61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
20-05-2022 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
Size

243KB
MD5

d9c47086d5ef9774c6e6a78695b224c2
SHA1

dfa323b0e0319a895b217988895dcbac2cadee25
SHA256

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba
SHA512

ad479b4c9797a853b7edf989f05914849f9a074d7dbcb77aedb5250dc76b6dfe74bf7297adb8c8faa4e921094eef5db6c9fa4347cdae3aa907907e08d9bb619e

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Executes dropped EXE 6 IoCs

Processes:

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
3136	icsys.icn.exe
2336	explorer.exe
2436	spoolsv.exe
3340	svchost.exe
3952	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exeicsys.icn.exe

pid	process
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
3136	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

2336 explorer.exe
3340 svchost.exe

pid	process
2336	explorer.exe
3340	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
3136	icsys.icn.exe
3136	icsys.icn.exe
2336	explorer.exe
2336	explorer.exe
2436	spoolsv.exe
2436	spoolsv.exe
3340	svchost.exe
3340	svchost.exe
3952	spoolsv.exe
3952	spoolsv.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe icsys.icn.execmd.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 5072 wrote to memory of 4476	5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
PID 5072 wrote to memory of 4476	5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
PID 5072 wrote to memory of 4476	5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
PID 5072 wrote to memory of 3136	5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	icsys.icn.exe
PID 5072 wrote to memory of 3136	5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	icsys.icn.exe
PID 5072 wrote to memory of 3136	5072	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	icsys.icn.exe
PID 4476 wrote to memory of 1812	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 1812	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 1812	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 2720	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 2720	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 2720	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 3136 wrote to memory of 2336	3136	icsys.icn.exe	explorer.exe
PID 3136 wrote to memory of 2336	3136	icsys.icn.exe	explorer.exe
PID 3136 wrote to memory of 2336	3136	icsys.icn.exe	explorer.exe
PID 4476 wrote to memory of 1520	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 1520	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 1520	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 1520 wrote to memory of 3696	1520	cmd.exe	attrib.exe
PID 1520 wrote to memory of 3696	1520	cmd.exe	attrib.exe
PID 1520 wrote to memory of 3696	1520	cmd.exe	attrib.exe
PID 2336 wrote to memory of 2436	2336	explorer.exe	spoolsv.exe
PID 2336 wrote to memory of 2436	2336	explorer.exe	spoolsv.exe
PID 2336 wrote to memory of 2436	2336	explorer.exe	spoolsv.exe
PID 4476 wrote to memory of 3440	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 3440	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 3440	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 2436 wrote to memory of 3340	2436	spoolsv.exe	svchost.exe
PID 2436 wrote to memory of 3340	2436	spoolsv.exe	svchost.exe
PID 2436 wrote to memory of 3340	2436	spoolsv.exe	svchost.exe
PID 3340 wrote to memory of 3952	3340	svchost.exe	spoolsv.exe
PID 3340 wrote to memory of 3952	3340	svchost.exe	spoolsv.exe
PID 3340 wrote to memory of 3952	3340	svchost.exe	spoolsv.exe
PID 4476 wrote to memory of 2124	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 2124	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 2124	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4304	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4304	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4304	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 3380	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 3380	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 3380	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4596	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4596	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4596	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4528	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4528	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4528	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 3308	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 3308	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 3308	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4980	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4980	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe
PID 4476 wrote to memory of 4980	4476	61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3696 attrib.exe

pid	process
3696	attrib.exe

C:\Users\Admin\AppData\Local\Temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
"C:\Users\Admin\AppData\Local\Temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5072

\??\c:\users\admin\appdata\local\temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
c:\users\admin\appdata\local\temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
3⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
3⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
3⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
4⤵
- Views/modifies file attributes
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:4980

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3136

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3340

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
Filesize
108KB

MD5
b90b0d18391a3f0971dd03f3945718f7

SHA1
99335914aeb9bc7691ba2cfc2133b9b297ecfb9b

SHA256
3dcf8bcf3606652429c9a49bfd6f7a2c2dcd6ec01717de7b5f806c254b1382a8

SHA512
c98e2dd8f115cc43947d4390ca070630471814492c7a18c72fb5d4e19fe98822dd1d142771be383194c3db1d0d018406c49ce77aaf00703773a2fd1793211fbe

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
3917186ad461e102b7adb188a14c9070

SHA1
e04ab4119af915de47933fb9f812b0ea656a7faf

SHA256
ddeff84816c6c4922f5a7b40d81d6ac6c38e4acf5b54bad951974224e005e071

SHA512
e58eadfb57b20350a263890928dfacc36d45800be801093046fdbb91e9dcf9d3a759cd2487518e163a80212362e24a7f1f4f789a416285b641e778ee37105da7

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
cad4a5347fdc759b7cc35996eea6c16f

SHA1
3a8ae75c5f73a796e27b5a740259f17e26ba0754

SHA256
f4b04aad2e6da8b93046396335f8ea80227b893add11de5d79c33bab40112ad3

SHA512
cfdd44c47847997d3894a4d54014db501cc74fc2651031ed695b56ae014ec41fd346d31d1ea546ab0d1c9e4e24df18b8b3396f2f9eee976383a24c369099cecd

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
cad4a5347fdc759b7cc35996eea6c16f

SHA1
3a8ae75c5f73a796e27b5a740259f17e26ba0754

SHA256
f4b04aad2e6da8b93046396335f8ea80227b893add11de5d79c33bab40112ad3

SHA512
cfdd44c47847997d3894a4d54014db501cc74fc2651031ed695b56ae014ec41fd346d31d1ea546ab0d1c9e4e24df18b8b3396f2f9eee976383a24c369099cecd

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
ec1b7938d2634c3151a6b1cd86ee7afa

SHA1
baf46c37ee0a4eb25c2bd7da3eef3727f83eda13

SHA256
055a576f2aa8bea31ffd7738418126be6b0410e707cfbd3ba596a268b7e72b11

SHA512
66ad28113be336a83a6a79449d5cc2c87f20d3ee0e6d1b8e8b75ef0d4c87d9d5ad2c49a07d3498633b6361cc749984566d3ebc4abfab01210e786d9a3bcb8282

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
ec1b7938d2634c3151a6b1cd86ee7afa

SHA1
baf46c37ee0a4eb25c2bd7da3eef3727f83eda13

SHA256
055a576f2aa8bea31ffd7738418126be6b0410e707cfbd3ba596a268b7e72b11

SHA512
66ad28113be336a83a6a79449d5cc2c87f20d3ee0e6d1b8e8b75ef0d4c87d9d5ad2c49a07d3498633b6361cc749984566d3ebc4abfab01210e786d9a3bcb8282

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
b8fc7d20426d1ffe642fbe8e917ff80d

SHA1
3d2ec93d9e583d23d1d2e5905636f7098bc45254

SHA256
41de9cc2c11dbc66367a2857e6a75bdabe7827bb64ff845eac5b728d76d977fa

SHA512
3b24d22a2e623c2198814edd2ff20efcbdc43ef689e8ed988a1fffe4b102ee8a9c71ec7b09cc39a784b3158f07005b3579c52c773c796ab197392d6bf98e4148

Download Submit
\??\c:\users\admin\appdata\local\temp\61e6b0b375d6862ab8447e4a3f707010f096c3b7f6527dabfb2e48a40fb8e9ba.exe
Filesize
108KB

MD5
b90b0d18391a3f0971dd03f3945718f7

SHA1
99335914aeb9bc7691ba2cfc2133b9b297ecfb9b

SHA256
3dcf8bcf3606652429c9a49bfd6f7a2c2dcd6ec01717de7b5f806c254b1382a8

SHA512
c98e2dd8f115cc43947d4390ca070630471814492c7a18c72fb5d4e19fe98822dd1d142771be383194c3db1d0d018406c49ce77aaf00703773a2fd1793211fbe

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
135KB

MD5
ec1b7938d2634c3151a6b1cd86ee7afa

SHA1
baf46c37ee0a4eb25c2bd7da3eef3727f83eda13

SHA256
055a576f2aa8bea31ffd7738418126be6b0410e707cfbd3ba596a268b7e72b11

SHA512
66ad28113be336a83a6a79449d5cc2c87f20d3ee0e6d1b8e8b75ef0d4c87d9d5ad2c49a07d3498633b6361cc749984566d3ebc4abfab01210e786d9a3bcb8282

Download Submit
\??\c:\windows\resources\svchost.exe
Filesize
135KB

MD5
b8fc7d20426d1ffe642fbe8e917ff80d

SHA1
3d2ec93d9e583d23d1d2e5905636f7098bc45254

SHA256
41de9cc2c11dbc66367a2857e6a75bdabe7827bb64ff845eac5b728d76d977fa

SHA512
3b24d22a2e623c2198814edd2ff20efcbdc43ef689e8ed988a1fffe4b102ee8a9c71ec7b09cc39a784b3158f07005b3579c52c773c796ab197392d6bf98e4148

Download Submit
\??\c:\windows\resources\themes\explorer.exe
Filesize
135KB

MD5
3917186ad461e102b7adb188a14c9070

SHA1
e04ab4119af915de47933fb9f812b0ea656a7faf

SHA256
ddeff84816c6c4922f5a7b40d81d6ac6c38e4acf5b54bad951974224e005e071

SHA512
e58eadfb57b20350a263890928dfacc36d45800be801093046fdbb91e9dcf9d3a759cd2487518e163a80212362e24a7f1f4f789a416285b641e778ee37105da7

Download Submit
memory/1520-147-0x0000000000000000-mapping.dmp

Download
memory/1812-142-0x0000000000000000-mapping.dmp

Download
memory/2124-174-0x0000000000000000-mapping.dmp

Download
memory/2336-144-0x0000000000000000-mapping.dmp

Download
memory/2336-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2436-152-0x0000000000000000-mapping.dmp

Download
memory/2436-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-143-0x0000000000000000-mapping.dmp

Download
memory/3136-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3136-135-0x0000000000000000-mapping.dmp

Download
memory/3308-179-0x0000000000000000-mapping.dmp

Download
memory/3340-159-0x0000000000000000-mapping.dmp

Download
memory/3380-176-0x0000000000000000-mapping.dmp

Download
memory/3440-158-0x0000000000000000-mapping.dmp

Download
memory/3696-151-0x0000000000000000-mapping.dmp

Download
memory/3952-165-0x0000000000000000-mapping.dmp

Download
memory/3952-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4304-175-0x0000000000000000-mapping.dmp

Download
memory/4476-133-0x0000000000000000-mapping.dmp

Download
memory/4528-178-0x0000000000000000-mapping.dmp

Download
memory/4596-177-0x0000000000000000-mapping.dmp

Download
memory/4980-180-0x0000000000000000-mapping.dmp

Download
memory/5072-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download