8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
Size

4.7MB
MD5

952d19462a8b71553eb09ab55c3e8e4c
SHA1

7a905612d16592ea04ba5dc2162950cc00a6cf5e
SHA256

8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e
SHA512

052b38fd607334c167e835a872413ae0c09cdbf5c778f2d391067b50849c9e4260f54aec6dc9c2fcb5a3efd88cfdb2581fef1533e82ae74062a517f4d6dcb569

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

icsys.ico.exewininit.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\wininit.exe"	icsys.ico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\wininit.exe"	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\wininit.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 5 IoCs

Processes:

icsys.ico.exewininit.exe8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe spoolsv.exesvchost.exe

pid process

1348 icsys.ico.exe
1320 wininit.exe
1104 8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
988 spoolsv.exe
1824 svchost.exe

Loads dropped DLL 5 IoCs

Processes:

8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exeicsys.ico.exewininit.exespoolsv.exe

pid	process
2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
1348	icsys.ico.exe
2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
1320	wininit.exe
988	spoolsv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

icsys.ico.exewininit.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	icsys.ico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wininit = "c:\\windows\\wininit.exe"	icsys.ico.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Svchost = "c:\\windows\\svchost.exe"	icsys.ico.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spoolsv.exesvchost.exeicsys.ico.exewininit.exe8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.ico.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	icsys.ico.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe

Drops file in Windows directory 8 IoCs

Processes:

icsys.ico.exewininit.exespoolsv.exesvchost.exe8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe

description	ioc	process
File opened for modification	C:\Windows\Wininit	icsys.ico.exe
File created	\??\c:\windows\wininit.exe	icsys.ico.exe
File opened for modification	\??\c:\windows\wininit.exe	icsys.ico.exe
File opened for modification	\??\c:\windows\wininit.exe	wininit.exe
File created	\??\c:\windows\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\svchost.exe	svchost.exe
File opened for modification	C:\Windows\Wininit	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.ico.exespoolsv.exewininit.exesvchost.exe

pid	process
1348	icsys.ico.exe
988	spoolsv.exe
1320	wininit.exe
1320	wininit.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1824	svchost.exe
1320	wininit.exe
1320	wininit.exe
1824	svchost.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1320	wininit.exe
1824	svchost.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1824	svchost.exe
1320	wininit.exe
1824	svchost.exe
1320	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

wininit.exesvchost.exe

pid process

1320 wininit.exe
1824 svchost.exe

pid	process
1320	wininit.exe
1824	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exeicsys.ico.exewininit.exespoolsv.exe

description	pid	process	target process
PID 2008 wrote to memory of 1348	2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe	icsys.ico.exe
PID 2008 wrote to memory of 1348	2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe	icsys.ico.exe
PID 2008 wrote to memory of 1348	2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe	icsys.ico.exe
PID 2008 wrote to memory of 1348	2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe	icsys.ico.exe
PID 1348 wrote to memory of 1320	1348	icsys.ico.exe	wininit.exe
PID 1348 wrote to memory of 1320	1348	icsys.ico.exe	wininit.exe
PID 1348 wrote to memory of 1320	1348	icsys.ico.exe	wininit.exe
PID 1348 wrote to memory of 1320	1348	icsys.ico.exe	wininit.exe
PID 2008 wrote to memory of 1104	2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
PID 2008 wrote to memory of 1104	2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
PID 2008 wrote to memory of 1104	2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
PID 2008 wrote to memory of 1104	2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
PID 2008 wrote to memory of 1104	2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
PID 2008 wrote to memory of 1104	2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
PID 2008 wrote to memory of 1104	2008	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
PID 1320 wrote to memory of 988	1320	wininit.exe	spoolsv.exe
PID 1320 wrote to memory of 988	1320	wininit.exe	spoolsv.exe
PID 1320 wrote to memory of 988	1320	wininit.exe	spoolsv.exe
PID 1320 wrote to memory of 988	1320	wininit.exe	spoolsv.exe
PID 988 wrote to memory of 1824	988	spoolsv.exe	svchost.exe
PID 988 wrote to memory of 1824	988	spoolsv.exe	svchost.exe
PID 988 wrote to memory of 1824	988	spoolsv.exe	svchost.exe
PID 988 wrote to memory of 1824	988	spoolsv.exe	svchost.exe

System policy modification 1 TTPs 15 IoCs

evasion

Modify Registry

T1112

Processes:

svchost.exewininit.exespoolsv.exeicsys.ico.exe8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	icsys.ico.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	icsys.ico.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wininit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	icsys.ico.exe

C:\Users\Admin\AppData\Local\Temp\8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
"C:\Users\Admin\AppData\Local\Temp\8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2008

C:\Users\Admin\AppData\Roaming\icsys.ico.exe
C:\Users\Admin\AppData\Roaming\icsys.ico.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1348

C:\windows\wininit.exe
"C:\windows\wininit.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1320

C:\Users\Admin\appdata\roaming\spoolsv.exe
"C:\Users\Admin\appdata\roaming\spoolsv.exe" /SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:988

C:\windows\svchost.exe
"C:\windows\svchost.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:1824

\??\c:\users\admin\appdata\local\temp\8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
c:\users\admin\appdata\local\temp\8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe
2⤵
- Executes dropped EXE
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe

Filesize
1.8MB

MD5
43d3c74e0a22dcc300743516b734430a

SHA1
631ae51036b809450b1ce58f0a484cf7c28e0964

SHA256
b1a15ed9c9012b18c7ab2122cf7d4cc777a5acf5bf68a98fee28f9b460d68bc9

SHA512
a13b1183ff7ed4bcce4fe023db05f33703864137d3ecd8e975b4e87102daa3aebbff0c5a6ee3dabe0ffe5266544989e679f96bb7030cfeb19bc04f030fac1867

Download Submit
C:\Users\Admin\AppData\Roaming\icsys.ico.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
C:\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
C:\Windows\Wininit

Filesize
17B

MD5
dc88c4aa03f5180bbece1abdfec93e70

SHA1
59662d61697f32a522dc6cfeb67202803b311788

SHA256
764df4d37a31be29b4d87041c66c520cf72260d05b22c92df5f61e1eb67ef728

SHA512
f3b434bfa1767976744b80abe90c4d9614aecbacca889571ba90e8c848808bed73d37b21eb56afa51234481c36ba74348bb791f43655be4f0ee9bca8df89ae49

Download Submit
C:\Windows\svchost.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
C:\Windows\wininit.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
\??\c:\users\admin\appdata\roaming\icsys.ico.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
\??\c:\users\admin\appdata\roaming\spoolsv.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
\??\c:\windows\svchost.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
\??\c:\windows\wininit.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
\Users\Admin\AppData\Local\Temp\8a3811e5ccbc31361ebcf1451d69e406952f43c133779b0c25746fe5005eff9e.exe

Filesize
1.8MB

MD5
43d3c74e0a22dcc300743516b734430a

SHA1
631ae51036b809450b1ce58f0a484cf7c28e0964

SHA256
b1a15ed9c9012b18c7ab2122cf7d4cc777a5acf5bf68a98fee28f9b460d68bc9

SHA512
a13b1183ff7ed4bcce4fe023db05f33703864137d3ecd8e975b4e87102daa3aebbff0c5a6ee3dabe0ffe5266544989e679f96bb7030cfeb19bc04f030fac1867

Download Submit
\Users\Admin\AppData\Roaming\icsys.ico.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
\Users\Admin\AppData\Roaming\icsys.ico.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
2.9MB

MD5
6680c58eafb91f55c9b61a839c4fb947

SHA1
550db8a783fc1491901eeb11633347150070afa9

SHA256
b6b1a321af85038ead77a2a12860b6e3d4ca8520e1bb4666999844e5bde6c69a

SHA512
cc10d32a963997a306141ab9ee5b2ac2db8ee730232430e88a2f1be3a86ef37508dc4309d3c4cb7dd93d3c0b0277e1f7b5443125adcc4fb486c197bbc64b4ef5

Download Submit
memory/988-71-0x0000000000000000-mapping.dmp

Download
memory/1104-66-0x0000000000000000-mapping.dmp

Download
memory/1320-62-0x0000000000000000-mapping.dmp

Download
memory/1348-56-0x0000000000000000-mapping.dmp

Download
memory/1824-76-0x0000000000000000-mapping.dmp

Download
memory/2008-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download