lucastealer | ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

Analysis

max time kernel
62s
max time network
25s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
23-08-2023 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACNBZD.exe
Size

5.9MB
MD5

021079dc0918b9c7359e93e770678000
SHA1

70c03da6f7b339340b1943f5d0b7b1fd87579adf
SHA256

ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487
SHA512

9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0
SSDEEP

49152:CYnF4XAvvLEDnAby0/1lzR+aJAyPfugmqNiEQG8+ECYoue5S58pzEIOh4xsPub7T:z7OryzzCJf0zBxMkeWg+O2

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b016-7.dat	family_lucastealer
behavioral1/files/0x000700000001b016-8.dat	family_lucastealer
behavioral1/files/0x000800000001b014-56.dat	family_lucastealer
behavioral1/files/0x000800000001b014-57.dat	family_lucastealer
behavioral1/files/0x000900000001b014-76.dat	family_lucastealer
behavioral1/files/0x000900000001b014-78.dat	family_lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 12 IoCs

pid	Process
4588	acnbzd.exe
3236	icsys.icn.exe
3784	explorer.exe
2624	spoolsv.exe
932	svchost.exe
816	spoolsv.exe
5088	acnbzd.exe
4848	icsys.icn.exe
400	explorer.exe
5064	acnbzd.exe
2420	icsys.icn.exe
3008	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3236	icsys.icn.exe
3236	icsys.icn.exe
3784	explorer.exe
3784	explorer.exe
3784	explorer.exe
3784	explorer.exe
3784	explorer.exe
3784	explorer.exe
3784	explorer.exe
3784	explorer.exe
3784	explorer.exe
3784	explorer.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
3784	explorer.exe
3784	explorer.exe
932	svchost.exe
932	svchost.exe
3784	explorer.exe
3784	explorer.exe
932	svchost.exe
932	svchost.exe
3784	explorer.exe
3784	explorer.exe
932	svchost.exe
932	svchost.exe
3784	explorer.exe
3784	explorer.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
3784	explorer.exe
932	svchost.exe
3784	explorer.exe
932	svchost.exe
3784	explorer.exe
932	svchost.exe
3784	explorer.exe
932	svchost.exe
932	svchost.exe
3784	explorer.exe
3784	explorer.exe
932	svchost.exe
932	svchost.exe
3784	explorer.exe
3784	explorer.exe
3784	explorer.exe
932	svchost.exe
932	svchost.exe
3784	explorer.exe
3784	explorer.exe
3784	explorer.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
932	svchost.exe
3784	explorer.exe
3784	explorer.exe
932	svchost.exe
3784	explorer.exe
932	svchost.exe
3784	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3784	explorer.exe
932	svchost.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2872	ACNBZD.exe
2872	ACNBZD.exe
3236	icsys.icn.exe
3236	icsys.icn.exe
3784	explorer.exe
3784	explorer.exe
2624	spoolsv.exe
2624	spoolsv.exe
932	svchost.exe
932	svchost.exe
816	spoolsv.exe
816	spoolsv.exe
3784	explorer.exe
3784	explorer.exe
2932	ACNBZD.exe
2932	ACNBZD.exe
4848	icsys.icn.exe
4848	icsys.icn.exe
400	explorer.exe
400	explorer.exe
4416	ACNBZD.exe
4416	ACNBZD.exe
2420	icsys.icn.exe
2420	icsys.icn.exe
3008	explorer.exe
3008	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4588	2872	ACNBZD.exe	70
PID 2872 wrote to memory of 4588	2872	ACNBZD.exe	70
PID 2872 wrote to memory of 3236	2872	ACNBZD.exe	72
PID 2872 wrote to memory of 3236	2872	ACNBZD.exe	72
PID 2872 wrote to memory of 3236	2872	ACNBZD.exe	72
PID 3236 wrote to memory of 3784	3236	icsys.icn.exe	73
PID 3236 wrote to memory of 3784	3236	icsys.icn.exe	73
PID 3236 wrote to memory of 3784	3236	icsys.icn.exe	73
PID 3784 wrote to memory of 2624	3784	explorer.exe	74
PID 3784 wrote to memory of 2624	3784	explorer.exe	74
PID 3784 wrote to memory of 2624	3784	explorer.exe	74
PID 2624 wrote to memory of 932	2624	spoolsv.exe	75
PID 2624 wrote to memory of 932	2624	spoolsv.exe	75
PID 2624 wrote to memory of 932	2624	spoolsv.exe	75
PID 932 wrote to memory of 816	932	svchost.exe	76
PID 932 wrote to memory of 816	932	svchost.exe	76
PID 932 wrote to memory of 816	932	svchost.exe	76
PID 932 wrote to memory of 4824	932	svchost.exe	77
PID 932 wrote to memory of 4824	932	svchost.exe	77
PID 932 wrote to memory of 4824	932	svchost.exe	77
PID 2932 wrote to memory of 5088	2932	ACNBZD.exe	84
PID 2932 wrote to memory of 5088	2932	ACNBZD.exe	84
PID 2932 wrote to memory of 4848	2932	ACNBZD.exe	85
PID 2932 wrote to memory of 4848	2932	ACNBZD.exe	85
PID 2932 wrote to memory of 4848	2932	ACNBZD.exe	85
PID 4848 wrote to memory of 400	4848	icsys.icn.exe	86
PID 4848 wrote to memory of 400	4848	icsys.icn.exe	86
PID 4848 wrote to memory of 400	4848	icsys.icn.exe	86
PID 4416 wrote to memory of 5064	4416	ACNBZD.exe	88
PID 4416 wrote to memory of 5064	4416	ACNBZD.exe	88
PID 4416 wrote to memory of 2420	4416	ACNBZD.exe	89
PID 4416 wrote to memory of 2420	4416	ACNBZD.exe	89
PID 4416 wrote to memory of 2420	4416	ACNBZD.exe	89
PID 2420 wrote to memory of 3008	2420	icsys.icn.exe	90
PID 2420 wrote to memory of 3008	2420	icsys.icn.exe	90
PID 2420 wrote to memory of 3008	2420	icsys.icn.exe	90

C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe
"C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872
- \??\c:\users\admin\appdata\local\temp\acnbzd.exe
  c:\users\admin\appdata\local\temp\acnbzd.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3236
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2624
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:932
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:816
      - C:\Windows\SysWOW64\at.exe
        
        at 22:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:4824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe
"C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932
- \??\c:\users\admin\appdata\local\temp\acnbzd.exe
  c:\users\admin\appdata\local\temp\acnbzd.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4848
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:400

C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe
"C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4416
- \??\c:\users\admin\appdata\local\temp\acnbzd.exe
  c:\users\admin\appdata\local\temp\acnbzd.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2420
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\acnbzd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\Temp\acnbzd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\Temp\acnbzd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\Temp\acnbzd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
5249da132d888c8051255ab3b0f904d8

SHA1
545074adf5fd683e8b2a4d95da10e83b1a5f1091

SHA256
b9e38c87b9317e89d40bac2ae0b4eda3bbdcd2ce153bb48e5b8dd34b625d0f4c

SHA512
232d14731b57b53218a933c686f61e4eced02f2e2dbb342607756e15e2b94e1c5e0e154aae4144c376914e1c8fb11cfeeb3b2fbdb4e787a1ff2fed8c0ffead49

Download Submit
C:\Windows\System\explorer.exe

Filesize
207KB

MD5
83761b9c6644c228197a796eb0d305d6

SHA1
209156a8487cc9a27a74b39f4e9e5a7b16af2878

SHA256
c8a4f1fcf9e24b412670e8355cc830854456322e3c0d672beaa923676df496d6

SHA512
8190c333bc912f5ec979404114c4717cf17b7a880d0b11718e14722a93cec78a4dab26e40b8f44e9e095e10a50eb26143d5b03f5949027c794031aa1fadc4f74

Download Submit
C:\Windows\System\explorer.exe

Filesize
207KB

MD5
83761b9c6644c228197a796eb0d305d6

SHA1
209156a8487cc9a27a74b39f4e9e5a7b16af2878

SHA256
c8a4f1fcf9e24b412670e8355cc830854456322e3c0d672beaa923676df496d6

SHA512
8190c333bc912f5ec979404114c4717cf17b7a880d0b11718e14722a93cec78a4dab26e40b8f44e9e095e10a50eb26143d5b03f5949027c794031aa1fadc4f74

Download Submit
C:\Windows\System\explorer.exe

Filesize
207KB

MD5
83761b9c6644c228197a796eb0d305d6

SHA1
209156a8487cc9a27a74b39f4e9e5a7b16af2878

SHA256
c8a4f1fcf9e24b412670e8355cc830854456322e3c0d672beaa923676df496d6

SHA512
8190c333bc912f5ec979404114c4717cf17b7a880d0b11718e14722a93cec78a4dab26e40b8f44e9e095e10a50eb26143d5b03f5949027c794031aa1fadc4f74

Download Submit
C:\Windows\System\explorer.exe

Filesize
207KB

MD5
83761b9c6644c228197a796eb0d305d6

SHA1
209156a8487cc9a27a74b39f4e9e5a7b16af2878

SHA256
c8a4f1fcf9e24b412670e8355cc830854456322e3c0d672beaa923676df496d6

SHA512
8190c333bc912f5ec979404114c4717cf17b7a880d0b11718e14722a93cec78a4dab26e40b8f44e9e095e10a50eb26143d5b03f5949027c794031aa1fadc4f74

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
8a599040c71f9e0706de09c42f3c4b44

SHA1
930c1483e6db5ef6e141527eeb2642e0a6e576f9

SHA256
80c8bcba6b3048125c8cc1d57c4c4de1dbc34d0b897d75dce013754caea0d894

SHA512
5049485b7396967a6e73227883aa9ec553b0cd1833fc236610fb755a3f2c0aa5021a46cf4c6fe0b3fee6fb01c3b985cff365e3b6c437515c927b14cb3959d88f

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
8a599040c71f9e0706de09c42f3c4b44

SHA1
930c1483e6db5ef6e141527eeb2642e0a6e576f9

SHA256
80c8bcba6b3048125c8cc1d57c4c4de1dbc34d0b897d75dce013754caea0d894

SHA512
5049485b7396967a6e73227883aa9ec553b0cd1833fc236610fb755a3f2c0aa5021a46cf4c6fe0b3fee6fb01c3b985cff365e3b6c437515c927b14cb3959d88f

Download Submit
C:\Windows\System\svchost.exe

Filesize
207KB

MD5
54928efe8cb978e87e237a311c7aeaf3

SHA1
28b27ee4ce85a090bd421f25287000d4c0c9b3ae

SHA256
deae3983ec68be6f49c272c1b7300af94da6b2f30f216943775426667a53e721

SHA512
d444c96c1f0986d1ee1f3f97f5f7275c9d2e0b927af6ed6da2fe852b7bcf78eeca0e396d4526516cc365ba7b2c1ba660fdd7b36151fde22bd6473bb19bf93a89

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
\??\c:\users\admin\appdata\local\temp\acnbzd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\??\c:\users\admin\appdata\local\temp\acnbzd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
207KB

MD5
83761b9c6644c228197a796eb0d305d6

SHA1
209156a8487cc9a27a74b39f4e9e5a7b16af2878

SHA256
c8a4f1fcf9e24b412670e8355cc830854456322e3c0d672beaa923676df496d6

SHA512
8190c333bc912f5ec979404114c4717cf17b7a880d0b11718e14722a93cec78a4dab26e40b8f44e9e095e10a50eb26143d5b03f5949027c794031aa1fadc4f74

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
8a599040c71f9e0706de09c42f3c4b44

SHA1
930c1483e6db5ef6e141527eeb2642e0a6e576f9

SHA256
80c8bcba6b3048125c8cc1d57c4c4de1dbc34d0b897d75dce013754caea0d894

SHA512
5049485b7396967a6e73227883aa9ec553b0cd1833fc236610fb755a3f2c0aa5021a46cf4c6fe0b3fee6fb01c3b985cff365e3b6c437515c927b14cb3959d88f

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
207KB

MD5
54928efe8cb978e87e237a311c7aeaf3

SHA1
28b27ee4ce85a090bd421f25287000d4c0c9b3ae

SHA256
deae3983ec68be6f49c272c1b7300af94da6b2f30f216943775426667a53e721

SHA512
d444c96c1f0986d1ee1f3f97f5f7275c9d2e0b927af6ed6da2fe852b7bcf78eeca0e396d4526516cc365ba7b2c1ba660fdd7b36151fde22bd6473bb19bf93a89

Download Submit
memory/400-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-43-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2872-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2932-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3236-46-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4416-91-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-70-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-61-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download