e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263d

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/10/2024, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
Size

582KB
MD5

6fc610a744521995dfcd5817591865b0
SHA1

731f90c3839a0badc652f8c230622d7b1e3aa8d4
SHA256

e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263d
SHA512

94044da6af713ae4b5d054b1c58476c4bd7d33e3a4e79e0d499088e0efd3789f034575d30f2ae4a33c9e55689069f782828e0a6a4d751f45fccae38352168936
SSDEEP

12288:PFUNDanzcn7EanlQiWtYhmJFSwUBLcQZfgiU:PFOazcn7NlwPUA

Score

10^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 33 IoCs

pid	Process
2416	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2644	icsys.icn.exe
2936	explorer.exe
2692	spoolsv.exe
2700	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2220	svchost.exe
2620	spoolsv.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1928	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2652	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2524	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1688	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2472	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2148	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1120	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
548	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1472	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
628	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2732	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1516	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2136	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1688	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2768	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2788	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
288	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2624	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2708	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2148	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1980	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1680	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3008	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2444	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1716	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Loads dropped DLL 6 IoCs

pid	Process
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2644	icsys.icn.exe
2936	explorer.exe
2692	spoolsv.exe
2220	svchost.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus = "1"	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

AutoIT Executable 61 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2692-73-0x00000000002C0000-0x00000000002DF000-memory.dmp	autoit_exe
behavioral1/memory/2416-68-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2700-111-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-112-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1928-207-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1928-208-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-209-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-231-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2652-254-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2524-275-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-290-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2652-292-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2524-294-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1688-340-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1688-342-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-388-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2472-390-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2148-416-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2148-449-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-471-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1120-476-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1120-497-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/548-523-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/548-545-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-546-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1472-572-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1472-594-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-641-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/628-642-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2732-668-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2732-689-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-715-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1516-717-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1516-738-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2136-765-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2136-786-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-787-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1688-834-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2768-878-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2768-882-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-883-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2788-909-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2788-930-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/288-956-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-977-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/288-978-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2624-1004-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2624-1025-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-1047-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2708-1073-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2148-1121-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-1122-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1980-1169-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1680-1215-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-1216-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3008-1242-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/3008-1263-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/568-1285-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2444-1290-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/2444-1311-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1716-1337-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018b4d-10.dat	upx
behavioral1/memory/2416-11-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2700-67-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2416-68-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2700-111-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-112-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1928-207-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1928-208-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-209-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-231-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2652-254-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2524-275-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-290-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2652-292-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2524-294-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1688-340-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1688-342-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-388-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2472-390-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2148-416-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2148-449-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-471-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1120-476-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1120-497-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/548-523-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/548-545-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-546-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1472-572-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1472-594-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/628-620-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-641-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/628-642-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2732-668-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2732-689-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-715-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1516-717-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1516-738-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2136-765-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2136-786-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-787-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1688-813-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1688-834-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2768-878-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2768-882-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-883-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2788-909-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2788-930-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/288-956-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-977-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/288-978-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2624-1004-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2624-1025-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-1047-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2708-1052-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2708-1073-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2148-1099-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/2148-1121-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-1122-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1980-1169-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1680-1215-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-1216-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3008-1242-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/3008-1263-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/568-1285-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20241003044800.cab	makecab.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2120	schtasks.exe
2908	schtasks.exe
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2936	explorer.exe
2936	explorer.exe
2936	explorer.exe
2936	explorer.exe
2416	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2936	explorer.exe
2936	explorer.exe
2936	explorer.exe
2936	explorer.exe
2416	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2936	explorer.exe
2936	explorer.exe
2936	explorer.exe
2936	explorer.exe
2936	explorer.exe
2936	explorer.exe
2936	explorer.exe
2936	explorer.exe
2416	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2936	explorer.exe
2220	svchost.exe
2064	MSASCui.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	2416	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	2416	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	2416	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	2700	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	2700	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	2700	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
2644	icsys.icn.exe
2644	icsys.icn.exe
2936	explorer.exe
2936	explorer.exe
2692	spoolsv.exe
2692	spoolsv.exe
2220	svchost.exe
2220	svchost.exe
2620	spoolsv.exe
2620	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2416	2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	29
PID 2720 wrote to memory of 2416	2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	29
PID 2720 wrote to memory of 2416	2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	29
PID 2720 wrote to memory of 2416	2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	29
PID 2720 wrote to memory of 2644	2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	30
PID 2720 wrote to memory of 2644	2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	30
PID 2720 wrote to memory of 2644	2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	30
PID 2720 wrote to memory of 2644	2720	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	30
PID 2644 wrote to memory of 2936	2644	icsys.icn.exe	31
PID 2644 wrote to memory of 2936	2644	icsys.icn.exe	31
PID 2644 wrote to memory of 2936	2644	icsys.icn.exe	31
PID 2644 wrote to memory of 2936	2644	icsys.icn.exe	31
PID 2936 wrote to memory of 2692	2936	explorer.exe	32
PID 2936 wrote to memory of 2692	2936	explorer.exe	32
PID 2936 wrote to memory of 2692	2936	explorer.exe	32
PID 2936 wrote to memory of 2692	2936	explorer.exe	32
PID 2692 wrote to memory of 2220	2692	spoolsv.exe	34
PID 2692 wrote to memory of 2220	2692	spoolsv.exe	34
PID 2692 wrote to memory of 2220	2692	spoolsv.exe	34
PID 2692 wrote to memory of 2220	2692	spoolsv.exe	34
PID 2220 wrote to memory of 2620	2220	svchost.exe	35
PID 2220 wrote to memory of 2620	2220	svchost.exe	35
PID 2220 wrote to memory of 2620	2220	svchost.exe	35
PID 2220 wrote to memory of 2620	2220	svchost.exe	35
PID 2936 wrote to memory of 2156	2936	explorer.exe	36
PID 2936 wrote to memory of 2156	2936	explorer.exe	36
PID 2936 wrote to memory of 2156	2936	explorer.exe	36
PID 2936 wrote to memory of 2156	2936	explorer.exe	36
PID 2220 wrote to memory of 2120	2220	svchost.exe	38
PID 2220 wrote to memory of 2120	2220	svchost.exe	38
PID 2220 wrote to memory of 2120	2220	svchost.exe	38
PID 2220 wrote to memory of 2120	2220	svchost.exe	38
PID 568 wrote to memory of 1928	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	46
PID 568 wrote to memory of 1928	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	46
PID 568 wrote to memory of 1928	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	46
PID 568 wrote to memory of 1928	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	46
PID 2204 wrote to memory of 2492	2204	explorer.exe	49
PID 2204 wrote to memory of 2492	2204	explorer.exe	49
PID 2204 wrote to memory of 2492	2204	explorer.exe	49
PID 568 wrote to memory of 2652	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	54
PID 568 wrote to memory of 2652	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	54
PID 568 wrote to memory of 2652	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	54
PID 568 wrote to memory of 2652	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	54
PID 568 wrote to memory of 2524	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	56
PID 568 wrote to memory of 2524	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	56
PID 568 wrote to memory of 2524	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	56
PID 568 wrote to memory of 2524	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	56
PID 1640 wrote to memory of 2448	1640	explorer.exe	60
PID 1640 wrote to memory of 2448	1640	explorer.exe	60
PID 1640 wrote to memory of 2448	1640	explorer.exe	60
PID 2016 wrote to memory of 936	2016	explorer.exe	61
PID 2016 wrote to memory of 936	2016	explorer.exe	61
PID 2016 wrote to memory of 936	2016	explorer.exe	61
PID 568 wrote to memory of 1688	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	64
PID 568 wrote to memory of 1688	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	64
PID 568 wrote to memory of 1688	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	64
PID 568 wrote to memory of 1688	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	64
PID 2980 wrote to memory of 2928	2980	explorer.exe	66
PID 2980 wrote to memory of 2928	2980	explorer.exe	66
PID 2980 wrote to memory of 2928	2980	explorer.exe	66
PID 568 wrote to memory of 2472	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	73
PID 568 wrote to memory of 2472	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	73
PID 568 wrote to memory of 2472	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	73
PID 568 wrote to memory of 2472	568	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	73

C:\Users\Admin\AppData\Local\Temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
"C:\Users\Admin\AppData\Local\Temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2720
- \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
  c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
    c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
  - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
      "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /TI
      4⤵
      Modifies security service
      Executes dropped EXE
      Windows security modification
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:1868
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:2632
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2652
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:2088
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|2632|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:1616
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:1608
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2472
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:2228
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:2836
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1120
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:2116
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:548
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:1560
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1472
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:1812
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:628
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:2752
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2732
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:1176
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1516
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:2668
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2136
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:524
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1688
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:1588
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2768
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:236
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2788
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:1592
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:288
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:600
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2624
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:2916
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2708
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:1736
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:2212
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1980
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:3012
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:1756
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3008
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:560
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2444
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
        5⤵
        
        PID:2236
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |1252|2936|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2644
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2692
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:50 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2120
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:51 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2908
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:52 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2844
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2156

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241003044800.log C:\Windows\Logs\CBS\CbsPersist_20241003044800.cab
1⤵
- Drops file in Windows directory
PID:896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2492

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3036

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3064

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2892

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2448

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2928

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:864

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1620

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2868

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1744
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1932
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:916

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1176

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3040

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2788

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2276
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2468

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:3044

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:796

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1452
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:944

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1964

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3028
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:632

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1940

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:760
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:1724

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2840

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2388

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:856
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2500

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1456

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:376
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2252

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1692

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2456
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:1332

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2652

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2084
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2316

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2616

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2300

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2192
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2328

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2972

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:924
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2600

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1000

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1572
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:1708

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2564

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2168

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1780
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:1688

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2452

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:692
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2860

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1020

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:956

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:264
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:628

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1768

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2588
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2280

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1628

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2004
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2104

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2792

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:952

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1096
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2852

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:576

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:824
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2672

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2184

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2488
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Filesize
447KB

MD5
58008524a6473bdf86c1040a9a9e39c3

SHA1
cb704d2e8df80fd3500a5b817966dc262d80ddb8

SHA256
1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

SHA512
8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe .ini

Filesize
2KB

MD5
b0cd209605eed99d5fecdbfbaa68bca4

SHA1
d3cfce9d7389aad205672c411a90ebb926f28f81

SHA256
ae56364aa214141f00f60539ebdd49f5278f33dfbfcc0879c268d0e3cadc55b9

SHA512
400a9c5ae4a24f3bbf9abff7adb47328317a3bea04d8b6d5c0756b06768e263fc1601177dc5d18a127b73fcdab248c34f120bb79030d1448ed2c2fc47d6f1f2f

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
15b4c389f44ea43afbda9c34fdec8f49

SHA1
1c44115c5ddc5dc6a4941a9427bb32ce4e34eaef

SHA256
5959ae9f8cba073d8b30d684890c524bc689e0013d562558c37d266f1e706cbf

SHA512
d9091f6228d7884eb30e7aa0bc671c510cb1d15e371d7f32e615f52692dd23227650f9f3bf444405cb72c6b13629740a7c1e8f45b2fb522e67e2545109fe8320

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
8B

MD5
8e1b08222f20e45a3e8db04c569f9cb7

SHA1
a6ac68fbadf96faba3af7000a7514790157f930f

SHA256
5bb1f21f806938a043563024b13b33d74a2b95b767c5f81bde8456e9d0413a89

SHA512
414d30dec0fce6b4e3ab52c50f064262e0df00cf9dbbeacca271a0991555371a37cfffdd0486c07a9096838942a69cdbefea4a4399ef2848139678daff589c31

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
160B

MD5
58f8eb09a822c09fc11f5a42baae36f1

SHA1
9e7063eeee62c8588e0020bef3a116e9379966aa

SHA256
6509c7fc4fa70391399831bbc3d66206d3f6f8f2bb20ffcac4e04844861d733a

SHA512
53806780934bd86bb032ee4a515dfc0e8464a5ecc5f4c8c593304fcd969c1058d443bdec54e7ae21469adb942b16693cc9eaf997217adc69d3618ab0ec99dc1e

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\Windows\Temp\2e7r0c0w.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Windows\Temp\2e7r0c0w.tmp

Filesize
37KB

MD5
f156a4a8ffd8c440348d52ef8498231c

SHA1
4d2f5e731a0cc9155220b560eb6560f24b623032

SHA256
7c3ca3161b9061c9b1ff70f401d9f02b2d01267bc76cbfcbc397a5aec60d4842

SHA512
48f3c273f072a8c3c73a1b835ed320a6b8962c2f8b5037a3b6c1bea5431b17d9c03e8d771cc205bbc067975c78307f2306c55dbc4c72e0a7c15c6b17b3afa170

Download Submit
C:\Windows\Temp\8bzd5b4v.tmp

Filesize
37KB

MD5
e00dcc76e4dcd90994587375125de04b

SHA1
6677d2d6bd096ec1c0a12349540b636088da0e34

SHA256
c8709f5a8b971d136e2273d66e65449791ca8eba1f47dd767733ea52ee635447

SHA512
8df7bc46ef0b2e2d4da6d8f31b102ff4813c6544cb751eb700b79fa0fae780814551b58ec8d19ff29cbf8547709add7eef637a52a217714d1a18b450f6755ec8

Download Submit
C:\Windows\Temp\aut4A2.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\aut4A3.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\aut4B4.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
c7abf01c5d2d22aad85919e3d1a47074

SHA1
38bf0e34efde87d5a5899bd216ef91dbcff0bd4a

SHA256
745b55c350bb3d60585cafefcd39a486f053d45999e0a9bbe98233a2fe36ce6b

SHA512
d17a108e3984c9d9cca44ca9c5f337b9f3c140502d97bca10ca4bc1de247703e1130d5a53f34249b0aefdfea16cb33237317506ef2c9e4bac6b2cbfeae2de652

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
a46296285b58d3d72fc612f62f0e0897

SHA1
21c6f03e4b0c821ef34d0fa66c6f3f460cd8681f

SHA256
c8f837b5a9a4513b6c274c10e4ea9ec2546517061d3abac5ddff6397a5b769c9

SHA512
da6fccad44ab37f5452339174d92b5c6326ebee3bf558cecaf7c47209ab907063306774fb8ea4008af31293bbbae06ae00f7ae0fb9595b44cfb11f17b5ceed89

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
e38ebf363bdcb9a8d9dd559c1c1ff24e

SHA1
bd21f17b54482911942130ae7b50c1931aef5be4

SHA256
4667c4a464983fb8edfccc09b618435fd740aaed6f16e0f800418b71436ca92f

SHA512
f91ae1f6e63034c8689b125733037f0fd2f92e4ff542737e444e169dad7626fc60c9578f20159963165f3a0f8ae92c738a10b41996cb19df8448fea964035e1d

Download Submit
memory/288-978-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/288-956-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/548-523-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/548-545-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-388-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-231-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-546-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-112-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-883-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-641-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-977-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-787-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-1047-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-290-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-1122-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-209-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-1216-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-471-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-1285-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/568-715-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/628-620-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/628-642-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1120-476-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1120-497-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1472-572-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1472-594-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1516-717-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1516-738-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1680-1215-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1688-834-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1688-813-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1688-342-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1688-340-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1716-1337-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1928-208-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1928-207-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1980-1169-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2136-786-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2136-765-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2148-416-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2148-1121-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2148-1099-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2148-449-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2220-739-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-81-0x0000000000270000-0x000000000028F000-memory.dmp

Filesize
124KB

Download
memory/2416-11-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2416-68-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2444-1311-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2444-1290-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2472-390-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2524-294-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2524-275-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2620-105-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-1025-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2624-1004-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2644-107-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2644-46-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2652-292-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2652-254-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2692-73-0x00000000002C0000-0x00000000002DF000-memory.dmp

Filesize
124KB

Download
memory/2692-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-67-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2700-111-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2708-1052-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2708-1073-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2720-108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-9-0x0000000002A70000-0x0000000002B3D000-memory.dmp

Filesize
820KB

Download
memory/2720-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-78-0x0000000002A70000-0x0000000002B3D000-memory.dmp

Filesize
820KB

Download
memory/2720-37-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2732-668-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2732-689-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2768-882-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2768-878-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2788-930-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2788-909-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2936-690-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3008-1242-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3008-1263-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download