6a0d17f24e78fbd2642f66619564726732

SHA512
0e8e629d5074568021d87da89776bbcd929385771f4b9aa1c0dcf12c9482996855c7eff465ca34810b11991b664cda7e59eccca14191a266fa6fddbea59f9ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7c1532f9ede6c767ac7199fd70b42eaf

SHA1
c56b395f50026b752112a384e5a4a18059208f59

SHA256
084e30202b9584447cf3a1bfb62327c09e6de0767d3382e81e91ee27a2ba0ca6

SHA512
2eb24c33b7ba04c700c33913a435d4a444a96bb01560ab11ad5530190cdbc93c34a3776ebbbf847d5dff78872bab6200ea0de9cc9cda6cef4c7fe2eb2c7b0737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
26d9025cd2f398aa93206c09c5c57349

SHA1
4b6bb3337f49c87075bf6b5f4387cb07d0f83108

SHA256
1804b8978794439e91a2641edc987af0c99bcae704878ce10d76b32926f6afb4

SHA512
079f1ea53e053cec86ed06e70e1b92b0c0347da77269dc0eb7f81cab10f41c0f9fdbb4c02220eb2f1b0e1ad49760b04fd95551ca4df37a14224abb711141795d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fa704b7db8cf07dbb9e0b17a53bbc4e5

SHA1
f74e668e9b89d62ffb1464271aba4a675a9d357f

SHA256
c97b89ce970dfb0761e0b690be2950cfff4c34c254c472e13556ce3863ccbdb7

SHA512
7e58504658aefcc3bb122d03f5e19c5ca860f1fbdd3ca276cfade4c523d8ac1982d5cf0fc3e1e47b088050637f580f255206486aa6162ece8f82d5cfb36cec61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
51ba6bed5b573b201974d4edc76ffe8d

SHA1
a6f6dd957338717ea9385f7aef2c1aeb250322fc

SHA256
497be848da48076dce041f961e120e79541f554f8ef0e927f0e25594170ea3b9

SHA512
640b6084944c67358984f34ff2b6504f73e54ea221ed697ef7703b6013a8192959a62d1e20516155802c18b20ac8a4812f2192ceaa4b40582d2df9efbcf00622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f2b69ffd60cc6e42514f2d6380e08771

SHA1
7d45cb8247c01a1cb1c5d48f12318823a72331f9

SHA256
4194bf9e10cc331cfdb2625bd0c0a22c7e46975797ebe2c7f155e92941431f84

SHA512
fcd37ea57654c0eb1dfcc777ae9f66a0cb322da9bc7bcbb8a8e6e2ebf5bceafefbffa41eb277e430ee44712a7233709138503d51e3e8618bd0e95a8e321d370f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8b64e8a76227430c2295a4530f2091df

SHA1
aa60958291be00727dc3d38e869eb9eae4434482

SHA256
50edab164b713502876a21af92297c768b8a14671b2fe119a119788aec4ca20d

SHA512
addd2dce133719b8e19224f533b2f4ec48bd51d0508796e6bc681f4f63c55bdd43da7aec5aa56da305f17362c7aa9ad708a426430d5531df63b5a6c350717d16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7ecbde2e98a22aacba0d18e3729f668a

SHA1
c4a99ac958d5f01944cb5fe90bcebdb136155f2f

SHA256
a93bd244f711d641dd2d0969460d3f53bb166f484d558fd34e30895732840cbe

SHA512
7783624627818b8c36771c03dd5fb141380e90ceade194f2e7394862895c173b1e667721b726acc8e501e7e9aaf8e53a1aca94e41f4dd45fef3733abeaa1bcfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
31216586aa0b3d3e0fd86175e8f8d8d2

SHA1
64710bad30ccca835a45875fdd6a669cb253a206

SHA256
ea6e656c7d3f23cae36e4b17276d96724d39b10da526af426dd1fcfd2df3d694

SHA512
544ab93598da507bceee8a31e087232a816d14c9b35d531aedc1b119a808634b2cd11d996fd78f7a8876fa4de8fe18d96ca72f378c42dbbfb3cdef641776721c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
33d7d3d68d5d35984eea73d0aaaed7eb

SHA1
965e66f8a3e098fd291c7c02b71eb8623162674c

SHA256
76f8eb458f16482d03f7d10d340696781aa6ac42e7a366530739675dc3451baf

SHA512
7d81ededb6965fddcc81c44bf538890638517139afbbfb15a1cf86caec3eeea82499d61f23d2a9593cd7f5c9a0027b179f3178e5a48e086f764de85331f277c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
291ebcf65c502bf17368d64ce32bb818

SHA1
97543eb41c5a7c5e1ec626fb397c03356a9c92f8

SHA256
8a41006fc58d8e56aeabbf52af497f8e7f4f407406f4e287a7618af151e65e3d

SHA512
626408b49b9e43e0bdfc97d35bc0cdc98ef5be96250d863395e020562c0ca1d824f2be8fc6c0ae813ec605c5555995a7a5a434adf0bbc810845696f73ed4d473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services32.exe
MD5
70c771952bc897446d3ddad90541a1e6

SHA1
b00b50a893e4552651c4a5c38cf4bb9aed7a101e

SHA256
aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

SHA512
33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Services32.exe
MD5
70c771952bc897446d3ddad90541a1e6

SHA1
b00b50a893e4552651c4a5c38cf4bb9aed7a101e

SHA256
aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

SHA512
33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
MD5
5552f88a40afa2e2fef5acbd590ac812

SHA1
5afef5451811830c1ec3108cd7ee66a0418a6186

SHA256
9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

SHA512
6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\services32.exe
MD5
5552f88a40afa2e2fef5acbd590ac812

SHA1
5afef5451811830c1ec3108cd7ee66a0418a6186

SHA256
9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

SHA512
6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
d1f4a92a1672d7d22a90e2567523d03e

SHA1
a1683621e2103e1df1ce22def923e4ef62ddcd11

SHA256
48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b

SHA512
2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
d1f4a92a1672d7d22a90e2567523d03e

SHA1
a1683621e2103e1df1ce22def923e4ef62ddcd11

SHA256
48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b

SHA512
2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

Download Submit
C:\Windows\Resources\Themes\explorer.exe
MD5
8c8438cf2ec0e6ea7435c2618b656a62

SHA1
268c7d79daa1b2442f660e18d444075684c498bd

SHA256
bf49d5c2e0a1a32d4227cb7c2b1f0a35c0fe88c4db79d68ac30c0434f74b4c3d

SHA512
26344174d508cab5be5315133ca721eb0b57ccaa9ff894744d8c3af3b9821822b03d0f7c2ee9bd3f4246b1bc98fbf4a7ecf2f64c2ecbd827ef565e91d474dab4

Download Submit
C:\Windows\Resources\Themes\explorer.exe
MD5
8c8438cf2ec0e6ea7435c2618b656a62

SHA1
268c7d79daa1b2442f660e18d444075684c498bd

SHA256
bf49d5c2e0a1a32d4227cb7c2b1f0a35c0fe88c4db79d68ac30c0434f74b4c3d

SHA512
26344174d508cab5be5315133ca721eb0b57ccaa9ff894744d8c3af3b9821822b03d0f7c2ee9bd3f4246b1bc98fbf4a7ecf2f64c2ecbd827ef565e91d474dab4

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
MD5
f2667d617c1c5156004ea365bc759c1c

SHA1
10592eb1cd290802867f1fa13470717fa5643f59

SHA256
e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

SHA512
1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
MD5
f2667d617c1c5156004ea365bc759c1c

SHA1
10592eb1cd290802867f1fa13470717fa5643f59

SHA256
e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

SHA512
1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
MD5
f2667d617c1c5156004ea365bc759c1c

SHA1
10592eb1cd290802867f1fa13470717fa5643f59

SHA256
e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

SHA512
1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

Download Submit
C:\Windows\Resources\spoolsv.exe
MD5
028df5bfcc82c179f9b1688a19e4d317

SHA1
64a183b9387a553e882da758157ed30bd60bd780

SHA256
5cae94b5e3c460a80022de232d0c2dfc5fbb22975c28e119dd0f46735126be3b

SHA512
11d3e360bd99af00029ab5d8655a5bfad28565ba12723e0aea72861fcc6f570e8e2648c99bd44bdd020daf91dea81c6e0def5da8c167b4a9cff81829affa2bb1

Download Submit
C:\Windows\Resources\spoolsv.exe
MD5
028df5bfcc82c179f9b1688a19e4d317

SHA1
64a183b9387a553e882da758157ed30bd60bd780

SHA256
5cae94b5e3c460a80022de232d0c2dfc5fbb22975c28e119dd0f46735126be3b

SHA512
11d3e360bd99af00029ab5d8655a5bfad28565ba12723e0aea72861fcc6f570e8e2648c99bd44bdd020daf91dea81c6e0def5da8c167b4a9cff81829affa2bb1

Download Submit
C:\Windows\Resources\svchost.exe
MD5
099b18a50e7a607d5d5e54cc6c5b4b1d

SHA1
36f44282c93d1ef39ae1bab0021c7f668852e5d3

SHA256
d5f3e5dce09fb66311d6edfef19dc6053b2fa79a9256dfdde1b914b39f2e88f2

SHA512
a8e9bec3d4d8bfb6f8a2592283ce20e10684784ac9101dd54ff92dc78ab5c20068984343416cf62df381701468a01fc894825bda8a74329c60e9591bdc403e24

Download Submit
\??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
MD5
5552f88a40afa2e2fef5acbd590ac812

SHA1
5afef5451811830c1ec3108cd7ee66a0418a6186

SHA256
9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

SHA512
6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

Download Submit
\??\c:\users\admin\appdata\local\temp\services32.exe
MD5
5552f88a40afa2e2fef5acbd590ac812

SHA1
5afef5451811830c1ec3108cd7ee66a0418a6186

SHA256
9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

SHA512
6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

Download Submit
\??\c:\windows\resources\spoolsv.exe
MD5
028df5bfcc82c179f9b1688a19e4d317

SHA1
64a183b9387a553e882da758157ed30bd60bd780

SHA256
5cae94b5e3c460a80022de232d0c2dfc5fbb22975c28e119dd0f46735126be3b

SHA512
11d3e360bd99af00029ab5d8655a5bfad28565ba12723e0aea72861fcc6f570e8e2648c99bd44bdd020daf91dea81c6e0def5da8c167b4a9cff81829affa2bb1

Download Submit
\??\c:\windows\resources\svchost.exe
MD5
099b18a50e7a607d5d5e54cc6c5b4b1d

SHA1
36f44282c93d1ef39ae1bab0021c7f668852e5d3

SHA256
d5f3e5dce09fb66311d6edfef19dc6053b2fa79a9256dfdde1b914b39f2e88f2

SHA512
a8e9bec3d4d8bfb6f8a2592283ce20e10684784ac9101dd54ff92dc78ab5c20068984343416cf62df381701468a01fc894825bda8a74329c60e9591bdc403e24

Download Submit
\??\c:\windows\resources\themes\explorer.exe
MD5
8c8438cf2ec0e6ea7435c2618b656a62

SHA1
268c7d79daa1b2442f660e18d444075684c498bd

SHA256
bf49d5c2e0a1a32d4227cb7c2b1f0a35c0fe88c4db79d68ac30c0434f74b4c3d

SHA512
26344174d508cab5be5315133ca721eb0b57ccaa9ff894744d8c3af3b9821822b03d0f7c2ee9bd3f4246b1bc98fbf4a7ecf2f64c2ecbd827ef565e91d474dab4

Download Submit
\??\c:\windows\resources\themes\icsys.icn.exe
MD5
f2667d617c1c5156004ea365bc759c1c

SHA1
10592eb1cd290802867f1fa13470717fa5643f59

SHA256
e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

SHA512
1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

Download Submit
memory/348-247-0x000002D36C110000-0x000002D36C112000-memory.dmp

Filesize
8KB

Download
memory/348-250-0x000002D36C116000-0x000002D36C118000-memory.dmp

Filesize
8KB

Download
memory/348-241-0x0000000000000000-mapping.dmp

Download
memory/348-248-0x000002D36C113000-0x000002D36C115000-memory.dmp

Filesize
8KB

Download
memory/348-259-0x000002D36C118000-0x000002D36C119000-memory.dmp

Filesize
4KB

Download
memory/404-192-0x0000000000000000-mapping.dmp

Download
memory/404-200-0x0000016EB8F28000-0x0000016EB8F29000-memory.dmp

Filesize
4KB

Download
memory/404-199-0x0000016EB8F26000-0x0000016EB8F28000-memory.dmp

Filesize
8KB

Download
memory/404-197-0x0000016EB8F23000-0x0000016EB8F25000-memory.dmp

Filesize
8KB

Download
memory/404-196-0x0000016EB8F20000-0x0000016EB8F22000-memory.dmp

Filesize
8KB

Download
memory/576-237-0x0000012878BB0000-0x0000012878BB2000-memory.dmp

Filesize
8KB

Download
memory/576-230-0x0000000000000000-mapping.dmp

Download
memory/576-244-0x0000012878BB6000-0x0000012878BB8000-memory.dmp

Filesize
8KB

Download
memory/576-246-0x0000012878BB8000-0x0000012878BB9000-memory.dmp

Filesize
4KB

Download
memory/576-238-0x0000012878BB3000-0x0000012878BB5000-memory.dmp

Filesize
8KB

Download
memory/648-236-0x0000000000000000-mapping.dmp

Download
memory/648-249-0x00000292F6DF8000-0x00000292F6DF9000-memory.dmp

Filesize
4KB

Download
memory/648-240-0x00000292F6DF3000-0x00000292F6DF5000-memory.dmp

Filesize
8KB

Download
memory/648-245-0x00000292F6DF6000-0x00000292F6DF8000-memory.dmp

Filesize
8KB

Download
memory/648-239-0x00000292F6DF0000-0x00000292F6DF2000-memory.dmp

Filesize
8KB

Download
memory/740-221-0x0000000000000000-mapping.dmp

Download
memory/956-266-0x0000000000000000-mapping.dmp

Download
memory/956-273-0x000001FD228F8000-0x000001FD228F9000-memory.dmp

Filesize
4KB

Download
memory/956-272-0x000001FD228F0000-0x000001FD228F2000-memory.dmp

Filesize
8KB

Download
memory/956-274-0x000001FD228F3000-0x000001FD228F5000-memory.dmp

Filesize
8KB

Download
memory/956-276-0x000001FD228F6000-0x000001FD228F8000-memory.dmp

Filesize
8KB

Download
memory/1404-120-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1404-220-0x000000001C9C0000-0x000000001C9C2000-memory.dmp

Filesize
8KB

Download
memory/1404-117-0x0000000000000000-mapping.dmp

Download
memory/1600-288-0x0000000000000000-mapping.dmp

Download
memory/1724-222-0x0000000000000000-mapping.dmp

Download
memory/1776-209-0x0000000000000000-mapping.dmp

Download
memory/2056-285-0x0000000000000000-mapping.dmp

Download
memory/2152-258-0x000002B1A46B6000-0x000002B1A46B8000-memory.dmp

Filesize
8KB

Download
memory/2152-252-0x000002B1A46B0000-0x000002B1A46B2000-memory.dmp

Filesize
8KB

Download
memory/2152-243-0x0000000000000000-mapping.dmp

Download
memory/2152-262-0x000002B1A46B8000-0x000002B1A46B9000-memory.dmp

Filesize
4KB

Download
memory/2152-122-0x0000000000000000-mapping.dmp

Download
memory/2152-253-0x000002B1A46B3000-0x000002B1A46B5000-memory.dmp

Filesize
8KB

Download
memory/2164-231-0x0000000000000000-mapping.dmp

Download
memory/2164-287-0x0000000001450000-0x0000000001452000-memory.dmp

Filesize
8KB

Download
memory/2232-226-0x0000000000000000-mapping.dmp

Download
memory/2388-223-0x0000000000000000-mapping.dmp

Download
memory/2424-234-0x0000000000000000-mapping.dmp

Download
memory/2496-153-0x000001E6AD803000-0x000001E6AD805000-memory.dmp

Filesize
8KB

Download
memory/2496-170-0x000001E6AD808000-0x000001E6AD809000-memory.dmp

Filesize
4KB

Download
memory/2496-154-0x000001E6AD806000-0x000001E6AD808000-memory.dmp

Filesize
8KB

Download
memory/2496-128-0x000001E6AF260000-0x000001E6AF261000-memory.dmp

Filesize
4KB

Download
memory/2496-132-0x000001E6C7AB0000-0x000001E6C7AB1000-memory.dmp

Filesize
4KB

Download
memory/2496-152-0x000001E6AD800000-0x000001E6AD802000-memory.dmp

Filesize
8KB

Download
memory/2496-123-0x0000000000000000-mapping.dmp

Download
memory/2632-282-0x0000000000000000-mapping.dmp

Download
memory/2636-281-0x000001A4AE7D8000-0x000001A4AE7D9000-memory.dmp

Filesize
4KB

Download
memory/2636-277-0x000001A4AE7D0000-0x000001A4AE7D2000-memory.dmp

Filesize
8KB

Download
memory/2636-279-0x000001A4AE7D6000-0x000001A4AE7D8000-memory.dmp

Filesize
8KB

Download
memory/2636-278-0x000001A4AE7D3000-0x000001A4AE7D5000-memory.dmp

Filesize
8KB

Download
memory/2636-268-0x0000000000000000-mapping.dmp

Download
memory/2696-289-0x0000000000000000-mapping.dmp

Download
memory/3016-212-0x0000000000000000-mapping.dmp

Download
memory/3052-204-0x0000025EA8F06000-0x0000025EA8F08000-memory.dmp

Filesize
8KB

Download
memory/3052-198-0x0000000000000000-mapping.dmp

Download
memory/3052-205-0x0000025EA8F08000-0x0000025EA8F09000-memory.dmp

Filesize
4KB

Download
memory/3052-202-0x0000025EA8F03000-0x0000025EA8F05000-memory.dmp

Filesize
8KB

Download
memory/3052-201-0x0000025EA8F00000-0x0000025EA8F02000-memory.dmp

Filesize
8KB

Download
memory/3604-215-0x0000000000000000-mapping.dmp

Download
memory/3680-174-0x000002E39AB13000-0x000002E39AB15000-memory.dmp

Filesize
8KB

Download
memory/3680-162-0x0000000000000000-mapping.dmp

Download
memory/3680-195-0x000002E39AB18000-0x000002E39AB19000-memory.dmp

Filesize
4KB

Download
memory/3680-194-0x000002E39AB16000-0x000002E39AB18000-memory.dmp

Filesize
8KB

Download
memory/3680-172-0x000002E39AB10000-0x000002E39AB12000-memory.dmp

Filesize
8KB

Download
memory/3728-265-0x000001E7B49C3000-0x000001E7B49C5000-memory.dmp

Filesize
8KB

Download
memory/3728-275-0x000001E7B49C8000-0x000001E7B49C9000-memory.dmp

Filesize
4KB

Download
memory/3728-264-0x000001E7B49C0000-0x000001E7B49C2000-memory.dmp

Filesize
8KB

Download
memory/3728-270-0x000001E7B49C6000-0x000001E7B49C8000-memory.dmp

Filesize
8KB

Download
memory/3728-256-0x0000000000000000-mapping.dmp

Download
memory/3940-206-0x0000000000000000-mapping.dmp

Download
memory/3968-227-0x0000000000000000-mapping.dmp

Download
memory/4012-271-0x0000020768098000-0x0000020768099000-memory.dmp

Filesize
4KB

Download
memory/4012-254-0x0000000000000000-mapping.dmp

Download
memory/4012-260-0x0000020768090000-0x0000020768092000-memory.dmp

Filesize
8KB

Download
memory/4012-261-0x0000020768093000-0x0000020768095000-memory.dmp

Filesize
8KB

Download
memory/4012-218-0x0000000000000000-mapping.dmp

Download
memory/4012-263-0x0000020768096000-0x0000020768098000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads