8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
Size

1016KB
MD5

bb80bec60840b8f1b3c8a9510fef4613
SHA1

370d906cbdf5a220ca57b19a33651c96c4cba16e
SHA256

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed
SHA512

472d4002cb4b44dd264ddf3c1a3bccc7674eb430a3e73c401b7617a0a09597ce8d00a2a9bc9b35e459de075fa57938547a98aac6c5c5f26c591d362025113c87

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Executes dropped EXE 6 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2036	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
1720	icsys.icn.exe
1980	explorer.exe
1776	spoolsv.exe
612	svchost.exe
1400	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 11 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
1720	icsys.icn.exe
1720	icsys.icn.exe
1980	explorer.exe
1980	explorer.exe
1776	spoolsv.exe
1776	spoolsv.exe
612	svchost.exe
612	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
1720	icsys.icn.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
612	svchost.exe
612	svchost.exe
1980	explorer.exe
1980	explorer.exe
612	svchost.exe
612	svchost.exe
1980	explorer.exe
1980	explorer.exe
612	svchost.exe
612	svchost.exe
1980	explorer.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
1980	explorer.exe
612	svchost.exe
612	svchost.exe
1980	explorer.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
612	svchost.exe
1980	explorer.exe
1980	explorer.exe
612	svchost.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
612	svchost.exe
1980	explorer.exe
1980	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe explorer.exesvchost.exe

pid process

2036 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
1980 explorer.exe
612 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe

pid process

2036 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe

pid process

2036 8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
2036	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
1720	icsys.icn.exe
1720	icsys.icn.exe
1980	explorer.exe
1980	explorer.exe
1776	spoolsv.exe
1776	spoolsv.exe
612	svchost.exe
612	svchost.exe
1400	spoolsv.exe
1400	spoolsv.exe
1980	explorer.exe
1980	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1596 wrote to memory of 2036	1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
PID 1596 wrote to memory of 2036	1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
PID 1596 wrote to memory of 2036	1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
PID 1596 wrote to memory of 2036	1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
PID 1596 wrote to memory of 1720	1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	icsys.icn.exe
PID 1596 wrote to memory of 1720	1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	icsys.icn.exe
PID 1596 wrote to memory of 1720	1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	icsys.icn.exe
PID 1596 wrote to memory of 1720	1596	8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe	icsys.icn.exe
PID 1720 wrote to memory of 1980	1720	icsys.icn.exe	explorer.exe
PID 1720 wrote to memory of 1980	1720	icsys.icn.exe	explorer.exe
PID 1720 wrote to memory of 1980	1720	icsys.icn.exe	explorer.exe
PID 1720 wrote to memory of 1980	1720	icsys.icn.exe	explorer.exe
PID 1980 wrote to memory of 1776	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 1776	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 1776	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 1776	1980	explorer.exe	spoolsv.exe
PID 1776 wrote to memory of 612	1776	spoolsv.exe	svchost.exe
PID 1776 wrote to memory of 612	1776	spoolsv.exe	svchost.exe
PID 1776 wrote to memory of 612	1776	spoolsv.exe	svchost.exe
PID 1776 wrote to memory of 612	1776	spoolsv.exe	svchost.exe
PID 612 wrote to memory of 1400	612	svchost.exe	spoolsv.exe
PID 612 wrote to memory of 1400	612	svchost.exe	spoolsv.exe
PID 612 wrote to memory of 1400	612	svchost.exe	spoolsv.exe
PID 612 wrote to memory of 1400	612	svchost.exe	spoolsv.exe
PID 612 wrote to memory of 596	612	svchost.exe	at.exe
PID 612 wrote to memory of 596	612	svchost.exe	at.exe
PID 612 wrote to memory of 596	612	svchost.exe	at.exe
PID 612 wrote to memory of 596	612	svchost.exe	at.exe
PID 612 wrote to memory of 1228	612	svchost.exe	at.exe
PID 612 wrote to memory of 1228	612	svchost.exe	at.exe
PID 612 wrote to memory of 1228	612	svchost.exe	at.exe
PID 612 wrote to memory of 1228	612	svchost.exe	at.exe
PID 612 wrote to memory of 940	612	svchost.exe	at.exe
PID 612 wrote to memory of 940	612	svchost.exe	at.exe
PID 612 wrote to memory of 940	612	svchost.exe	at.exe
PID 612 wrote to memory of 940	612	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
"C:\Users\Admin\AppData\Local\Temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596

\??\c:\users\admin\appdata\local\temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
c:\users\admin\appdata\local\temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Windows\SysWOW64\at.exe
at 00:17 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:596

C:\Windows\SysWOW64\at.exe
at 00:18 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1228

C:\Windows\SysWOW64\at.exe
at 00:19 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:940

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
Filesize
809KB

MD5
28a6e4b12a94d3e766626a5a3546ca67

SHA1
fe8cd64f503452fe9c00c47f26f4e4f98425dcfb

SHA256
cf965fa2f4f18d3aba24c692565507a41836aa0508906a5ee8f9612a5b2bfc16

SHA512
1d8175942db1ff1aa049ceffe0a2e1f257f38b396eb557b0ebe20197c0d92818d498853fc7d177a2d0bdc496ff99c9de8bb09a18ecd005e0dc29328f2cb7109e

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
207KB

MD5
eaacda946e481850c7b876ccdb8b8868

SHA1
e8d1a667d951c96d3d397e1ffa249f1af543faf0

SHA256
a2cc43959de842eb8c6ec85271058aa154ce317025e62626d0f80fd8dced8a01

SHA512
6dd67ff9349e1c181e0b83120c65e66479be2ba47fcba23cffaa67d215432c0c9b1b4e5de0938aca88f3aa275a158625b352a881dbe36a9ca3f259a06e7e6780

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
206KB

MD5
5326f55eeaa913ca7fbfb677683f0be2

SHA1
81fef3a1af3e98fd58c1a2bcf035d3fa4390ddd5

SHA256
20bf30ae27d39473e2b0d285cf05ea0c842feecb23a04f883091801fc979623b

SHA512
e4040c03847e0dd689b791297e1f554d211ea5a50cda72404f0bcc4a11b6f8abe974328531c8968f4ceca1095c38c0679b737aa19043b7c365edee9fa86fe7da

Download Submit
C:\Windows\system\explorer.exe
Filesize
206KB

MD5
d0546b068c3241b7a71645ebe2c9b6fd

SHA1
ee6f820bf6b2d2ab92187e0dcb9375dbcd5657c2

SHA256
f0491b0379952989285ca8161aad6f41838a572819f5b3d121f003dcbff8e0d5

SHA512
98db1b9bedbf3abab6c24dad013dea8be27f401fb2d823a0308d37fa68ff8f1bb43e42a0908e2a6b176a40ad8dbc16f3af0798bbe283be8b8bb52a42117cd47e

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
206KB

MD5
4ec9aae9e491ebace9ae602e3a80bdef

SHA1
04282b449acbc65056d0fc4e50ee6052ce41e372

SHA256
62622ce209372b79d76e0f6ee47ef9f2f020b7be0c2d98b111badfa07263a3c8

SHA512
217246edff16fb162b0c1d4c3270081ef0b1e65d254ad84e77d61aa4f6cf27ecabc29ee2a0127072d5fc00587033cf53fabbc00f04e9f2c23cc35839c3c58001

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
206KB

MD5
4ec9aae9e491ebace9ae602e3a80bdef

SHA1
04282b449acbc65056d0fc4e50ee6052ce41e372

SHA256
62622ce209372b79d76e0f6ee47ef9f2f020b7be0c2d98b111badfa07263a3c8

SHA512
217246edff16fb162b0c1d4c3270081ef0b1e65d254ad84e77d61aa4f6cf27ecabc29ee2a0127072d5fc00587033cf53fabbc00f04e9f2c23cc35839c3c58001

Download Submit
C:\Windows\system\svchost.exe
Filesize
206KB

MD5
b4beb43c13c0e38bf0a48616734d5dd7

SHA1
4942c3c5e8e1f60a967e57b8a1a0e03315bec6fd

SHA256
a84fbfb6e14b667e7463a1b0361f45042b387fa03f31b7d9b238b30ea329f366

SHA512
697759a9ad0e7e401b62066f05e5be145cbaa33a1a23a101c721501960d8e278e535eeb371e7dd571cb1625b39983b2bbaf5f788501d7d713e11653f7d1b6c7f

Download Submit
\??\PIPE\atsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe
Filesize
207KB

MD5
eaacda946e481850c7b876ccdb8b8868

SHA1
e8d1a667d951c96d3d397e1ffa249f1af543faf0

SHA256
a2cc43959de842eb8c6ec85271058aa154ce317025e62626d0f80fd8dced8a01

SHA512
6dd67ff9349e1c181e0b83120c65e66479be2ba47fcba23cffaa67d215432c0c9b1b4e5de0938aca88f3aa275a158625b352a881dbe36a9ca3f259a06e7e6780

Download Submit
\??\c:\windows\system\explorer.exe
Filesize
206KB

MD5
d0546b068c3241b7a71645ebe2c9b6fd

SHA1
ee6f820bf6b2d2ab92187e0dcb9375dbcd5657c2

SHA256
f0491b0379952989285ca8161aad6f41838a572819f5b3d121f003dcbff8e0d5

SHA512
98db1b9bedbf3abab6c24dad013dea8be27f401fb2d823a0308d37fa68ff8f1bb43e42a0908e2a6b176a40ad8dbc16f3af0798bbe283be8b8bb52a42117cd47e

Download Submit
\??\c:\windows\system\spoolsv.exe
Filesize
206KB

MD5
4ec9aae9e491ebace9ae602e3a80bdef

SHA1
04282b449acbc65056d0fc4e50ee6052ce41e372

SHA256
62622ce209372b79d76e0f6ee47ef9f2f020b7be0c2d98b111badfa07263a3c8

SHA512
217246edff16fb162b0c1d4c3270081ef0b1e65d254ad84e77d61aa4f6cf27ecabc29ee2a0127072d5fc00587033cf53fabbc00f04e9f2c23cc35839c3c58001

Download Submit
\??\c:\windows\system\svchost.exe
Filesize
206KB

MD5
b4beb43c13c0e38bf0a48616734d5dd7

SHA1
4942c3c5e8e1f60a967e57b8a1a0e03315bec6fd

SHA256
a84fbfb6e14b667e7463a1b0361f45042b387fa03f31b7d9b238b30ea329f366

SHA512
697759a9ad0e7e401b62066f05e5be145cbaa33a1a23a101c721501960d8e278e535eeb371e7dd571cb1625b39983b2bbaf5f788501d7d713e11653f7d1b6c7f

Download Submit
\Users\Admin\AppData\Local\Temp\8f02bc4665601683aab6ab9c825d0c4002cfe531c0f74020cf5fb02199bdf4ed.exe
Filesize
809KB

MD5
28a6e4b12a94d3e766626a5a3546ca67

SHA1
fe8cd64f503452fe9c00c47f26f4e4f98425dcfb

SHA256
cf965fa2f4f18d3aba24c692565507a41836aa0508906a5ee8f9612a5b2bfc16

SHA512
1d8175942db1ff1aa049ceffe0a2e1f257f38b396eb557b0ebe20197c0d92818d498853fc7d177a2d0bdc496ff99c9de8bb09a18ecd005e0dc29328f2cb7109e

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
207KB

MD5
eaacda946e481850c7b876ccdb8b8868

SHA1
e8d1a667d951c96d3d397e1ffa249f1af543faf0

SHA256
a2cc43959de842eb8c6ec85271058aa154ce317025e62626d0f80fd8dced8a01

SHA512
6dd67ff9349e1c181e0b83120c65e66479be2ba47fcba23cffaa67d215432c0c9b1b4e5de0938aca88f3aa275a158625b352a881dbe36a9ca3f259a06e7e6780

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
207KB

MD5
eaacda946e481850c7b876ccdb8b8868

SHA1
e8d1a667d951c96d3d397e1ffa249f1af543faf0

SHA256
a2cc43959de842eb8c6ec85271058aa154ce317025e62626d0f80fd8dced8a01

SHA512
6dd67ff9349e1c181e0b83120c65e66479be2ba47fcba23cffaa67d215432c0c9b1b4e5de0938aca88f3aa275a158625b352a881dbe36a9ca3f259a06e7e6780

Download Submit
\Windows\system\explorer.exe
Filesize
206KB

MD5
d0546b068c3241b7a71645ebe2c9b6fd

SHA1
ee6f820bf6b2d2ab92187e0dcb9375dbcd5657c2

SHA256
f0491b0379952989285ca8161aad6f41838a572819f5b3d121f003dcbff8e0d5

SHA512
98db1b9bedbf3abab6c24dad013dea8be27f401fb2d823a0308d37fa68ff8f1bb43e42a0908e2a6b176a40ad8dbc16f3af0798bbe283be8b8bb52a42117cd47e

Download Submit
\Windows\system\explorer.exe
Filesize
206KB

MD5
d0546b068c3241b7a71645ebe2c9b6fd

SHA1
ee6f820bf6b2d2ab92187e0dcb9375dbcd5657c2

SHA256
f0491b0379952989285ca8161aad6f41838a572819f5b3d121f003dcbff8e0d5

SHA512
98db1b9bedbf3abab6c24dad013dea8be27f401fb2d823a0308d37fa68ff8f1bb43e42a0908e2a6b176a40ad8dbc16f3af0798bbe283be8b8bb52a42117cd47e

Download Submit
\Windows\system\spoolsv.exe
Filesize
206KB

MD5
4ec9aae9e491ebace9ae602e3a80bdef

SHA1
04282b449acbc65056d0fc4e50ee6052ce41e372

SHA256
62622ce209372b79d76e0f6ee47ef9f2f020b7be0c2d98b111badfa07263a3c8

SHA512
217246edff16fb162b0c1d4c3270081ef0b1e65d254ad84e77d61aa4f6cf27ecabc29ee2a0127072d5fc00587033cf53fabbc00f04e9f2c23cc35839c3c58001

Download Submit
\Windows\system\spoolsv.exe
Filesize
206KB

MD5
4ec9aae9e491ebace9ae602e3a80bdef

SHA1
04282b449acbc65056d0fc4e50ee6052ce41e372

SHA256
62622ce209372b79d76e0f6ee47ef9f2f020b7be0c2d98b111badfa07263a3c8

SHA512
217246edff16fb162b0c1d4c3270081ef0b1e65d254ad84e77d61aa4f6cf27ecabc29ee2a0127072d5fc00587033cf53fabbc00f04e9f2c23cc35839c3c58001

Download Submit
\Windows\system\spoolsv.exe
Filesize
206KB

MD5
4ec9aae9e491ebace9ae602e3a80bdef

SHA1
04282b449acbc65056d0fc4e50ee6052ce41e372

SHA256
62622ce209372b79d76e0f6ee47ef9f2f020b7be0c2d98b111badfa07263a3c8

SHA512
217246edff16fb162b0c1d4c3270081ef0b1e65d254ad84e77d61aa4f6cf27ecabc29ee2a0127072d5fc00587033cf53fabbc00f04e9f2c23cc35839c3c58001

Download Submit
\Windows\system\spoolsv.exe
Filesize
206KB

MD5
4ec9aae9e491ebace9ae602e3a80bdef

SHA1
04282b449acbc65056d0fc4e50ee6052ce41e372

SHA256
62622ce209372b79d76e0f6ee47ef9f2f020b7be0c2d98b111badfa07263a3c8

SHA512
217246edff16fb162b0c1d4c3270081ef0b1e65d254ad84e77d61aa4f6cf27ecabc29ee2a0127072d5fc00587033cf53fabbc00f04e9f2c23cc35839c3c58001

Download Submit
\Windows\system\svchost.exe
Filesize
206KB

MD5
b4beb43c13c0e38bf0a48616734d5dd7

SHA1
4942c3c5e8e1f60a967e57b8a1a0e03315bec6fd

SHA256
a84fbfb6e14b667e7463a1b0361f45042b387fa03f31b7d9b238b30ea329f366

SHA512
697759a9ad0e7e401b62066f05e5be145cbaa33a1a23a101c721501960d8e278e535eeb371e7dd571cb1625b39983b2bbaf5f788501d7d713e11653f7d1b6c7f

Download Submit
\Windows\system\svchost.exe
Filesize
206KB

MD5
b4beb43c13c0e38bf0a48616734d5dd7

SHA1
4942c3c5e8e1f60a967e57b8a1a0e03315bec6fd

SHA256
a84fbfb6e14b667e7463a1b0361f45042b387fa03f31b7d9b238b30ea329f366

SHA512
697759a9ad0e7e401b62066f05e5be145cbaa33a1a23a101c721501960d8e278e535eeb371e7dd571cb1625b39983b2bbaf5f788501d7d713e11653f7d1b6c7f

Download Submit
memory/596-105-0x0000000000000000-mapping.dmp

Download
memory/612-91-0x0000000000000000-mapping.dmp

Download
memory/940-110-0x0000000000000000-mapping.dmp

Download
memory/1228-108-0x0000000000000000-mapping.dmp

Download
memory/1400-100-0x0000000000000000-mapping.dmp

Download
memory/1596-57-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1720-64-0x0000000000000000-mapping.dmp

Download
memory/1776-82-0x0000000000000000-mapping.dmp

Download
memory/1980-73-0x0000000000000000-mapping.dmp

Download
memory/2036-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads