e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263d

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
Size

582KB
MD5

6fc610a744521995dfcd5817591865b0
SHA1

731f90c3839a0badc652f8c230622d7b1e3aa8d4
SHA256

e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263d
SHA512

94044da6af713ae4b5d054b1c58476c4bd7d33e3a4e79e0d499088e0efd3789f034575d30f2ae4a33c9e55689069f782828e0a6a4d751f45fccae38352168936
SSDEEP

12288:PFUNDanzcn7EanlQiWtYhmJFSwUBLcQZfgiU:PFOazcn7NlwPUA

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 31 IoCs

pid	Process
3948	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
4988	icsys.icn.exe
1216	explorer.exe
4832	spoolsv.exe
1600	svchost.exe
1768	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
4916	spoolsv.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
5020	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
372	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2676	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
4424	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2040	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3664	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1488	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
5036	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
4496	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
4428	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3308	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
4412	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3016	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3092	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
4276	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2388	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2820	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3296	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
4016	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2220	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1648	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
4604	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
2356	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

AutoIT Executable 46 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3948-63-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/1768-93-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/5020-166-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-167-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-168-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/372-172-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/372-193-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2676-217-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-218-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4424-242-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-243-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2040-247-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2040-268-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3664-272-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3664-294-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-295-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/1488-319-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-343-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/5036-344-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4496-348-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4496-369-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-370-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4428-395-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3308-401-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3308-422-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-423-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4412-447-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-448-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3016-473-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3092-497-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-498-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4276-522-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-546-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2388-547-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2820-571-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-572-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3296-596-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4016-620-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-621-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2220-625-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2220-646-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-647-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/1648-671-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/4604-695-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/3004-696-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral2/memory/2356-720-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023474-7.dat	upx
behavioral2/memory/3948-9-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3948-63-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/1768-93-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-92-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/5020-166-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-167-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-168-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/372-172-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/372-193-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2676-217-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-218-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4424-242-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-243-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2040-247-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2040-268-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3664-272-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3664-294-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-295-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/1488-319-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-343-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/5036-344-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4496-348-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4496-369-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-370-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4428-374-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4428-395-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3308-401-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3308-422-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-423-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4412-447-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-448-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3016-452-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3016-473-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3092-497-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-498-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4276-522-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-546-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2388-547-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2820-571-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-572-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3296-596-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4016-620-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-621-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2220-625-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2220-646-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-647-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/1648-671-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/4604-695-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/3004-696-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral2/memory/2356-720-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
4988	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
1216	explorer.exe
1600	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3948	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3948	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3948	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3948	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	1768	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	1768	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	1768	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeAssignPrimaryTokenPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeIncreaseQuotaPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: 0	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
Token: SeDebugPrivilege	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
4988	icsys.icn.exe
4988	icsys.icn.exe
1216	explorer.exe
1216	explorer.exe
4832	spoolsv.exe
4832	spoolsv.exe
1600	svchost.exe
1600	svchost.exe
4916	spoolsv.exe
4916	spoolsv.exe
3740	OpenWith.exe
3164	OpenWith.exe
2092	OpenWith.exe
5048	OpenWith.exe
1948	OpenWith.exe
2476	OpenWith.exe
2536	OpenWith.exe
3068	OpenWith.exe
5000	OpenWith.exe
2036	OpenWith.exe
1596	OpenWith.exe
4848	OpenWith.exe
2124	OpenWith.exe
4704	OpenWith.exe
4764	OpenWith.exe
4900	OpenWith.exe
4080	OpenWith.exe
2104	OpenWith.exe
3356	OpenWith.exe
1396	OpenWith.exe
4916	OpenWith.exe
740	OpenWith.exe
4024	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 3948	3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	84
PID 3200 wrote to memory of 3948	3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	84
PID 3200 wrote to memory of 3948	3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	84
PID 3200 wrote to memory of 4988	3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	85
PID 3200 wrote to memory of 4988	3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	85
PID 3200 wrote to memory of 4988	3200	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe	85
PID 4988 wrote to memory of 1216	4988	icsys.icn.exe	86
PID 4988 wrote to memory of 1216	4988	icsys.icn.exe	86
PID 4988 wrote to memory of 1216	4988	icsys.icn.exe	86
PID 1216 wrote to memory of 4832	1216	explorer.exe	88
PID 1216 wrote to memory of 4832	1216	explorer.exe	88
PID 1216 wrote to memory of 4832	1216	explorer.exe	88
PID 4832 wrote to memory of 1600	4832	spoolsv.exe	89
PID 4832 wrote to memory of 1600	4832	spoolsv.exe	89
PID 4832 wrote to memory of 1600	4832	spoolsv.exe	89
PID 1600 wrote to memory of 4916	1600	svchost.exe	91
PID 1600 wrote to memory of 4916	1600	svchost.exe	91
PID 1600 wrote to memory of 4916	1600	svchost.exe	91
PID 3004 wrote to memory of 5020	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	96
PID 3004 wrote to memory of 5020	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	96
PID 3004 wrote to memory of 5020	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	96
PID 3004 wrote to memory of 372	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	103
PID 3004 wrote to memory of 372	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	103
PID 3004 wrote to memory of 372	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	103
PID 3004 wrote to memory of 2676	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	109
PID 3004 wrote to memory of 2676	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	109
PID 3004 wrote to memory of 2676	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	109
PID 3004 wrote to memory of 4424	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	113
PID 3004 wrote to memory of 4424	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	113
PID 3004 wrote to memory of 4424	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	113
PID 3004 wrote to memory of 2040	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	118
PID 3004 wrote to memory of 2040	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	118
PID 3004 wrote to memory of 2040	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	118
PID 3004 wrote to memory of 3664	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	122
PID 3004 wrote to memory of 3664	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	122
PID 3004 wrote to memory of 3664	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	122
PID 3004 wrote to memory of 1488	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	127
PID 3004 wrote to memory of 1488	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	127
PID 3004 wrote to memory of 1488	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	127
PID 3004 wrote to memory of 5036	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	131
PID 3004 wrote to memory of 5036	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	131
PID 3004 wrote to memory of 5036	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	131
PID 3004 wrote to memory of 4496	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	135
PID 3004 wrote to memory of 4496	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	135
PID 3004 wrote to memory of 4496	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	135
PID 3004 wrote to memory of 4428	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	139
PID 3004 wrote to memory of 4428	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	139
PID 3004 wrote to memory of 4428	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	139
PID 3004 wrote to memory of 3308	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	143
PID 3004 wrote to memory of 3308	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	143
PID 3004 wrote to memory of 3308	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	143
PID 3004 wrote to memory of 4412	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	147
PID 3004 wrote to memory of 4412	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	147
PID 3004 wrote to memory of 4412	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	147
PID 3004 wrote to memory of 3016	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	151
PID 3004 wrote to memory of 3016	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	151
PID 3004 wrote to memory of 3016	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	151
PID 3004 wrote to memory of 3092	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	155
PID 3004 wrote to memory of 3092	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	155
PID 3004 wrote to memory of 3092	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	155
PID 3004 wrote to memory of 4276	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	159
PID 3004 wrote to memory of 4276	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	159
PID 3004 wrote to memory of 4276	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	159
PID 3004 wrote to memory of 2388	3004	e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe	163

C:\Users\Admin\AppData\Local\Temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe
"C:\Users\Admin\AppData\Local\Temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dN.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3200
- \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
  c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
    c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
  - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
      "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /TI
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:2348
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5020
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:3728
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:372
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:4560
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2676
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:1968
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4424
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:1836
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2040
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:5100
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3664
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:4340
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1488
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:3124
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5036
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:4164
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4496
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:3028
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4428
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:3160
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3308
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:436
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4412
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:404
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3016
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:1228
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3092
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:2464
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4276
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:4632
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:1524
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:3620
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3296
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:4776
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4016
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:4868
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2220
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:3116
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:768
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4604
    - - C:\Windows\Explorer.exe
        
        "C:\Windows\Explorer.exe" windowsdefender:
        5⤵
        
        PID:4388
    - - \??\c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe
        
        "c:\users\admin\appdata\local\temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe " /EXP |3524|1216|
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4988
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4832
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2720

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:5064

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4160

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2476

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4800

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3172

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4140

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3288

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3248

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3n9e4t8t.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe

Filesize
447KB

MD5
58008524a6473bdf86c1040a9a9e39c3

SHA1
cb704d2e8df80fd3500a5b817966dc262d80ddb8

SHA256
1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

SHA512
8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1a1965f7aa0252f250125fa83740406d96ffa6e4825e20106b996678cc1263dn.exe .ini

Filesize
2KB

MD5
e35c6e20f90515241a93886907532e70

SHA1
4d47e1e76635a49333cfb93fa39a32f7e9e77e42

SHA256
db9cb02870a747faec7d6f59898c4d61ea4dfde6f9df59c514dbbc060a4fdc09

SHA512
11bf3cbbbaf635ab566f18c6d16d736089ae68751d17a62a0055d4f652e2158fc52df4b3f00f472d701dc7e410e2df646f63e8ab3f54d8cb8b267d569e467121

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
4c1e50f61ed48b01b0e4709048947753

SHA1
515e3095e8d26a8be31ca7d0d6b6ed84c680fea0

SHA256
f20224e55ffcbb6cf43370e2e95f70183f355d2e6d077516367dbd204d062217

SHA512
5d7579885acfb7b595bd06f69fec04da27c36da2cea2947c64ce0bf0e0faf5d14034b548ba0199b594794dc842924c82a4b648ffeca44e65ff13f1152b7e4204

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
a46296285b58d3d72fc612f62f0e0897

SHA1
21c6f03e4b0c821ef34d0fa66c6f3f460cd8681f

SHA256
c8f837b5a9a4513b6c274c10e4ea9ec2546517061d3abac5ddff6397a5b769c9

SHA512
da6fccad44ab37f5452339174d92b5c6326ebee3bf558cecaf7c47209ab907063306774fb8ea4008af31293bbbae06ae00f7ae0fb9595b44cfb11f17b5ceed89

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
667ad5e89773d89efa680218309f8017

SHA1
bbe0a4e015b7b8edadc8a92e6b42b27fd33c5699

SHA256
d0070c512531e4319ed7d334d4222bfdb0c51a69bdc2e1444c21f1168d46ddda

SHA512
bfa88ac5dcc9733414e08206d3ee71bea742056eb9d926c0cfcdd853902b7d7ecced723b7b45b37c85dbbe2c822d614c8942b858ab4552dcede259792a0eba2a

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
eca91cc734d181d0d018b480cbb6906f

SHA1
a033802667400307ce4f2f07489b9431b1bcaf33

SHA256
6bfd6284e9eae0db1d1819533bcc222b06b7f0ffef551a3169a0bea18fec6c65

SHA512
1ad92a40c7e4bca6d8c9b1919d42af0f63a691a42cbd9940e22c454c11d2e219a49d0b0ba926531b63f52a212478ecc02f7431726c95bf1d8db2e0b7ba58e2a7

Download Submit
C:\Windows\Temp\3q6m6u4g.tmp

Filesize
37KB

MD5
e00dcc76e4dcd90994587375125de04b

SHA1
6677d2d6bd096ec1c0a12349540b636088da0e34

SHA256
c8709f5a8b971d136e2273d66e65449791ca8eba1f47dd767733ea52ee635447

SHA512
8df7bc46ef0b2e2d4da6d8f31b102ff4813c6544cb751eb700b79fa0fae780814551b58ec8d19ff29cbf8547709add7eef637a52a217714d1a18b450f6755ec8

Download Submit
C:\Windows\Temp\4k2b7o6k.tmp

Filesize
37KB

MD5
1f8c95b97229e09286b8a531f690c661

SHA1
b15b21c4912267b41861fb351f192849cca68a12

SHA256
557a903f0f2177e3e62b1a534dee554cf2eff3dd3991bc2310f064bf9c7d2152

SHA512
0f0e5b85b6ef73ecebcd70ca90ce54c019eec1ea99966c469f357dd3393d0067f591b3690fe0b7922d7ba4aa25ebefd76a092d28c3377e6035720f8630a1a186

Download Submit
C:\Windows\Temp\autC237.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\autC247.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\autC258.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/372-193-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/372-172-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1216-396-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1488-319-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1600-400-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-671-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1768-93-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2040-247-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2040-268-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2220-625-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2220-646-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2356-720-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2388-547-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2676-217-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2820-571-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-295-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-572-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-696-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-647-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-218-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-621-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-243-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-168-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-343-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-546-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-92-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-498-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-370-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-448-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-423-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3004-167-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3016-452-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3016-473-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3092-497-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3200-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3200-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3296-596-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3308-401-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3308-422-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3664-294-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3664-272-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3948-9-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3948-63-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4016-620-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4276-522-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4412-447-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4424-242-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4428-395-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4428-374-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4496-369-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4496-348-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4604-695-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/4832-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4916-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4988-89-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5020-166-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/5036-344-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download