deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d

Analysis

max time kernel
151s
max time network
130s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
Size

2.6MB
MD5

b12aeed252db94f858037957b35f7997
SHA1

2dffcaf75338359cd039fd827556835ac9d1e212
SHA256

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d
SHA512

d012897bd4beba65a8c65ede1a4679f671713f448305c9606de57265fad34a7bb523859fe2778216c82583cd0af7f3c8e0a892ece68b69a56651933c1e5db97a

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

Executes dropped EXE 7 IoCs

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1272	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1092	icsys.icn.exe
1364
468	explorer.exe
1656	spoolsv.exe
1424	svchost.exe
308	spoolsv.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

Loads dropped DLL 7 IoCs

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1932
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1092	icsys.icn.exe
468	explorer.exe
1656	spoolsv.exe
1424	svchost.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2040 schtasks.exe
1640 schtasks.exe
292 schtasks.exe

pid	process
2040	schtasks.exe
1640	schtasks.exe
292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exeicsys.icn.exeexplorer.exesvchost.exe

pid	process
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
468	explorer.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe
1424	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

468 explorer.exe
1424 svchost.exe

pid	process
468	explorer.exe
1424	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
1092	icsys.icn.exe
1092	icsys.icn.exe
468	explorer.exe
468	explorer.exe
1656	spoolsv.exe
1656	spoolsv.exe
1424	svchost.exe
1424	svchost.exe
308	spoolsv.exe
308	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 1000 wrote to memory of 1272	1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
PID 1000 wrote to memory of 1272	1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
PID 1000 wrote to memory of 1272	1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
PID 1000 wrote to memory of 1272	1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
PID 1000 wrote to memory of 1092	1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	icsys.icn.exe
PID 1000 wrote to memory of 1092	1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	icsys.icn.exe
PID 1000 wrote to memory of 1092	1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	icsys.icn.exe
PID 1000 wrote to memory of 1092	1000	deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe	icsys.icn.exe
PID 1092 wrote to memory of 468	1092	icsys.icn.exe	explorer.exe
PID 1092 wrote to memory of 468	1092	icsys.icn.exe	explorer.exe
PID 1092 wrote to memory of 468	1092	icsys.icn.exe	explorer.exe
PID 1092 wrote to memory of 468	1092	icsys.icn.exe	explorer.exe
PID 468 wrote to memory of 1656	468	explorer.exe	spoolsv.exe
PID 468 wrote to memory of 1656	468	explorer.exe	spoolsv.exe
PID 468 wrote to memory of 1656	468	explorer.exe	spoolsv.exe
PID 468 wrote to memory of 1656	468	explorer.exe	spoolsv.exe
PID 1656 wrote to memory of 1424	1656	spoolsv.exe	svchost.exe
PID 1656 wrote to memory of 1424	1656	spoolsv.exe	svchost.exe
PID 1656 wrote to memory of 1424	1656	spoolsv.exe	svchost.exe
PID 1656 wrote to memory of 1424	1656	spoolsv.exe	svchost.exe
PID 1424 wrote to memory of 308	1424	svchost.exe	spoolsv.exe
PID 1424 wrote to memory of 308	1424	svchost.exe	spoolsv.exe
PID 1424 wrote to memory of 308	1424	svchost.exe	spoolsv.exe
PID 1424 wrote to memory of 308	1424	svchost.exe	spoolsv.exe
PID 468 wrote to memory of 1064	468	explorer.exe	Explorer.exe
PID 468 wrote to memory of 1064	468	explorer.exe	Explorer.exe
PID 468 wrote to memory of 1064	468	explorer.exe	Explorer.exe
PID 468 wrote to memory of 1064	468	explorer.exe	Explorer.exe
PID 1424 wrote to memory of 2040	1424	svchost.exe	schtasks.exe
PID 1424 wrote to memory of 2040	1424	svchost.exe	schtasks.exe
PID 1424 wrote to memory of 2040	1424	svchost.exe	schtasks.exe
PID 1424 wrote to memory of 2040	1424	svchost.exe	schtasks.exe
PID 1424 wrote to memory of 1640	1424	svchost.exe	schtasks.exe
PID 1424 wrote to memory of 1640	1424	svchost.exe	schtasks.exe
PID 1424 wrote to memory of 1640	1424	svchost.exe	schtasks.exe
PID 1424 wrote to memory of 1640	1424	svchost.exe	schtasks.exe
PID 1424 wrote to memory of 292	1424	svchost.exe	schtasks.exe
PID 1424 wrote to memory of 292	1424	svchost.exe	schtasks.exe
PID 1424 wrote to memory of 292	1424	svchost.exe	schtasks.exe
PID 1424 wrote to memory of 292	1424	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
"C:\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1000

\??\c:\users\admin\appdata\local\temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
c:\users\admin\appdata\local\temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
PID:1272

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:468

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:308

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:23 /f
6⤵
- Creates scheduled task(s)
PID:2040

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:24 /f
6⤵
- Creates scheduled task(s)
PID:1640

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 00:25 /f
6⤵
- Creates scheduled task(s)
PID:292

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
4⤵
PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

Filesize
2.5MB

MD5
5a4dd8a44bbef9445e749826b3168667

SHA1
6d5e73a99449214f13d8c8a496b14f6c03110d08

SHA256
c52681b18b095ab61bbc23c52ade012327af1a44ce04e9c3bbf915a27125f2b3

SHA512
5977319acbc8e6e470795099b8e1ccf8c85eda826b4d10141e615dbb721c67e4d00d93bfe56b76a23c30d5dd2da2bf5800429f1a8943702bccb0b0d2318f18f1

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
29a886fd5d198506b72089531a3cf22a

SHA1
ec58a8665a7639b3541383cb95793c75a0254980

SHA256
607ff5a2555dff43911d9cb6b832f429ad1679769bf1e55db3dca687d01106b7

SHA512
daed599ab3fed5a03f4ce1e671edf218bf3bdb86c403240730de2f28c405ef4592868e287b2a56be3f11dc3ffc8d032aef21bab0da4217805b6b716ec965b3f3

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
62f0894675df2c1cae6ce7f5ff18c293

SHA1
732019678b70d04996917130a013d1ac85f7149d

SHA256
13fa150b0713a5d892aebac9acb0859a1a31784b857a9e74dabc694d7d74e72f

SHA512
f3de087c63bca724eaead933d15410ad69bbfc418bbae78f771152ea5dbda9dd155e3068be1d9447d2959f4615f3908d34ffe1906845c9111e3c9531efd3c0b3

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
6e9c70d749e9b3223a768de997aa27f4

SHA1
c41de192892a8f383ba6839a3064b51e866eb1a7

SHA256
4455ea1a9c5d656d5ceffb17d483744ebb3f046bd57d3a93035dae7baf98b051

SHA512
bc94a821a190029200c5247d375704d551ed8109f0d794a947c9b5129ca15ae08594ec6d8bc4694cfa5a9682b4c1ab24facc0a5e4d85adbbb88bf84dfebf284d

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
6e9c70d749e9b3223a768de997aa27f4

SHA1
c41de192892a8f383ba6839a3064b51e866eb1a7

SHA256
4455ea1a9c5d656d5ceffb17d483744ebb3f046bd57d3a93035dae7baf98b051

SHA512
bc94a821a190029200c5247d375704d551ed8109f0d794a947c9b5129ca15ae08594ec6d8bc4694cfa5a9682b4c1ab24facc0a5e4d85adbbb88bf84dfebf284d

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
ce77ec07054ab029cdd9b443b9832c81

SHA1
6d694f68ce5929990058f603e3b7646f2d5a62bd

SHA256
09ccd08b331ef401f9c0d7f99d2a270d0a9958a67b4622c2eee2869da9f45556

SHA512
e8d0ccce32288625a463771ed0f5c04164b8e8d2bcbfc702c898a97db4ff0d228e3ca39d496d57223f0194d5f5eef1c22fb5d3c329baa1084479c0d8347f0003

Download Submit
\??\c:\users\admin\appdata\local\temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

Filesize
2.5MB

MD5
5a4dd8a44bbef9445e749826b3168667

SHA1
6d5e73a99449214f13d8c8a496b14f6c03110d08

SHA256
c52681b18b095ab61bbc23c52ade012327af1a44ce04e9c3bbf915a27125f2b3

SHA512
5977319acbc8e6e470795099b8e1ccf8c85eda826b4d10141e615dbb721c67e4d00d93bfe56b76a23c30d5dd2da2bf5800429f1a8943702bccb0b0d2318f18f1

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
6e9c70d749e9b3223a768de997aa27f4

SHA1
c41de192892a8f383ba6839a3064b51e866eb1a7

SHA256
4455ea1a9c5d656d5ceffb17d483744ebb3f046bd57d3a93035dae7baf98b051

SHA512
bc94a821a190029200c5247d375704d551ed8109f0d794a947c9b5129ca15ae08594ec6d8bc4694cfa5a9682b4c1ab24facc0a5e4d85adbbb88bf84dfebf284d

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
ce77ec07054ab029cdd9b443b9832c81

SHA1
6d694f68ce5929990058f603e3b7646f2d5a62bd

SHA256
09ccd08b331ef401f9c0d7f99d2a270d0a9958a67b4622c2eee2869da9f45556

SHA512
e8d0ccce32288625a463771ed0f5c04164b8e8d2bcbfc702c898a97db4ff0d228e3ca39d496d57223f0194d5f5eef1c22fb5d3c329baa1084479c0d8347f0003

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
29a886fd5d198506b72089531a3cf22a

SHA1
ec58a8665a7639b3541383cb95793c75a0254980

SHA256
607ff5a2555dff43911d9cb6b832f429ad1679769bf1e55db3dca687d01106b7

SHA512
daed599ab3fed5a03f4ce1e671edf218bf3bdb86c403240730de2f28c405ef4592868e287b2a56be3f11dc3ffc8d032aef21bab0da4217805b6b716ec965b3f3

Download Submit
\??\c:\windows\resources\themes\icsys.icn.exe

Filesize
135KB

MD5
62f0894675df2c1cae6ce7f5ff18c293

SHA1
732019678b70d04996917130a013d1ac85f7149d

SHA256
13fa150b0713a5d892aebac9acb0859a1a31784b857a9e74dabc694d7d74e72f

SHA512
f3de087c63bca724eaead933d15410ad69bbfc418bbae78f771152ea5dbda9dd155e3068be1d9447d2959f4615f3908d34ffe1906845c9111e3c9531efd3c0b3

Download Submit
\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

Filesize
2.5MB

MD5
5a4dd8a44bbef9445e749826b3168667

SHA1
6d5e73a99449214f13d8c8a496b14f6c03110d08

SHA256
c52681b18b095ab61bbc23c52ade012327af1a44ce04e9c3bbf915a27125f2b3

SHA512
5977319acbc8e6e470795099b8e1ccf8c85eda826b4d10141e615dbb721c67e4d00d93bfe56b76a23c30d5dd2da2bf5800429f1a8943702bccb0b0d2318f18f1

Download Submit
\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

Filesize
2.5MB

MD5
5a4dd8a44bbef9445e749826b3168667

SHA1
6d5e73a99449214f13d8c8a496b14f6c03110d08

SHA256
c52681b18b095ab61bbc23c52ade012327af1a44ce04e9c3bbf915a27125f2b3

SHA512
5977319acbc8e6e470795099b8e1ccf8c85eda826b4d10141e615dbb721c67e4d00d93bfe56b76a23c30d5dd2da2bf5800429f1a8943702bccb0b0d2318f18f1

Download Submit
\Users\Admin\AppData\Local\Temp\deb6a175d56e09e4709c73c8c40a1fb88e2cf5bee812149217c824cb0815492d.exe

Filesize
2.5MB

MD5
5a4dd8a44bbef9445e749826b3168667

SHA1
6d5e73a99449214f13d8c8a496b14f6c03110d08

SHA256
c52681b18b095ab61bbc23c52ade012327af1a44ce04e9c3bbf915a27125f2b3

SHA512
5977319acbc8e6e470795099b8e1ccf8c85eda826b4d10141e615dbb721c67e4d00d93bfe56b76a23c30d5dd2da2bf5800429f1a8943702bccb0b0d2318f18f1

Download Submit
\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
29a886fd5d198506b72089531a3cf22a

SHA1
ec58a8665a7639b3541383cb95793c75a0254980

SHA256
607ff5a2555dff43911d9cb6b832f429ad1679769bf1e55db3dca687d01106b7

SHA512
daed599ab3fed5a03f4ce1e671edf218bf3bdb86c403240730de2f28c405ef4592868e287b2a56be3f11dc3ffc8d032aef21bab0da4217805b6b716ec965b3f3

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
62f0894675df2c1cae6ce7f5ff18c293

SHA1
732019678b70d04996917130a013d1ac85f7149d

SHA256
13fa150b0713a5d892aebac9acb0859a1a31784b857a9e74dabc694d7d74e72f

SHA512
f3de087c63bca724eaead933d15410ad69bbfc418bbae78f771152ea5dbda9dd155e3068be1d9447d2959f4615f3908d34ffe1906845c9111e3c9531efd3c0b3

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
6e9c70d749e9b3223a768de997aa27f4

SHA1
c41de192892a8f383ba6839a3064b51e866eb1a7

SHA256
4455ea1a9c5d656d5ceffb17d483744ebb3f046bd57d3a93035dae7baf98b051

SHA512
bc94a821a190029200c5247d375704d551ed8109f0d794a947c9b5129ca15ae08594ec6d8bc4694cfa5a9682b4c1ab24facc0a5e4d85adbbb88bf84dfebf284d

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
6e9c70d749e9b3223a768de997aa27f4

SHA1
c41de192892a8f383ba6839a3064b51e866eb1a7

SHA256
4455ea1a9c5d656d5ceffb17d483744ebb3f046bd57d3a93035dae7baf98b051

SHA512
bc94a821a190029200c5247d375704d551ed8109f0d794a947c9b5129ca15ae08594ec6d8bc4694cfa5a9682b4c1ab24facc0a5e4d85adbbb88bf84dfebf284d

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
ce77ec07054ab029cdd9b443b9832c81

SHA1
6d694f68ce5929990058f603e3b7646f2d5a62bd

SHA256
09ccd08b331ef401f9c0d7f99d2a270d0a9958a67b4622c2eee2869da9f45556

SHA512
e8d0ccce32288625a463771ed0f5c04164b8e8d2bcbfc702c898a97db4ff0d228e3ca39d496d57223f0194d5f5eef1c22fb5d3c329baa1084479c0d8347f0003

Download Submit
memory/292-105-0x0000000000000000-mapping.dmp

Download
memory/308-97-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/308-92-0x0000000000000000-mapping.dmp

Download
memory/468-71-0x0000000000000000-mapping.dmp

Download
memory/468-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1000-102-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1064-98-0x0000000000000000-mapping.dmp

Download
memory/1064-100-0x000007FEFC3A1000-0x000007FEFC3A3000-memory.dmp

Filesize
8KB

Download
memory/1092-62-0x0000000000000000-mapping.dmp

Download
memory/1092-101-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-58-0x0000000000000000-mapping.dmp

Download
memory/1424-85-0x0000000000000000-mapping.dmp

Download
memory/1640-104-0x0000000000000000-mapping.dmp

Download
memory/1656-78-0x0000000000000000-mapping.dmp

Download
memory/1656-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-103-0x0000000000000000-mapping.dmp

Download