9efd5581999106d0520020ed66d17aef694b3fe254e334a527fb438f8fd9adc2

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
Size

6.4MB
MD5

11725bb195ddd9e153cfe77b3946f430
SHA1

56105f67b97ae3efbcdc000a57defb2c6c48b362
SHA256

9efd5581999106d0520020ed66d17aef694b3fe254e334a527fb438f8fd9adc2
SHA512

b055a72c9d05ec3d9cb415dd07c0986187e282db247bd74d2ac13d77836e24b8a67acc48cae84d4a8facc1dc6d4a1874926d147ffb53ca7482923aea762f3fc4
SSDEEP

98304:Insmtk2aMrUaJqnvEN/yylHnXvJX9w7YqBEywGxj8yGzjGhDNvPQPMzY:WL3AuqnvEN/yyJnXvxy8SwGxjTGz1kE

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 11 IoCs

pid	Process
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1908	Synaptics.exe
4076	._cache_Synaptics.exe
1068	._cache_neas.11725bb195ddd9e153cfe77b3946f430_jc.exe
1464	._cache_synaptics.exe
4788	icsys.icn.exe
772	icsys.icn.exe
2112	explorer.exe
4216	spoolsv.exe
4716	svchost.exe
3488	spoolsv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2112	explorer.exe
4716	svchost.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
4076	._cache_Synaptics.exe
4076	._cache_Synaptics.exe
4788	icsys.icn.exe
772	icsys.icn.exe
4788	icsys.icn.exe
772	icsys.icn.exe
2112	explorer.exe
2112	explorer.exe
4216	spoolsv.exe
4216	spoolsv.exe
4716	svchost.exe
4716	svchost.exe
3488	spoolsv.exe
3488	spoolsv.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1924	2808	NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	89
PID 2808 wrote to memory of 1924	2808	NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	89
PID 2808 wrote to memory of 1924	2808	NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	89
PID 2808 wrote to memory of 1908	2808	NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	90
PID 2808 wrote to memory of 1908	2808	NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	90
PID 2808 wrote to memory of 1908	2808	NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	90
PID 1908 wrote to memory of 4076	1908	Synaptics.exe	92
PID 1908 wrote to memory of 4076	1908	Synaptics.exe	92
PID 1908 wrote to memory of 4076	1908	Synaptics.exe	92
PID 1924 wrote to memory of 1068	1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	93
PID 1924 wrote to memory of 1068	1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	93
PID 1924 wrote to memory of 1068	1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	93
PID 4076 wrote to memory of 1464	4076	._cache_Synaptics.exe	94
PID 4076 wrote to memory of 1464	4076	._cache_Synaptics.exe	94
PID 4076 wrote to memory of 1464	4076	._cache_Synaptics.exe	94
PID 1924 wrote to memory of 4788	1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	96
PID 1924 wrote to memory of 4788	1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	96
PID 1924 wrote to memory of 4788	1924	._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe	96
PID 4076 wrote to memory of 772	4076	._cache_Synaptics.exe	97
PID 4076 wrote to memory of 772	4076	._cache_Synaptics.exe	97
PID 4076 wrote to memory of 772	4076	._cache_Synaptics.exe	97
PID 4788 wrote to memory of 2112	4788	icsys.icn.exe	98
PID 4788 wrote to memory of 2112	4788	icsys.icn.exe	98
PID 4788 wrote to memory of 2112	4788	icsys.icn.exe	98
PID 2112 wrote to memory of 4216	2112	explorer.exe	99
PID 2112 wrote to memory of 4216	2112	explorer.exe	99
PID 2112 wrote to memory of 4216	2112	explorer.exe	99
PID 4216 wrote to memory of 4716	4216	spoolsv.exe	100
PID 4216 wrote to memory of 4716	4216	spoolsv.exe	100
PID 4216 wrote to memory of 4716	4216	spoolsv.exe	100
PID 4716 wrote to memory of 3488	4716	svchost.exe	102
PID 4716 wrote to memory of 3488	4716	svchost.exe	102
PID 4716 wrote to memory of 3488	4716	svchost.exe	102

C:\Users\Admin\AppData\Local\Temp\NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1924
- - \??\c:\users\admin\appdata\local\temp\._cache_neas.11725bb195ddd9e153cfe77b3946f430_jc.exe
    c:\users\admin\appdata\local\temp\._cache_neas.11725bb195ddd9e153cfe77b3946f430_jc.exe
    3⤵
    - Executes dropped EXE
    PID:1068
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2112
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4216
      - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        6⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3488
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      PID:1464
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.4MB

MD5
11725bb195ddd9e153cfe77b3946f430

SHA1
56105f67b97ae3efbcdc000a57defb2c6c48b362

SHA256
9efd5581999106d0520020ed66d17aef694b3fe254e334a527fb438f8fd9adc2

SHA512
b055a72c9d05ec3d9cb415dd07c0986187e282db247bd74d2ac13d77836e24b8a67acc48cae84d4a8facc1dc6d4a1874926d147ffb53ca7482923aea762f3fc4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.4MB

MD5
11725bb195ddd9e153cfe77b3946f430

SHA1
56105f67b97ae3efbcdc000a57defb2c6c48b362

SHA256
9efd5581999106d0520020ed66d17aef694b3fe254e334a527fb438f8fd9adc2

SHA512
b055a72c9d05ec3d9cb415dd07c0986187e282db247bd74d2ac13d77836e24b8a67acc48cae84d4a8facc1dc6d4a1874926d147ffb53ca7482923aea762f3fc4

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
6.4MB

MD5
11725bb195ddd9e153cfe77b3946f430

SHA1
56105f67b97ae3efbcdc000a57defb2c6c48b362

SHA256
9efd5581999106d0520020ed66d17aef694b3fe254e334a527fb438f8fd9adc2

SHA512
b055a72c9d05ec3d9cb415dd07c0986187e282db247bd74d2ac13d77836e24b8a67acc48cae84d4a8facc1dc6d4a1874926d147ffb53ca7482923aea762f3fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe

Filesize
5.6MB

MD5
c4a9333222e91fbb7b20476224fa9cd4

SHA1
ea61942247a448f09281c983ee4fdf433eb8258a

SHA256
ffc094e349fa3d55c3b8f1be8309cf1387f3b52838f5f4eeaf741f280be508b0

SHA512
14b8ec8a9e416f1afbb84977690cc62ff4cb0616a4f8639971dbfd81786f20c5b6f5152705d94b72d575eeb05e0b8f25422d787304dd1b31bdf538e365f90ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe

Filesize
5.6MB

MD5
c4a9333222e91fbb7b20476224fa9cd4

SHA1
ea61942247a448f09281c983ee4fdf433eb8258a

SHA256
ffc094e349fa3d55c3b8f1be8309cf1387f3b52838f5f4eeaf741f280be508b0

SHA512
14b8ec8a9e416f1afbb84977690cc62ff4cb0616a4f8639971dbfd81786f20c5b6f5152705d94b72d575eeb05e0b8f25422d787304dd1b31bdf538e365f90ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_NEAS.11725bb195ddd9e153cfe77b3946f430_JC.exe

Filesize
5.6MB

MD5
c4a9333222e91fbb7b20476224fa9cd4

SHA1
ea61942247a448f09281c983ee4fdf433eb8258a

SHA256
ffc094e349fa3d55c3b8f1be8309cf1387f3b52838f5f4eeaf741f280be508b0

SHA512
14b8ec8a9e416f1afbb84977690cc62ff4cb0616a4f8639971dbfd81786f20c5b6f5152705d94b72d575eeb05e0b8f25422d787304dd1b31bdf538e365f90ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
5.6MB

MD5
c4a9333222e91fbb7b20476224fa9cd4

SHA1
ea61942247a448f09281c983ee4fdf433eb8258a

SHA256
ffc094e349fa3d55c3b8f1be8309cf1387f3b52838f5f4eeaf741f280be508b0

SHA512
14b8ec8a9e416f1afbb84977690cc62ff4cb0616a4f8639971dbfd81786f20c5b6f5152705d94b72d575eeb05e0b8f25422d787304dd1b31bdf538e365f90ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
5.6MB

MD5
c4a9333222e91fbb7b20476224fa9cd4

SHA1
ea61942247a448f09281c983ee4fdf433eb8258a

SHA256
ffc094e349fa3d55c3b8f1be8309cf1387f3b52838f5f4eeaf741f280be508b0

SHA512
14b8ec8a9e416f1afbb84977690cc62ff4cb0616a4f8639971dbfd81786f20c5b6f5152705d94b72d575eeb05e0b8f25422d787304dd1b31bdf538e365f90ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_neas.11725bb195ddd9e153cfe77b3946f430_jc.exe

Filesize
5.5MB

MD5
3079d656c516cf835833eb1f9b55b168

SHA1
c481b5c48f94adb20c00eff9352cc8420707cc7d

SHA256
3ecd6941f24243cc933a9f202516dabc5d102f1d0469e8627fe7026735a4fc3f

SHA512
50c29bfd7e3577d6f39c81f0a4734f89733c40c06eaa7e468bb8a6a4f86cb163834af1806db92bd5bba53ede4a1a2b38f97c3ad695f7139f901bc30502248dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe

Filesize
5.5MB

MD5
3079d656c516cf835833eb1f9b55b168

SHA1
c481b5c48f94adb20c00eff9352cc8420707cc7d

SHA256
3ecd6941f24243cc933a9f202516dabc5d102f1d0469e8627fe7026735a4fc3f

SHA512
50c29bfd7e3577d6f39c81f0a4734f89733c40c06eaa7e468bb8a6a4f86cb163834af1806db92bd5bba53ede4a1a2b38f97c3ad695f7139f901bc30502248dc9

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
f78e2932bc75ff8de2bbd5e828a8729d

SHA1
f2b330daf0a3a5c5e0f2379abe7b776e8aea89bb

SHA256
d4ee25930180f0fb2ed2694fd3a6d7c1091e96d5849c5752db52e49d4f47ff1a

SHA512
584f7af46ecdf1e39ef32414e6b9efbddb02960e16ce02cac1658cd9062f63095c72569acb708e180386016eebb4bad797ca32de6d943cd6c32196d522fd8524

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
571ac3b92ba66dabdfc733dbaacff5ee

SHA1
52310cdaed6988871d7181c7fa042ed14c167ca1

SHA256
dda150595bbd4e6198f604ab3fdffdda5a0d02a35f2e6c918ef7e6622342018c

SHA512
997475cf4383cc4c55d533617ba42a2582d52c9e63220a9caf9781437b07f482d8e00cb201c96e3c92f09c7dd6d37a34a6d7982f8755188c88f750e3db0a8079

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
571ac3b92ba66dabdfc733dbaacff5ee

SHA1
52310cdaed6988871d7181c7fa042ed14c167ca1

SHA256
dda150595bbd4e6198f604ab3fdffdda5a0d02a35f2e6c918ef7e6622342018c

SHA512
997475cf4383cc4c55d533617ba42a2582d52c9e63220a9caf9781437b07f482d8e00cb201c96e3c92f09c7dd6d37a34a6d7982f8755188c88f750e3db0a8079

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
571ac3b92ba66dabdfc733dbaacff5ee

SHA1
52310cdaed6988871d7181c7fa042ed14c167ca1

SHA256
dda150595bbd4e6198f604ab3fdffdda5a0d02a35f2e6c918ef7e6622342018c

SHA512
997475cf4383cc4c55d533617ba42a2582d52c9e63220a9caf9781437b07f482d8e00cb201c96e3c92f09c7dd6d37a34a6d7982f8755188c88f750e3db0a8079

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
571ac3b92ba66dabdfc733dbaacff5ee

SHA1
52310cdaed6988871d7181c7fa042ed14c167ca1

SHA256
dda150595bbd4e6198f604ab3fdffdda5a0d02a35f2e6c918ef7e6622342018c

SHA512
997475cf4383cc4c55d533617ba42a2582d52c9e63220a9caf9781437b07f482d8e00cb201c96e3c92f09c7dd6d37a34a6d7982f8755188c88f750e3db0a8079

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
de1778cc91c3ee45fa3cae9b72fff791

SHA1
ea35139b8fbc313773c58219e181e04ee1c5e4dc

SHA256
51006daaa132404d4510f358a0384f0fb367d8f1deda33bb4b91e4a76a95c79b

SHA512
1c31295574ec547e022071e62afade6963f6803428a96b423ffadfce8bddcd42da3f84296ecb309b9fb93b3a0d903860a11027ba435d0ce2f18e6e6214de082e

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
de1778cc91c3ee45fa3cae9b72fff791

SHA1
ea35139b8fbc313773c58219e181e04ee1c5e4dc

SHA256
51006daaa132404d4510f358a0384f0fb367d8f1deda33bb4b91e4a76a95c79b

SHA512
1c31295574ec547e022071e62afade6963f6803428a96b423ffadfce8bddcd42da3f84296ecb309b9fb93b3a0d903860a11027ba435d0ce2f18e6e6214de082e

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
eca4a78f0902e9b6c991ca2b7eea008e

SHA1
e6481549624c3e2a284b8e5a3e93e4aa3374c46c

SHA256
62b4adf72bdbfa607aec7ba571dca7faa0427aca37d1071feca73ab44b5e4eca

SHA512
9dd3fc4a3f2d62b320367ff2740a5b36f0c1eac94d027d94a4061dbc17026dfbaf31c281e8ee3308ac491c27a811672c8de85323d4d453af95178a6b5f9e04a5

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
de1778cc91c3ee45fa3cae9b72fff791

SHA1
ea35139b8fbc313773c58219e181e04ee1c5e4dc

SHA256
51006daaa132404d4510f358a0384f0fb367d8f1deda33bb4b91e4a76a95c79b

SHA512
1c31295574ec547e022071e62afade6963f6803428a96b423ffadfce8bddcd42da3f84296ecb309b9fb93b3a0d903860a11027ba435d0ce2f18e6e6214de082e

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
eca4a78f0902e9b6c991ca2b7eea008e

SHA1
e6481549624c3e2a284b8e5a3e93e4aa3374c46c

SHA256
62b4adf72bdbfa607aec7ba571dca7faa0427aca37d1071feca73ab44b5e4eca

SHA512
9dd3fc4a3f2d62b320367ff2740a5b36f0c1eac94d027d94a4061dbc17026dfbaf31c281e8ee3308ac491c27a811672c8de85323d4d453af95178a6b5f9e04a5

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
f78e2932bc75ff8de2bbd5e828a8729d

SHA1
f2b330daf0a3a5c5e0f2379abe7b776e8aea89bb

SHA256
d4ee25930180f0fb2ed2694fd3a6d7c1091e96d5849c5752db52e49d4f47ff1a

SHA512
584f7af46ecdf1e39ef32414e6b9efbddb02960e16ce02cac1658cd9062f63095c72569acb708e180386016eebb4bad797ca32de6d943cd6c32196d522fd8524

Download Submit
memory/772-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-136-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1908-247-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1908-277-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/1908-255-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/1924-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1924-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2808-0-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2808-133-0x0000000000400000-0x0000000000A61000-memory.dmp

Filesize
6.4MB

Download
memory/3488-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4076-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4216-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4716-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4788-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4788-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download