509166edc96857df176933f0efd86e52705c19c78922f833c9207d337742a277

General

Target

Free_Candy_Optimizer.exe
Size

2.8MB
MD5

08ee4afb6173700b40bd882dcb430896
SHA1

3fbae4aa4fcf51624a730a4b0e4ecf88ee139597
SHA256

509166edc96857df176933f0efd86e52705c19c78922f833c9207d337742a277
SHA512

1e8b896fb4aa677d3d83b6ff48fbcfaf9484444de94f8464b1daa8ceb264617ea84e4811c4d67481d6244dd74370011a49ebe3b747a4a61f657e66264e4a577b
SSDEEP

49152:BXzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEVYq:BXzhW148Pd+Tf1mpcOldJQ3/VN

Score

10^/10

evasion persistence themida trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

svchost.exespoolsv.exeFree_Candy_Optimizer.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Free_Candy_Optimizer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Free_Candy_Optimizer.exeicsys.icn.exespoolsv.exesvchost.exespoolsv.exeexplorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Free_Candy_Optimizer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Free_Candy_Optimizer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe

Executes dropped EXE 6 IoCs

Processes:

free_candy_optimizer.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

3636 free_candy_optimizer.exe
4964 icsys.icn.exe
4260 explorer.exe
1488 spoolsv.exe
4180 svchost.exe
3416 spoolsv.exe

pid	process
3636	free_candy_optimizer.exe
4964	icsys.icn.exe
4260	explorer.exe
1488	spoolsv.exe
4180	svchost.exe
3416	spoolsv.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3016-0-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\icsys.icn.exe	themida
behavioral2/memory/4964-14-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\explorer.exe	themida
behavioral2/memory/4260-24-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\??\c:\windows\resources\spoolsv.exe	themida
behavioral2/memory/1488-33-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\??\c:\windows\resources\svchost.exe	themida
behavioral2/memory/4180-42-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3016-47-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4964-49-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3416-48-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3016-54-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3416-53-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1488-55-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4964-56-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4260-57-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4260-58-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4180-59-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4180-61-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4180-63-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4260-68-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4260-76-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exefree_candy_optimizer.exe explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	free_candy_optimizer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

explorer.exespoolsv.exesvchost.exespoolsv.exeFree_Candy_Optimizer.exeicsys.icn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Free_Candy_Optimizer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Free_Candy_Optimizer.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

3016 Free_Candy_Optimizer.exe
4964 icsys.icn.exe
4260 explorer.exe
1488 spoolsv.exe
4180 svchost.exe
3416 spoolsv.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exeFree_Candy_Optimizer.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Free_Candy_Optimizer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3920 timeout.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3704 NOTEPAD.EXE

pid	process
3920	timeout.exe

pid	process
3704	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Free_Candy_Optimizer.exeicsys.icn.exe

pid	process
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4964	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

4260 explorer.exe
4180 svchost.exe

pid	process
4260	explorer.exe
4180	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Free_Candy_Optimizer.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3016	Free_Candy_Optimizer.exe
3016	Free_Candy_Optimizer.exe
4964	icsys.icn.exe
4964	icsys.icn.exe
4260	explorer.exe
4260	explorer.exe
1488	spoolsv.exe
1488	spoolsv.exe
4180	svchost.exe
4180	svchost.exe
3416	spoolsv.exe
3416	spoolsv.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Free_Candy_Optimizer.exefree_candy_optimizer.exe cmd.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3016 wrote to memory of 3636	3016	Free_Candy_Optimizer.exe	free_candy_optimizer.exe
PID 3016 wrote to memory of 3636	3016	Free_Candy_Optimizer.exe	free_candy_optimizer.exe
PID 3636 wrote to memory of 2880	3636	free_candy_optimizer.exe	cmd.exe
PID 3636 wrote to memory of 2880	3636	free_candy_optimizer.exe	cmd.exe
PID 3016 wrote to memory of 4964	3016	Free_Candy_Optimizer.exe	icsys.icn.exe
PID 3016 wrote to memory of 4964	3016	Free_Candy_Optimizer.exe	icsys.icn.exe
PID 3016 wrote to memory of 4964	3016	Free_Candy_Optimizer.exe	icsys.icn.exe
PID 2880 wrote to memory of 4372	2880	cmd.exe	chcp.com
PID 2880 wrote to memory of 4372	2880	cmd.exe	chcp.com
PID 2880 wrote to memory of 3920	2880	cmd.exe	timeout.exe
PID 2880 wrote to memory of 3920	2880	cmd.exe	timeout.exe
PID 4964 wrote to memory of 4260	4964	icsys.icn.exe	explorer.exe
PID 4964 wrote to memory of 4260	4964	icsys.icn.exe	explorer.exe
PID 4964 wrote to memory of 4260	4964	icsys.icn.exe	explorer.exe
PID 4260 wrote to memory of 1488	4260	explorer.exe	spoolsv.exe
PID 4260 wrote to memory of 1488	4260	explorer.exe	spoolsv.exe
PID 4260 wrote to memory of 1488	4260	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 4180	1488	spoolsv.exe	svchost.exe
PID 1488 wrote to memory of 4180	1488	spoolsv.exe	svchost.exe
PID 1488 wrote to memory of 4180	1488	spoolsv.exe	svchost.exe
PID 4180 wrote to memory of 3416	4180	svchost.exe	spoolsv.exe
PID 4180 wrote to memory of 3416	4180	svchost.exe	spoolsv.exe
PID 4180 wrote to memory of 3416	4180	svchost.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\Free_Candy_Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Free_Candy_Optimizer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016

\??\c:\users\admin\appdata\local\temp\free_candy_optimizer.exe
c:\users\admin\appdata\local\temp\free_candy_optimizer.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SYSTEM32\cmd.exe
cmd /c "Free Candy Optimizer.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:4372

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3920

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4180

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3888

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Free Candy Optimizer.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Modify Registry

2

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Free Candy Optimizer.bat
Filesize
98KB

MD5
e86e31bbeb9493c361cfdc29d838f644

SHA1
792d995da93083729d863e5fd48e873ac4052c3f

SHA256
2bbf80db47959a275b23572b7cc7465ac29c6727fefbf6b9935d638589fc17ec

SHA512
21ccce57366c2bf293423edcef79da82932847dae526b3c23536047465aed7b624c053c2a87dc322956e36a98291a128cd33e8149a92515bd80b8db087c66d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\free_candy_optimizer.exe
Filesize
236KB

MD5
cd1fa5bcbc7b251dc0efdfd32d5fd6ee

SHA1
52908e931654115ddb0100ba7795295e31382844

SHA256
9cb855726b752e515fbab26ef7e898f9ed19207d5aa0ee50b9481dd91c6386b6

SHA512
ab93e24942581e5c5b8197c50bf7d0824dbe9f0a53a10e27908fe01a2e5c956f57c69d1cbc01136541195d8776984bf516ea4f1276bdae64ee1d514091f7064c

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
2.6MB

MD5
12e0daa28671752a830aea57fb026b99

SHA1
ac87d2792c169c44a8fac964661a13e8ced26a51

SHA256
b15b968bb32c97a7070f30d6b9eb6993390aedcb03450321be60b00937d6fa1b

SHA512
ae280d9948bb66dce12a25fe15bae1c7a7f077b73798f86e660f42eebcfa2cf055b5f521bba6975846bfce32d981b4b3b7cb5c67e1f4452d8d92250db8411628

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
2.6MB

MD5
9b9e7bb08462ad4c2b8ddf65e78b5bc5

SHA1
afd3b983ac985cb04cd50480c7c5e5fa988eef91

SHA256
80e42ee9ada71279c0a02eaa6b9a0d27cc8bb5a2ad1c6a246f57463213ddff73

SHA512
d370244819ac839f37712055cd4ae8187f3727ef01801d79a51756ea2fad6d4412afede151edf31c9f28b898994be3ecd26a0cb69d09a3d92d06e6e2fbdf094b

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
2.6MB

MD5
fab97f1b34155e3c2f1846533d8fe0f5

SHA1
42c06f599f125b0dba50b277a69a13ad3ef73079

SHA256
f0afd5be34c1901041699a472d436c971e29a4c2b225aa7e0dd08ee0c03d76b0

SHA512
fbcff7b95ed867ae28c1e08c851642d7c823169807181a74a10db56df8cb61a5d4d35a7cf5726b775555184aa7e00f072633c4a06826dce8246f014ebd195475

Download Submit
\??\c:\windows\resources\svchost.exe
Filesize
2.6MB

MD5
885163f6ec4f1e0f47a928cbb2936ca6

SHA1
cceca488aab90f1555811c5f5e6ae48c61954c7b

SHA256
601eccf4272dd3794cc7484a092ccc773447545e3428c7ae8569d5ec7d842823

SHA512
345ed08c9c65560f1d484bbda2bdd056b1c5f5ec00cb00cfb252ea8801464a810e7b682174883e9db54d23ae4ff49b9cc6ab409bbeee47e0bed9df5ef3dc7f41

Download Submit
memory/1488-55-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1488-33-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3016-47-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3016-1-0x00000000779F4000-0x00000000779F6000-memory.dmp

Filesize
8KB

Download
memory/3016-0-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3016-54-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3416-48-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3416-53-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4180-59-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4180-42-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4180-61-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4180-63-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4260-57-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4260-58-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4260-24-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4260-68-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4260-76-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4964-49-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4964-14-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4964-56-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads