lucastealer | 82bda718a2a0809e9ced3caf31de70eb187447ccf49e7d2d282bd72b5f9c1676

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
Size

8.7MB
MD5

6b0956eb828c9de80de6e4144e904ae0
SHA1

03099bf11297cdc15badd3dc651c273302e80807
SHA256

82bda718a2a0809e9ced3caf31de70eb187447ccf49e7d2d282bd72b5f9c1676
SHA512

6de681405d76a368593e6fb606f531301767b02f47033d7de4a45aac28ce6eb3e49f91e3aebc8fd2d5d2fc74c916d1b7f9e2f5709e13120b796d7e297cf67908
SSDEEP

196608:Lc1z3ltL5LdGVzu+lKc1z3ltL5LdGVzu+lw:L05LdGVzBo05LdGVzBa

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Drops startup file 1 IoCs

Processes:

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PTTWEY.lnk	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

Executes dropped EXE 8 IoCs

Processes:

RDEHKD.exerdehkd.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeRACHIY.exe

pid process

2888 RDEHKD.exe
2752 rdehkd.exe
2368 icsys.icn.exe
1224 explorer.exe
2704 spoolsv.exe
1540 svchost.exe
1736 spoolsv.exe
2092 RACHIY.exe

Loads dropped DLL 20 IoCs

Processes:

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exeRDEHKD.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

pid	process
1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
2888	RDEHKD.exe
2888	RDEHKD.exe
2888	RDEHKD.exe
2888	RDEHKD.exe
2368	icsys.icn.exe
2368	icsys.icn.exe
1224	explorer.exe
1224	explorer.exe
2704	spoolsv.exe
2704	spoolsv.exe
1540	svchost.exe
1540	svchost.exe
1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\PTTWEY = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\""	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

2 0.tcp.sa.ngrok.io
5 0.tcp.sa.ngrok.io
8 0.tcp.sa.ngrok.io

flow	ioc
2	0.tcp.sa.ngrok.io
5	0.tcp.sa.ngrok.io
8	0.tcp.sa.ngrok.io

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2784 schtasks.exe

pid	process
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

pid	process
2368	icsys.icn.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1224	explorer.exe
1540	svchost.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1540	svchost.exe
1224	explorer.exe
1224	explorer.exe
1540	svchost.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1540	svchost.exe
1224	explorer.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe
1224	explorer.exe
1540	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exeexplorer.exesvchost.exe

pid process

1956 6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
1224 explorer.exe
1540 svchost.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

RDEHKD.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
2888	RDEHKD.exe
2888	RDEHKD.exe
2368	icsys.icn.exe
2368	icsys.icn.exe
1224	explorer.exe
1224	explorer.exe
2704	spoolsv.exe
2704	spoolsv.exe
1540	svchost.exe
1540	svchost.exe
1736	spoolsv.exe
1736	spoolsv.exe
1224	explorer.exe
1224	explorer.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exeRDEHKD.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.execmd.exe

description	pid	process	target process
PID 1956 wrote to memory of 2888	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	RDEHKD.exe
PID 1956 wrote to memory of 2888	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	RDEHKD.exe
PID 1956 wrote to memory of 2888	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	RDEHKD.exe
PID 1956 wrote to memory of 2888	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	RDEHKD.exe
PID 2888 wrote to memory of 2752	2888	RDEHKD.exe	rdehkd.exe
PID 2888 wrote to memory of 2752	2888	RDEHKD.exe	rdehkd.exe
PID 2888 wrote to memory of 2752	2888	RDEHKD.exe	rdehkd.exe
PID 2888 wrote to memory of 2752	2888	RDEHKD.exe	rdehkd.exe
PID 2888 wrote to memory of 2368	2888	RDEHKD.exe	icsys.icn.exe
PID 2888 wrote to memory of 2368	2888	RDEHKD.exe	icsys.icn.exe
PID 2888 wrote to memory of 2368	2888	RDEHKD.exe	icsys.icn.exe
PID 2888 wrote to memory of 2368	2888	RDEHKD.exe	icsys.icn.exe
PID 2368 wrote to memory of 1224	2368	icsys.icn.exe	explorer.exe
PID 2368 wrote to memory of 1224	2368	icsys.icn.exe	explorer.exe
PID 2368 wrote to memory of 1224	2368	icsys.icn.exe	explorer.exe
PID 2368 wrote to memory of 1224	2368	icsys.icn.exe	explorer.exe
PID 1224 wrote to memory of 2704	1224	explorer.exe	spoolsv.exe
PID 1224 wrote to memory of 2704	1224	explorer.exe	spoolsv.exe
PID 1224 wrote to memory of 2704	1224	explorer.exe	spoolsv.exe
PID 1224 wrote to memory of 2704	1224	explorer.exe	spoolsv.exe
PID 2704 wrote to memory of 1540	2704	spoolsv.exe	svchost.exe
PID 2704 wrote to memory of 1540	2704	spoolsv.exe	svchost.exe
PID 2704 wrote to memory of 1540	2704	spoolsv.exe	svchost.exe
PID 2704 wrote to memory of 1540	2704	spoolsv.exe	svchost.exe
PID 1540 wrote to memory of 1736	1540	svchost.exe	spoolsv.exe
PID 1540 wrote to memory of 1736	1540	svchost.exe	spoolsv.exe
PID 1540 wrote to memory of 1736	1540	svchost.exe	spoolsv.exe
PID 1540 wrote to memory of 1736	1540	svchost.exe	spoolsv.exe
PID 1540 wrote to memory of 836	1540	svchost.exe	at.exe
PID 1540 wrote to memory of 836	1540	svchost.exe	at.exe
PID 1540 wrote to memory of 836	1540	svchost.exe	at.exe
PID 1540 wrote to memory of 836	1540	svchost.exe	at.exe
PID 1956 wrote to memory of 2092	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	RACHIY.exe
PID 1956 wrote to memory of 2092	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	RACHIY.exe
PID 1956 wrote to memory of 2092	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	RACHIY.exe
PID 1956 wrote to memory of 2092	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	RACHIY.exe
PID 1956 wrote to memory of 2532	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	cmd.exe
PID 1956 wrote to memory of 2532	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	cmd.exe
PID 1956 wrote to memory of 2532	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	cmd.exe
PID 1956 wrote to memory of 2532	1956	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	cmd.exe
PID 2532 wrote to memory of 2784	2532	cmd.exe	schtasks.exe
PID 2532 wrote to memory of 2784	2532	cmd.exe	schtasks.exe
PID 2532 wrote to memory of 2784	2532	cmd.exe	schtasks.exe
PID 2532 wrote to memory of 2784	2532	cmd.exe	schtasks.exe
PID 1540 wrote to memory of 1756	1540	svchost.exe	at.exe
PID 1540 wrote to memory of 1756	1540	svchost.exe	at.exe
PID 1540 wrote to memory of 1756	1540	svchost.exe	at.exe
PID 1540 wrote to memory of 1756	1540	svchost.exe	at.exe
PID 1540 wrote to memory of 1656	1540	svchost.exe	at.exe
PID 1540 wrote to memory of 1656	1540	svchost.exe	at.exe
PID 1540 wrote to memory of 1656	1540	svchost.exe	at.exe
PID 1540 wrote to memory of 1656	1540	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe
  "C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2888
- - \??\c:\users\admin\appdata\local\temp\rdehkd.exe
    c:\users\admin\appdata\local\temp\rdehkd.exe
    3⤵
    - Executes dropped EXE
    PID:2752
- - C:\Users\Admin\AppData\Local\icsys.icn.exe
    C:\Users\Admin\AppData\Local\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\SysWOW64\at.exe
        
        at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        
        PID:836
        
        C:\Windows\SysWOW64\at.exe
        
        at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\at.exe
        
        at 22:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        
        PID:1656
- C:\Users\Admin\AppData\Local\Temp\RACHIY.exe
  "C:\Users\Admin\AppData\Local\Temp\RACHIY.exe"
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RACHIY.exe

Filesize
74KB

MD5
dcdc109069b6e0d80d776c143fecde3f

SHA1
761589c94ba8c2fd57d3ae9666a0fdc0d1b72eb5

SHA256
fe44f050ab9ea33f87acef449ed57157a331a19956207d6243522676c894e284

SHA512
85365775caa1f85c585b4979519357421ec0239d900513c0aadf28d9d238f6548164c3573141b3e272a6d4376129204a7ceba9b2c4b31c8fbdfd13cb814b73b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdehkd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
855e286247e6a73977719e4bec501562

SHA1
77b8d6ffc7fe886dd0c249ff0d57b466f328ccf9

SHA256
c76c98550ca56e9bb8ec09dc024482f162b28a3487ef042d4ed81a92caa29851

SHA512
bfa2098503ba9bbd5cb3cfdf11bf05f4d4a5968619a07c9cdb879d0cb6bb8b34ffec57117852bdb8c6291c1e7b4bc06d6877cc0c2af8ad3a702736d132b4c6c3

Download Submit
C:\Windows\system\explorer.exe

Filesize
206KB

MD5
7ba7dfc262d0a0a04615a484a36a64c0

SHA1
c54a902910329110be1f27097dc6bc2c04ebf85a

SHA256
dd8ca270a71bb5eed659ec5581fdcbad62cf7647d8ade4f0584accb4053b242d

SHA512
8f4bd2f63987b26dbbb3b07fd5f5e9eb42ec29d6f9029d1135fea984c32dbe03c8b8fd8bb641c06bc30b0a96e0e383ced87ee64ccd2569b04945d1c886241eb3

Download Submit
C:\Windows\system\spoolsv.exe

Filesize
206KB

MD5
dd6eed7cccf0cfc3d4f939e51badfce8

SHA1
34498d8d8e80b264ed20785cb0e490cdd94644d6

SHA256
80fbf7ea2f08f692ea5ebbdc272848c01cd18cb9020a0907c78967a57f55925a

SHA512
a682f9131862ae17391e4afac298c38e676138451392a2d9b09be799d84ca8c3d88c29ca812d0791b09eafca6a11f3c2f7b9c0810c39a435437ec5bd60dd568a

Download Submit
C:\Windows\system\svchost.exe

Filesize
206KB

MD5
2cd861f4ceae87f5c11dc3a52fb78be8

SHA1
c6970ac238ea7bb722805360378c8ee37460e021

SHA256
eccec1f86730362438caf67ff99e70e38c51603442044661ae36bcf0a550b74d

SHA512
e8d63b4b09444fc9129e159d607cd5462d660382ca6b8d3f68d97de79aa125538946c4a6f5200c224c1f763e817bac36ec8c38a82cc45d257b7610f7631dd25f

Download Submit
\??\PIPE\atsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
\Users\Admin\AppData\Local\Temp\RDEHKD.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
memory/1736-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1956-21-0x0000000004140000-0x0000000004180000-memory.dmp

Filesize
256KB

Download
memory/1956-7-0x0000000004140000-0x0000000004180000-memory.dmp

Filesize
256KB

Download
memory/2092-119-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2368-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2368-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

pid	process
2888	RDEHKD.exe
2752	rdehkd.exe
2368	icsys.icn.exe
1224	explorer.exe
2704	spoolsv.exe
1540	svchost.exe
1736	spoolsv.exe
2092	RACHIY.exe