ee49570cc7c34e3d58400651141e04225db176c54c7fc6f704bba09133184c75

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
18/11/2023, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4rk_ware.exe
Size

760KB
MD5

8bd49467277cb9f87efefbe8e3cae943
SHA1

088eec7fc8e1df34781cdeac8dea14c4e64805a2
SHA256

ee49570cc7c34e3d58400651141e04225db176c54c7fc6f704bba09133184c75
SHA512

2d4979f86a572644cff34801c49e8e223cf03d37dda526dcf94bd62b040941d17876a86cee736ba2886d62adc7b972ff3769bd230fde65d57f0c9cb9a33c4f6f
SSDEEP

12288:PFUNDazKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKa:PFOaGxsv80do/lBc9eGjpDvZiquf

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 6 IoCs

pid	Process
2096	d4rk_ware.exe
2344	icsys.icn.exe
2756	explorer.exe
2636	spoolsv.exe
2504	svchost.exe
3028	spoolsv.exe

Loads dropped DLL 7 IoCs

pid	Process
2936	d4rk_ware.exe
2692	Process not Found
2936	d4rk_ware.exe
2344	icsys.icn.exe
2756	explorer.exe
2636	spoolsv.exe
2504	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2096	d4rk_ware.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	d4rk_ware.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
944	sc.exe
1752	sc.exe
2236	sc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2224	schtasks.exe
592	schtasks.exe
972	schtasks.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
1596	taskkill.exe
2880	taskkill.exe
2408	taskkill.exe
2400	taskkill.exe
2748	taskkill.exe
2728	taskkill.exe
832	taskkill.exe
1812	taskkill.exe
1496	taskkill.exe
396	taskkill.exe
1920	taskkill.exe
1376	taskkill.exe
1808	taskkill.exe
2436	taskkill.exe
1440	taskkill.exe
2840	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2756	explorer.exe
2504	svchost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2936	d4rk_ware.exe
2936	d4rk_ware.exe
2344	icsys.icn.exe
2344	icsys.icn.exe
2756	explorer.exe
2756	explorer.exe
2636	spoolsv.exe
2636	spoolsv.exe
2504	svchost.exe
2504	svchost.exe
3028	spoolsv.exe
3028	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2096	2936	d4rk_ware.exe	28
PID 2936 wrote to memory of 2096	2936	d4rk_ware.exe	28
PID 2936 wrote to memory of 2096	2936	d4rk_ware.exe	28
PID 2936 wrote to memory of 2096	2936	d4rk_ware.exe	28
PID 2936 wrote to memory of 2344	2936	d4rk_ware.exe	30
PID 2936 wrote to memory of 2344	2936	d4rk_ware.exe	30
PID 2936 wrote to memory of 2344	2936	d4rk_ware.exe	30
PID 2936 wrote to memory of 2344	2936	d4rk_ware.exe	30
PID 2096 wrote to memory of 2660	2096	d4rk_ware.exe	31
PID 2096 wrote to memory of 2660	2096	d4rk_ware.exe	31
PID 2096 wrote to memory of 2660	2096	d4rk_ware.exe	31
PID 2660 wrote to memory of 2776	2660	cmd.exe	34
PID 2660 wrote to memory of 2776	2660	cmd.exe	34
PID 2660 wrote to memory of 2776	2660	cmd.exe	34
PID 2660 wrote to memory of 2788	2660	cmd.exe	32
PID 2660 wrote to memory of 2788	2660	cmd.exe	32
PID 2660 wrote to memory of 2788	2660	cmd.exe	32
PID 2344 wrote to memory of 2756	2344	icsys.icn.exe	35
PID 2344 wrote to memory of 2756	2344	icsys.icn.exe	35
PID 2344 wrote to memory of 2756	2344	icsys.icn.exe	35
PID 2344 wrote to memory of 2756	2344	icsys.icn.exe	35
PID 2660 wrote to memory of 2956	2660	cmd.exe	33
PID 2660 wrote to memory of 2956	2660	cmd.exe	33
PID 2660 wrote to memory of 2956	2660	cmd.exe	33
PID 2756 wrote to memory of 2636	2756	explorer.exe	36
PID 2756 wrote to memory of 2636	2756	explorer.exe	36
PID 2756 wrote to memory of 2636	2756	explorer.exe	36
PID 2756 wrote to memory of 2636	2756	explorer.exe	36
PID 2636 wrote to memory of 2504	2636	spoolsv.exe	37
PID 2636 wrote to memory of 2504	2636	spoolsv.exe	37
PID 2636 wrote to memory of 2504	2636	spoolsv.exe	37
PID 2636 wrote to memory of 2504	2636	spoolsv.exe	37
PID 2504 wrote to memory of 3028	2504	svchost.exe	38
PID 2504 wrote to memory of 3028	2504	svchost.exe	38
PID 2504 wrote to memory of 3028	2504	svchost.exe	38
PID 2504 wrote to memory of 3028	2504	svchost.exe	38
PID 2756 wrote to memory of 344	2756	explorer.exe	39
PID 2756 wrote to memory of 344	2756	explorer.exe	39
PID 2756 wrote to memory of 344	2756	explorer.exe	39
PID 2756 wrote to memory of 344	2756	explorer.exe	39
PID 2504 wrote to memory of 2224	2504	svchost.exe	40
PID 2504 wrote to memory of 2224	2504	svchost.exe	40
PID 2504 wrote to memory of 2224	2504	svchost.exe	40
PID 2504 wrote to memory of 2224	2504	svchost.exe	40
PID 2096 wrote to memory of 1956	2096	d4rk_ware.exe	43
PID 2096 wrote to memory of 1956	2096	d4rk_ware.exe	43
PID 2096 wrote to memory of 1956	2096	d4rk_ware.exe	43
PID 1956 wrote to memory of 832	1956	cmd.exe	44
PID 1956 wrote to memory of 832	1956	cmd.exe	44
PID 1956 wrote to memory of 832	1956	cmd.exe	44
PID 2096 wrote to memory of 1664	2096	d4rk_ware.exe	46
PID 2096 wrote to memory of 1664	2096	d4rk_ware.exe	46
PID 2096 wrote to memory of 1664	2096	d4rk_ware.exe	46
PID 1664 wrote to memory of 1808	1664	cmd.exe	47
PID 1664 wrote to memory of 1808	1664	cmd.exe	47
PID 1664 wrote to memory of 1808	1664	cmd.exe	47
PID 2096 wrote to memory of 2212	2096	d4rk_ware.exe	48
PID 2096 wrote to memory of 2212	2096	d4rk_ware.exe	48
PID 2096 wrote to memory of 2212	2096	d4rk_ware.exe	48
PID 2212 wrote to memory of 2236	2212	cmd.exe	49
PID 2212 wrote to memory of 2236	2212	cmd.exe	49
PID 2212 wrote to memory of 2236	2212	cmd.exe	49
PID 2096 wrote to memory of 2420	2096	d4rk_ware.exe	50
PID 2096 wrote to memory of 2420	2096	d4rk_ware.exe	50

C:\Users\Admin\AppData\Local\Temp\d4rk_ware.exe
"C:\Users\Admin\AppData\Local\Temp\d4rk_ware.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936
- \??\c:\users\admin\appdata\local\temp\d4rk_ware.exe
  c:\users\admin\appdata\local\temp\d4rk_ware.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "c:\users\admin\appdata\local\temp\d4rk_ware.exe " MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2788
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2956
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "c:\users\admin\appdata\local\temp\d4rk_ware.exe " MD5
      4⤵
      PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2420
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:2412
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:320
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe > nul
    3⤵
    PID:608
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im epicgameslauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe > nul
    3⤵
    PID:1456
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicWebHelper.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping_EAC.exe > nul
    3⤵
    PID:1620
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient - Win64 - Shipping_EAC.exe
      4⤵
      Kills process with taskkill
      PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping_BE.exe > nul
    3⤵
    PID:1552
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient - Win64 - Shipping_BE.exe
      4⤵
      Kills process with taskkill
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe > nul
    3⤵
    PID:2704
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping.exe > nul
    3⤵
    PID:2752
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient - Win64 - Shipping.exe
      4⤵
      Kills process with taskkill
      PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe > nul
    3⤵
    PID:2596
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe > nul
    3⤵
    PID:2712
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe > nul
    3⤵
    PID:1300
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BEService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe > nul
    3⤵
    PID:2912
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BEServices.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe > nul
    3⤵
    PID:2464
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im BattleEye.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop BattlEye Service
    3⤵
    PID:1164
  - - C:\Windows\system32\sc.exe
      sc stop BattlEye Service
      4⤵
      Launches sc.exe
      PID:944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat
    3⤵
    PID:1588
  - - C:\Windows\system32\sc.exe
      sc stop EasyAntiCheat
      4⤵
      Launches sc.exe
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1672
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2344
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2636
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2504
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3028
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 16:40 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2224
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 16:41 /f
        6⤵
        Creates scheduled task(s)
        
        PID:592
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 16:42 /f
        6⤵
        Creates scheduled task(s)
        
        PID:972
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4rk_ware.exe

Filesize
625KB

MD5
b4910cef43bbc5afb698aa0141f0e381

SHA1
7783dd8c3662fd7ccdf4602647c4e6e46683d20e

SHA256
635adaf49ce37c0296cc821e6c18eb12657a300c041c2c1fb766681ab60c6b4b

SHA512
e6ca0a92bb9fc3b14abf3a3063ead7d8ce74dcd68fe358f084c0fc37c09622e4b967d8c71acb3cfce5fd4af242e942dfb86a1f409347091226b3b38c63ad70fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4rk_ware.exe

Filesize
625KB

MD5
b4910cef43bbc5afb698aa0141f0e381

SHA1
7783dd8c3662fd7ccdf4602647c4e6e46683d20e

SHA256
635adaf49ce37c0296cc821e6c18eb12657a300c041c2c1fb766681ab60c6b4b

SHA512
e6ca0a92bb9fc3b14abf3a3063ead7d8ce74dcd68fe358f084c0fc37c09622e4b967d8c71acb3cfce5fd4af242e942dfb86a1f409347091226b3b38c63ad70fc

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
806a20615356ef562d80c76e88d253ea

SHA1
60fa6628affa164df4001af4fdd6036467175c52

SHA256
693b4a162c642f093ce7fbf874e65d12ddc1f2ebb897bb8a0cd21029b8a6eaa8

SHA512
1bdfcc65ec2ab563ceef6cfbc971c3909db9462ad3f633481b076cb24fb50fe669a015209ce0e16d558be9e0ec0b8c8e449ac78fb0530db430e88e4d8c095a0f

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
806a20615356ef562d80c76e88d253ea

SHA1
60fa6628affa164df4001af4fdd6036467175c52

SHA256
693b4a162c642f093ce7fbf874e65d12ddc1f2ebb897bb8a0cd21029b8a6eaa8

SHA512
1bdfcc65ec2ab563ceef6cfbc971c3909db9462ad3f633481b076cb24fb50fe669a015209ce0e16d558be9e0ec0b8c8e449ac78fb0530db430e88e4d8c095a0f

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d96e9542c578e129300bc5a9041be46f

SHA1
e2d2a9f45b0f1b4fff8c7a5ed512671ae95ae351

SHA256
772fe8ee70f77356e05495eb8fc0174e4285d60d84dbd9631abda9af429c783c

SHA512
7f3da3ca8a69eeffecd34a2a9581852df12effbc6eed750506e87afd970a480268ff6d74491ebd8200fbd906741fdb66970c8eb61306531f617cde1519f75f9e

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
c47419db9318456b53531427f0dad74f

SHA1
247f7dfe9ab35d38272a4c9ca4d4c6f81581ac4b

SHA256
472d4fa3ff99eb4a70aa203ff30d40cc8346094c15a064439e9ddc7342f404ad

SHA512
c1e61b13bfa04d4d047d0292cab56516ccd7cb714adcae86913baf543257205058933f9bd69ed2a0142d131665539c1f83b3e71fee3b82fe8fff8ad50e86eb72

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
c47419db9318456b53531427f0dad74f

SHA1
247f7dfe9ab35d38272a4c9ca4d4c6f81581ac4b

SHA256
472d4fa3ff99eb4a70aa203ff30d40cc8346094c15a064439e9ddc7342f404ad

SHA512
c1e61b13bfa04d4d047d0292cab56516ccd7cb714adcae86913baf543257205058933f9bd69ed2a0142d131665539c1f83b3e71fee3b82fe8fff8ad50e86eb72

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
7dd6b8cdad31a9387b55df3a5a7c7e5f

SHA1
33969accf7b67bd3635716178525ccb8109e98e7

SHA256
55fdb6f0a2932cd5023e1c52ac6878bae200eb402c36b2c4ca7f5d6ba8f30dc0

SHA512
150ea9d58d1f0ca0a8af0ba614ff6144728ce60a07de4596c16c0f887ef467bf019e387bd6c96d98d25ac1402909d731472ac11f3c7e6822b64946c1cfbe6e4f

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
c47419db9318456b53531427f0dad74f

SHA1
247f7dfe9ab35d38272a4c9ca4d4c6f81581ac4b

SHA256
472d4fa3ff99eb4a70aa203ff30d40cc8346094c15a064439e9ddc7342f404ad

SHA512
c1e61b13bfa04d4d047d0292cab56516ccd7cb714adcae86913baf543257205058933f9bd69ed2a0142d131665539c1f83b3e71fee3b82fe8fff8ad50e86eb72

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
7dd6b8cdad31a9387b55df3a5a7c7e5f

SHA1
33969accf7b67bd3635716178525ccb8109e98e7

SHA256
55fdb6f0a2932cd5023e1c52ac6878bae200eb402c36b2c4ca7f5d6ba8f30dc0

SHA512
150ea9d58d1f0ca0a8af0ba614ff6144728ce60a07de4596c16c0f887ef467bf019e387bd6c96d98d25ac1402909d731472ac11f3c7e6822b64946c1cfbe6e4f

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
806a20615356ef562d80c76e88d253ea

SHA1
60fa6628affa164df4001af4fdd6036467175c52

SHA256
693b4a162c642f093ce7fbf874e65d12ddc1f2ebb897bb8a0cd21029b8a6eaa8

SHA512
1bdfcc65ec2ab563ceef6cfbc971c3909db9462ad3f633481b076cb24fb50fe669a015209ce0e16d558be9e0ec0b8c8e449ac78fb0530db430e88e4d8c095a0f

Download Submit
\??\c:\windows\resources\themes\icsys.icn.exe

Filesize
135KB

MD5
d96e9542c578e129300bc5a9041be46f

SHA1
e2d2a9f45b0f1b4fff8c7a5ed512671ae95ae351

SHA256
772fe8ee70f77356e05495eb8fc0174e4285d60d84dbd9631abda9af429c783c

SHA512
7f3da3ca8a69eeffecd34a2a9581852df12effbc6eed750506e87afd970a480268ff6d74491ebd8200fbd906741fdb66970c8eb61306531f617cde1519f75f9e

Download Submit
\Users\Admin\AppData\Local\Temp\d4rk_ware.exe

Filesize
625KB

MD5
b4910cef43bbc5afb698aa0141f0e381

SHA1
7783dd8c3662fd7ccdf4602647c4e6e46683d20e

SHA256
635adaf49ce37c0296cc821e6c18eb12657a300c041c2c1fb766681ab60c6b4b

SHA512
e6ca0a92bb9fc3b14abf3a3063ead7d8ce74dcd68fe358f084c0fc37c09622e4b967d8c71acb3cfce5fd4af242e942dfb86a1f409347091226b3b38c63ad70fc

Download Submit
\Users\Admin\AppData\Local\Temp\d4rk_ware.exe

Filesize
625KB

MD5
b4910cef43bbc5afb698aa0141f0e381

SHA1
7783dd8c3662fd7ccdf4602647c4e6e46683d20e

SHA256
635adaf49ce37c0296cc821e6c18eb12657a300c041c2c1fb766681ab60c6b4b

SHA512
e6ca0a92bb9fc3b14abf3a3063ead7d8ce74dcd68fe358f084c0fc37c09622e4b967d8c71acb3cfce5fd4af242e942dfb86a1f409347091226b3b38c63ad70fc

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
806a20615356ef562d80c76e88d253ea

SHA1
60fa6628affa164df4001af4fdd6036467175c52

SHA256
693b4a162c642f093ce7fbf874e65d12ddc1f2ebb897bb8a0cd21029b8a6eaa8

SHA512
1bdfcc65ec2ab563ceef6cfbc971c3909db9462ad3f633481b076cb24fb50fe669a015209ce0e16d558be9e0ec0b8c8e449ac78fb0530db430e88e4d8c095a0f

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d96e9542c578e129300bc5a9041be46f

SHA1
e2d2a9f45b0f1b4fff8c7a5ed512671ae95ae351

SHA256
772fe8ee70f77356e05495eb8fc0174e4285d60d84dbd9631abda9af429c783c

SHA512
7f3da3ca8a69eeffecd34a2a9581852df12effbc6eed750506e87afd970a480268ff6d74491ebd8200fbd906741fdb66970c8eb61306531f617cde1519f75f9e

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
c47419db9318456b53531427f0dad74f

SHA1
247f7dfe9ab35d38272a4c9ca4d4c6f81581ac4b

SHA256
472d4fa3ff99eb4a70aa203ff30d40cc8346094c15a064439e9ddc7342f404ad

SHA512
c1e61b13bfa04d4d047d0292cab56516ccd7cb714adcae86913baf543257205058933f9bd69ed2a0142d131665539c1f83b3e71fee3b82fe8fff8ad50e86eb72

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
c47419db9318456b53531427f0dad74f

SHA1
247f7dfe9ab35d38272a4c9ca4d4c6f81581ac4b

SHA256
472d4fa3ff99eb4a70aa203ff30d40cc8346094c15a064439e9ddc7342f404ad

SHA512
c1e61b13bfa04d4d047d0292cab56516ccd7cb714adcae86913baf543257205058933f9bd69ed2a0142d131665539c1f83b3e71fee3b82fe8fff8ad50e86eb72

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
7dd6b8cdad31a9387b55df3a5a7c7e5f

SHA1
33969accf7b67bd3635716178525ccb8109e98e7

SHA256
55fdb6f0a2932cd5023e1c52ac6878bae200eb402c36b2c4ca7f5d6ba8f30dc0

SHA512
150ea9d58d1f0ca0a8af0ba614ff6144728ce60a07de4596c16c0f887ef467bf019e387bd6c96d98d25ac1402909d731472ac11f3c7e6822b64946c1cfbe6e4f

Download Submit
memory/2344-24-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2344-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2936-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2936-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3028-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download