lucastealer | 82bda718a2a0809e9ced3caf31de70eb187447ccf49e7d2d282bd72b5f9c1676

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
Size

8.7MB
MD5

6b0956eb828c9de80de6e4144e904ae0
SHA1

03099bf11297cdc15badd3dc651c273302e80807
SHA256

82bda718a2a0809e9ced3caf31de70eb187447ccf49e7d2d282bd72b5f9c1676
SHA512

6de681405d76a368593e6fb606f531301767b02f47033d7de4a45aac28ce6eb3e49f91e3aebc8fd2d5d2fc74c916d1b7f9e2f5709e13120b796d7e297cf67908
SSDEEP

196608:Lc1z3ltL5LdGVzu+lKc1z3ltL5LdGVzu+lw:L05LdGVzBo05LdGVzBa

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

Drops startup file 1 IoCs

Processes:

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PTTWEY.lnk	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe

Executes dropped EXE 8 IoCs

Processes:

RDEHKD.exeRACHIY.exerdehkd.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
4064	RDEHKD.exe
792	RACHIY.exe
1364	rdehkd.exe
4304	icsys.icn.exe
3652	explorer.exe
944	spoolsv.exe
5064	svchost.exe
4308	spoolsv.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exeexplorer.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PTTWEY = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\""	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
68	0.tcp.sa.ngrok.io
23	0.tcp.sa.ngrok.io
51	0.tcp.sa.ngrok.io

Drops file in Windows directory 6 IoCs

Processes:

icsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exeicsys.icn.exeexplorer.exesvchost.exe

pid	Process
4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
4304	icsys.icn.exe
4304	icsys.icn.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe
5064	svchost.exe
5064	svchost.exe
3652	explorer.exe
3652	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exeexplorer.exesvchost.exe

pid	Process
4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
3652	explorer.exe
5064	svchost.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

RDEHKD.exeRACHIY.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	Process
4064	RDEHKD.exe
4064	RDEHKD.exe
792	RACHIY.exe
4304	icsys.icn.exe
4304	icsys.icn.exe
3652	explorer.exe
3652	explorer.exe
944	spoolsv.exe
944	spoolsv.exe
5064	svchost.exe
5064	svchost.exe
4308	spoolsv.exe
4308	spoolsv.exe
3652	explorer.exe
3652	explorer.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exeRDEHKD.execmd.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	Process	procid_target
PID 4440 wrote to memory of 4064	4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	84
PID 4440 wrote to memory of 4064	4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	84
PID 4440 wrote to memory of 4064	4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	84
PID 4440 wrote to memory of 792	4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	87
PID 4440 wrote to memory of 792	4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	87
PID 4440 wrote to memory of 792	4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	87
PID 4440 wrote to memory of 4996	4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	89
PID 4440 wrote to memory of 4996	4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	89
PID 4440 wrote to memory of 4996	4440	6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe	89
PID 4064 wrote to memory of 1364	4064	RDEHKD.exe	88
PID 4064 wrote to memory of 1364	4064	RDEHKD.exe	88
PID 4996 wrote to memory of 696	4996	cmd.exe	92
PID 4996 wrote to memory of 696	4996	cmd.exe	92
PID 4996 wrote to memory of 696	4996	cmd.exe	92
PID 4064 wrote to memory of 4304	4064	RDEHKD.exe	94
PID 4064 wrote to memory of 4304	4064	RDEHKD.exe	94
PID 4064 wrote to memory of 4304	4064	RDEHKD.exe	94
PID 4304 wrote to memory of 3652	4304	icsys.icn.exe	95
PID 4304 wrote to memory of 3652	4304	icsys.icn.exe	95
PID 4304 wrote to memory of 3652	4304	icsys.icn.exe	95
PID 3652 wrote to memory of 944	3652	explorer.exe	96
PID 3652 wrote to memory of 944	3652	explorer.exe	96
PID 3652 wrote to memory of 944	3652	explorer.exe	96
PID 944 wrote to memory of 5064	944	spoolsv.exe	97
PID 944 wrote to memory of 5064	944	spoolsv.exe	97
PID 944 wrote to memory of 5064	944	spoolsv.exe	97
PID 5064 wrote to memory of 4308	5064	svchost.exe	98
PID 5064 wrote to memory of 4308	5064	svchost.exe	98
PID 5064 wrote to memory of 4308	5064	svchost.exe	98
PID 5064 wrote to memory of 3284	5064	svchost.exe	99
PID 5064 wrote to memory of 3284	5064	svchost.exe	99
PID 5064 wrote to memory of 3284	5064	svchost.exe	99
PID 5064 wrote to memory of 1848	5064	svchost.exe	112
PID 5064 wrote to memory of 1848	5064	svchost.exe	112
PID 5064 wrote to memory of 1848	5064	svchost.exe	112
PID 5064 wrote to memory of 3944	5064	svchost.exe	121
PID 5064 wrote to memory of 3944	5064	svchost.exe	121
PID 5064 wrote to memory of 3944	5064	svchost.exe	121

C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b0956eb828c9de80de6e4144e904ae0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe
  "C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4064
- - \??\c:\users\admin\appdata\local\temp\rdehkd.exe
    c:\users\admin\appdata\local\temp\rdehkd.exe
    3⤵
    - Executes dropped EXE
    PID:1364
- - C:\Users\Admin\AppData\Local\icsys.icn.exe
    C:\Users\Admin\AppData\Local\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:944
      - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4308
        
        C:\Windows\SysWOW64\at.exe
        
        at 22:36 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\at.exe
        
        at 22:37 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\at.exe
        
        at 22:38 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        7⤵
        
        PID:3944
- C:\Users\Admin\AppData\Local\Temp\RACHIY.exe
  "C:\Users\Admin\AppData\Local\Temp\RACHIY.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn PTTWEY.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RACHIY.exe

Filesize
74KB

MD5
dcdc109069b6e0d80d776c143fecde3f

SHA1
761589c94ba8c2fd57d3ae9666a0fdc0d1b72eb5

SHA256
fe44f050ab9ea33f87acef449ed57157a331a19956207d6243522676c894e284

SHA512
85365775caa1f85c585b4979519357421ec0239d900513c0aadf28d9d238f6548164c3573141b3e272a6d4376129204a7ceba9b2c4b31c8fbdfd13cb814b73b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RDEHKD.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdehkd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
5df1e6298db0f0a4d533fb3ccf3571b8

SHA1
8026a4d428f3f616b93311f31ee3a81e3e987e37

SHA256
016c0eaac7627de3ad8b42938358a55653fbb6c76601e29d054479c493f720c0

SHA512
b272fb6c9707436cfd522abf526a5f65b01f5bb0b813407368133f60e06e7407acadb734dea077d8f93dc20cfa689905ef1601820c499eb654ce07544b43ed7b

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
a412387d693f3d2a22d0ea0594497e51

SHA1
81a677a5437d376c96b0f7301ed9eada4cb1ed17

SHA256
2286e097266ef6b5d9fbc6a913fee97ea860488ab06a9ed83d8b8b1874870ff0

SHA512
003f819c50bfc4113b22a163f0569ba63f88f0bb167d89de0523087fd9dc74278d7baca4413b440d16ce277c88b62e16a4c3f728c526909fda10119ce2738edf

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
c8a57d85770b419393b32863b1daee97

SHA1
3fcbd1c1412b6b0f9b4950257f6dae64f1c8ea23

SHA256
212080b88ed8c7989e05a1b9044702250d6bb3b4895815469f641caad53811bb

SHA512
17ff3ab49cc55acf32429d126171a3355540d30d4349e916b38e89e34f9ba40bdc5e381461d20ee26b380dbfd5718dd96cd9e0491fb909d20a88a76301f79e51

Download Submit
C:\Windows\System\svchost.exe

Filesize
206KB

MD5
914673296b3888ec694ea20daad9baf4

SHA1
b05ee49e8b02d2fe6c5ceb6c27e95a0c50770f19

SHA256
5b2b2105a567cd787fb6c57b1cfd93e0f3278923e31bfecc8dc35115da926921

SHA512
a2fd402619851215cc60745abd3196640b6d70b91292d7371adedcf1d7b090b7e069bcaaa6d67facfe64049e6a07c50726bb5211ae6efda3cf1063094267f34b

Download Submit
\??\PIPE\atsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/792-82-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/944-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/944-78-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4064-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4308-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download