61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba

Analysis

max time kernel
150s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
Size

243KB
MD5

d9c47086d5ef9774c6e6a78695b224c2
SHA1

dfa323b0e0319a895b217988895dcbac2cadee25
SHA256

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba
SHA512

ad479b4c9797a853b7edf989f05914849f9a074d7dbcb77aedb5250dc76b6dfe74bf7297adb8c8faa4e921094eef5db6c9fa4347cdae3aa907907e08d9bb619e

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Executes dropped EXE 6 IoCs

Processes:

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1744	icsys.icn.exe
1216	explorer.exe
1132	spoolsv.exe
664	svchost.exe
756	spoolsv.exe

Loads dropped DLL 7 IoCs

Processes:

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1744	icsys.icn.exe
1216	explorer.exe
1132	spoolsv.exe
664	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exeexplorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exespoolsv.exe61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

996 schtasks.exe
1220 schtasks.exe
604 schtasks.exe

pid	process
996	schtasks.exe
1220	schtasks.exe
604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
1216	explorer.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe
664	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1216 explorer.exe
664 svchost.exe

pid	process
1216	explorer.exe
664	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
1744	icsys.icn.exe
1744	icsys.icn.exe
1216	explorer.exe
1216	explorer.exe
1132	spoolsv.exe
1132	spoolsv.exe
664	svchost.exe
664	svchost.exe
756	spoolsv.exe
756	spoolsv.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe icsys.icn.execmd.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1516 wrote to memory of 1732	1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
PID 1516 wrote to memory of 1732	1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
PID 1516 wrote to memory of 1732	1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
PID 1516 wrote to memory of 1732	1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
PID 1516 wrote to memory of 1744	1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	icsys.icn.exe
PID 1516 wrote to memory of 1744	1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	icsys.icn.exe
PID 1516 wrote to memory of 1744	1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	icsys.icn.exe
PID 1516 wrote to memory of 1744	1516	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	icsys.icn.exe
PID 1732 wrote to memory of 968	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 968	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 968	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 968	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 2020	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 2020	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 2020	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 2020	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1744 wrote to memory of 1216	1744	icsys.icn.exe	explorer.exe
PID 1744 wrote to memory of 1216	1744	icsys.icn.exe	explorer.exe
PID 1744 wrote to memory of 1216	1744	icsys.icn.exe	explorer.exe
PID 1744 wrote to memory of 1216	1744	icsys.icn.exe	explorer.exe
PID 1732 wrote to memory of 2036	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 2036	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 2036	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 2036	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 2036 wrote to memory of 328	2036	cmd.exe	attrib.exe
PID 2036 wrote to memory of 328	2036	cmd.exe	attrib.exe
PID 2036 wrote to memory of 328	2036	cmd.exe	attrib.exe
PID 2036 wrote to memory of 328	2036	cmd.exe	attrib.exe
PID 1216 wrote to memory of 1132	1216	explorer.exe	spoolsv.exe
PID 1216 wrote to memory of 1132	1216	explorer.exe	spoolsv.exe
PID 1216 wrote to memory of 1132	1216	explorer.exe	spoolsv.exe
PID 1216 wrote to memory of 1132	1216	explorer.exe	spoolsv.exe
PID 1132 wrote to memory of 664	1132	spoolsv.exe	svchost.exe
PID 1132 wrote to memory of 664	1132	spoolsv.exe	svchost.exe
PID 1132 wrote to memory of 664	1132	spoolsv.exe	svchost.exe
PID 1132 wrote to memory of 664	1132	spoolsv.exe	svchost.exe
PID 664 wrote to memory of 756	664	svchost.exe	spoolsv.exe
PID 664 wrote to memory of 756	664	svchost.exe	spoolsv.exe
PID 664 wrote to memory of 756	664	svchost.exe	spoolsv.exe
PID 664 wrote to memory of 756	664	svchost.exe	spoolsv.exe
PID 1216 wrote to memory of 696	1216	explorer.exe	Explorer.exe
PID 1216 wrote to memory of 696	1216	explorer.exe	Explorer.exe
PID 1216 wrote to memory of 696	1216	explorer.exe	Explorer.exe
PID 1216 wrote to memory of 696	1216	explorer.exe	Explorer.exe
PID 664 wrote to memory of 996	664	svchost.exe	schtasks.exe
PID 664 wrote to memory of 996	664	svchost.exe	schtasks.exe
PID 664 wrote to memory of 996	664	svchost.exe	schtasks.exe
PID 664 wrote to memory of 996	664	svchost.exe	schtasks.exe
PID 1732 wrote to memory of 1396	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 1396	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 1396	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1732 wrote to memory of 1396	1732	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 664 wrote to memory of 1220	664	svchost.exe	schtasks.exe
PID 664 wrote to memory of 1220	664	svchost.exe	schtasks.exe
PID 664 wrote to memory of 1220	664	svchost.exe	schtasks.exe
PID 664 wrote to memory of 1220	664	svchost.exe	schtasks.exe
PID 664 wrote to memory of 604	664	svchost.exe	schtasks.exe
PID 664 wrote to memory of 604	664	svchost.exe	schtasks.exe
PID 664 wrote to memory of 604	664	svchost.exe	schtasks.exe
PID 664 wrote to memory of 604	664	svchost.exe	schtasks.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

328 attrib.exe

pid	process
328	attrib.exe

C:\Users\Admin\AppData\Local\Temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
"C:\Users\Admin\AppData\Local\Temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

\??\c:\users\admin\appdata\local\temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
c:\users\admin\appdata\local\temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
3⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
3⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
3⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
4⤵
- Views/modifies file attributes
PID:328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1396

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1216

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1132

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:02 /f
6⤵
- Creates scheduled task(s)
PID:996

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:03 /f
6⤵
- Creates scheduled task(s)
PID:1220

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 01:04 /f
6⤵
- Creates scheduled task(s)
PID:604

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:696

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
Filesize
108KB

MD5
b90b0d18391a3f0971dd03f3945718f7

SHA1
99335914aeb9bc7691ba2cfc2133b9b297ecfb9b

SHA256
3dcf8bcf3606652429c9a49bfd6f7a2c2dcd6ec01717de7b5f806c254b1382a8

SHA512
c98e2dd8f115cc43947d4390ca070630471814492c7a18c72fb5d4e19fe98822dd1d142771be383194c3db1d0d018406c49ce77aaf00703773a2fd1793211fbe

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
53ccd62b2dd881eb4c58b47ca4a62e53

SHA1
4a133328a1c4e2f3d8d7e8546b6f1dbe0f6985ee

SHA256
6d041ad6e848467931138730e2591945324818315b0ac24e11f68c01ad75df87

SHA512
50c2a96ac33e88a688981622f274c8032f54cd9ce1202faa29b9c4562c2a9837af143a74dc49c40a6e7f556397e0298cb75cfbd133484807e743e733c8c5448d

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
cad4a5347fdc759b7cc35996eea6c16f

SHA1
3a8ae75c5f73a796e27b5a740259f17e26ba0754

SHA256
f4b04aad2e6da8b93046396335f8ea80227b893add11de5d79c33bab40112ad3

SHA512
cfdd44c47847997d3894a4d54014db501cc74fc2651031ed695b56ae014ec41fd346d31d1ea546ab0d1c9e4e24df18b8b3396f2f9eee976383a24c369099cecd

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
8c3dbd52b825d79e31cadfcae608f03d

SHA1
fb82188230f0d4b63f145b3afa752948a2117d87

SHA256
de30d915a5d64b3baa7c4c3757a4868a712509c5bdbcaecf27fa20a38c0577e7

SHA512
6762a624083b0f0760d7ce8fe965d4d84da519bc1ff9aa75613f17bd581211a915635842a2cb193932fe79e124ea7b8b9693bf3f36bb2816ab800e18c6989428

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
8c3dbd52b825d79e31cadfcae608f03d

SHA1
fb82188230f0d4b63f145b3afa752948a2117d87

SHA256
de30d915a5d64b3baa7c4c3757a4868a712509c5bdbcaecf27fa20a38c0577e7

SHA512
6762a624083b0f0760d7ce8fe965d4d84da519bc1ff9aa75613f17bd581211a915635842a2cb193932fe79e124ea7b8b9693bf3f36bb2816ab800e18c6989428

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
c70665be1397519ca31d25ebf3067371

SHA1
12b3316b7cfcf33bddbda3f95a54db652109891c

SHA256
ebadbf37148751afe64ff4fcca5a09fa43d3d27bd22dd154dd243b9f4512e843

SHA512
fc0378ba5b4ce2e72ce2e952737d733a7d591e746851efd23ea5ce68d7fcf0b52e266a85c885b89349db79a638d351babc45c8cbf5b20df966afebcd8378a2ba

Download Submit
\??\c:\users\admin\appdata\local\temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
Filesize
108KB

MD5
b90b0d18391a3f0971dd03f3945718f7

SHA1
99335914aeb9bc7691ba2cfc2133b9b297ecfb9b

SHA256
3dcf8bcf3606652429c9a49bfd6f7a2c2dcd6ec01717de7b5f806c254b1382a8

SHA512
c98e2dd8f115cc43947d4390ca070630471814492c7a18c72fb5d4e19fe98822dd1d142771be383194c3db1d0d018406c49ce77aaf00703773a2fd1793211fbe

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
135KB

MD5
8c3dbd52b825d79e31cadfcae608f03d

SHA1
fb82188230f0d4b63f145b3afa752948a2117d87

SHA256
de30d915a5d64b3baa7c4c3757a4868a712509c5bdbcaecf27fa20a38c0577e7

SHA512
6762a624083b0f0760d7ce8fe965d4d84da519bc1ff9aa75613f17bd581211a915635842a2cb193932fe79e124ea7b8b9693bf3f36bb2816ab800e18c6989428

Download Submit
\??\c:\windows\resources\svchost.exe
Filesize
135KB

MD5
c70665be1397519ca31d25ebf3067371

SHA1
12b3316b7cfcf33bddbda3f95a54db652109891c

SHA256
ebadbf37148751afe64ff4fcca5a09fa43d3d27bd22dd154dd243b9f4512e843

SHA512
fc0378ba5b4ce2e72ce2e952737d733a7d591e746851efd23ea5ce68d7fcf0b52e266a85c885b89349db79a638d351babc45c8cbf5b20df966afebcd8378a2ba

Download Submit
\??\c:\windows\resources\themes\explorer.exe
Filesize
135KB

MD5
53ccd62b2dd881eb4c58b47ca4a62e53

SHA1
4a133328a1c4e2f3d8d7e8546b6f1dbe0f6985ee

SHA256
6d041ad6e848467931138730e2591945324818315b0ac24e11f68c01ad75df87

SHA512
50c2a96ac33e88a688981622f274c8032f54cd9ce1202faa29b9c4562c2a9837af143a74dc49c40a6e7f556397e0298cb75cfbd133484807e743e733c8c5448d

Download Submit
\??\c:\windows\resources\themes\icsys.icn.exe
Filesize
135KB

MD5
cad4a5347fdc759b7cc35996eea6c16f

SHA1
3a8ae75c5f73a796e27b5a740259f17e26ba0754

SHA256
f4b04aad2e6da8b93046396335f8ea80227b893add11de5d79c33bab40112ad3

SHA512
cfdd44c47847997d3894a4d54014db501cc74fc2651031ed695b56ae014ec41fd346d31d1ea546ab0d1c9e4e24df18b8b3396f2f9eee976383a24c369099cecd

Download Submit
\Users\Admin\AppData\Local\Temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
Filesize
108KB

MD5
b90b0d18391a3f0971dd03f3945718f7

SHA1
99335914aeb9bc7691ba2cfc2133b9b297ecfb9b

SHA256
3dcf8bcf3606652429c9a49bfd6f7a2c2dcd6ec01717de7b5f806c254b1382a8

SHA512
c98e2dd8f115cc43947d4390ca070630471814492c7a18c72fb5d4e19fe98822dd1d142771be383194c3db1d0d018406c49ce77aaf00703773a2fd1793211fbe

Download Submit
\Users\Admin\AppData\Local\Temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
Filesize
108KB

MD5
b90b0d18391a3f0971dd03f3945718f7

SHA1
99335914aeb9bc7691ba2cfc2133b9b297ecfb9b

SHA256
3dcf8bcf3606652429c9a49bfd6f7a2c2dcd6ec01717de7b5f806c254b1382a8

SHA512
c98e2dd8f115cc43947d4390ca070630471814492c7a18c72fb5d4e19fe98822dd1d142771be383194c3db1d0d018406c49ce77aaf00703773a2fd1793211fbe

Download Submit
\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
53ccd62b2dd881eb4c58b47ca4a62e53

SHA1
4a133328a1c4e2f3d8d7e8546b6f1dbe0f6985ee

SHA256
6d041ad6e848467931138730e2591945324818315b0ac24e11f68c01ad75df87

SHA512
50c2a96ac33e88a688981622f274c8032f54cd9ce1202faa29b9c4562c2a9837af143a74dc49c40a6e7f556397e0298cb75cfbd133484807e743e733c8c5448d

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
cad4a5347fdc759b7cc35996eea6c16f

SHA1
3a8ae75c5f73a796e27b5a740259f17e26ba0754

SHA256
f4b04aad2e6da8b93046396335f8ea80227b893add11de5d79c33bab40112ad3

SHA512
cfdd44c47847997d3894a4d54014db501cc74fc2651031ed695b56ae014ec41fd346d31d1ea546ab0d1c9e4e24df18b8b3396f2f9eee976383a24c369099cecd

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
8c3dbd52b825d79e31cadfcae608f03d

SHA1
fb82188230f0d4b63f145b3afa752948a2117d87

SHA256
de30d915a5d64b3baa7c4c3757a4868a712509c5bdbcaecf27fa20a38c0577e7

SHA512
6762a624083b0f0760d7ce8fe965d4d84da519bc1ff9aa75613f17bd581211a915635842a2cb193932fe79e124ea7b8b9693bf3f36bb2816ab800e18c6989428

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
8c3dbd52b825d79e31cadfcae608f03d

SHA1
fb82188230f0d4b63f145b3afa752948a2117d87

SHA256
de30d915a5d64b3baa7c4c3757a4868a712509c5bdbcaecf27fa20a38c0577e7

SHA512
6762a624083b0f0760d7ce8fe965d4d84da519bc1ff9aa75613f17bd581211a915635842a2cb193932fe79e124ea7b8b9693bf3f36bb2816ab800e18c6989428

Download Submit
\Windows\Resources\svchost.exe
Filesize
135KB

MD5
c70665be1397519ca31d25ebf3067371

SHA1
12b3316b7cfcf33bddbda3f95a54db652109891c

SHA256
ebadbf37148751afe64ff4fcca5a09fa43d3d27bd22dd154dd243b9f4512e843

SHA512
fc0378ba5b4ce2e72ce2e952737d733a7d591e746851efd23ea5ce68d7fcf0b52e266a85c885b89349db79a638d351babc45c8cbf5b20df966afebcd8378a2ba

Download Submit
memory/328-77-0x0000000000000000-mapping.dmp

Download
memory/604-109-0x0000000000000000-mapping.dmp

Download
memory/664-87-0x0000000000000000-mapping.dmp

Download
memory/696-102-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/696-101-0x0000000000000000-mapping.dmp

Download
memory/756-94-0x0000000000000000-mapping.dmp

Download
memory/756-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-68-0x0000000000000000-mapping.dmp

Download
memory/996-105-0x0000000000000000-mapping.dmp

Download
memory/1132-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-80-0x0000000000000000-mapping.dmp

Download
memory/1216-71-0x0000000000000000-mapping.dmp

Download
memory/1216-110-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1220-108-0x0000000000000000-mapping.dmp

Download
memory/1396-107-0x0000000000000000-mapping.dmp

Download
memory/1516-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-59-0x0000000000000000-mapping.dmp

Download
memory/1744-104-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-62-0x0000000000000000-mapping.dmp

Download
memory/2020-70-0x0000000000000000-mapping.dmp

Download
memory/2036-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads