5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1

Resubmissions

20-06-2024 20:22

240620-y5qgrazfkk 10

20-06-2024 18:55

240620-xkvejawhkq 10

Analysis

max time kernel
52s
max time network
44s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

16.6MB
MD5

d4c24856daa2edf79bd799e83f0a7e68
SHA1

6d75c42674416078e020060ace152eb94b0a47fc
SHA256

5f423a4f624dbc6411dd0653fe49bb960a406ba099f20248d45fd91e9326c1e1
SHA512

6b94b058c08c33cebdbcf8af3c30aec45695cad4f210db76da19c61c057bbbb3383e380d05fd100b976a04c445f8c0283a87584d9ea2f0b3647ae9730b94aa81
SSDEEP

393216:qlJ41TXb46gZ9A9xLj7wAAA7AnxsdAAnBoVakGUIQUTAp:cKl4GL3X7eVAn6VakGUIop

Score

10^/10

evasion execution persistence trojan

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\winhb.sys	Loader.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe

Executes dropped EXE 7 IoCs

pid	Process
2188	loader.exe
2780	icsys.icn.exe
2712	explorer.exe
2980	spoolsv.exe
2528	svchost.exe
2620	spoolsv.exe
2432	Loader.exe

Loads dropped DLL 11 IoCs

pid	Process
3032	Loader.exe
3032	Loader.exe
2388	Process not Found
2780	icsys.icn.exe
2712	explorer.exe
2980	spoolsv.exe
2528	svchost.exe
1360	Process not Found
2188	loader.exe
2428	Process not Found
1360	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	loader.exe
File opened for modification	C:\Windows\System32\IME\SHARED\namef.ini	loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader.exe
File opened for modification	C:\Windows\System32\IME\SHARED\namef.ini	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2188	loader.exe
2432	Loader.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Loader.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1092	sc.exe
1720	sc.exe
1768	sc.exe
2248	sc.exe
1348	sc.exe
2604	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
3032	Loader.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2712	explorer.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2712	explorer.exe
2528	svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	2188	loader.exe
Token: SeSecurityPrivilege	2188	loader.exe
Token: SeBackupPrivilege	2188	loader.exe
Token: SeSecurityPrivilege	2188	loader.exe
Token: SeBackupPrivilege	2432	Loader.exe
Token: SeSecurityPrivilege	2432	Loader.exe
Token: SeBackupPrivilege	2432	Loader.exe
Token: SeSecurityPrivilege	2432	Loader.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3032	Loader.exe
3032	Loader.exe
2780	icsys.icn.exe
2780	icsys.icn.exe
2712	explorer.exe
2712	explorer.exe
2980	spoolsv.exe
2980	spoolsv.exe
2528	svchost.exe
2528	svchost.exe
2620	spoolsv.exe
2620	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2188	3032	Loader.exe	28
PID 3032 wrote to memory of 2188	3032	Loader.exe	28
PID 3032 wrote to memory of 2188	3032	Loader.exe	28
PID 3032 wrote to memory of 2188	3032	Loader.exe	28
PID 3032 wrote to memory of 2780	3032	Loader.exe	29
PID 3032 wrote to memory of 2780	3032	Loader.exe	29
PID 3032 wrote to memory of 2780	3032	Loader.exe	29
PID 3032 wrote to memory of 2780	3032	Loader.exe	29
PID 2780 wrote to memory of 2712	2780	icsys.icn.exe	31
PID 2780 wrote to memory of 2712	2780	icsys.icn.exe	31
PID 2780 wrote to memory of 2712	2780	icsys.icn.exe	31
PID 2780 wrote to memory of 2712	2780	icsys.icn.exe	31
PID 2712 wrote to memory of 2980	2712	explorer.exe	32
PID 2712 wrote to memory of 2980	2712	explorer.exe	32
PID 2712 wrote to memory of 2980	2712	explorer.exe	32
PID 2712 wrote to memory of 2980	2712	explorer.exe	32
PID 2980 wrote to memory of 2528	2980	spoolsv.exe	33
PID 2980 wrote to memory of 2528	2980	spoolsv.exe	33
PID 2980 wrote to memory of 2528	2980	spoolsv.exe	33
PID 2980 wrote to memory of 2528	2980	spoolsv.exe	33
PID 2528 wrote to memory of 2620	2528	svchost.exe	34
PID 2528 wrote to memory of 2620	2528	svchost.exe	34
PID 2528 wrote to memory of 2620	2528	svchost.exe	34
PID 2528 wrote to memory of 2620	2528	svchost.exe	34
PID 2712 wrote to memory of 2564	2712	explorer.exe	35
PID 2712 wrote to memory of 2564	2712	explorer.exe	35
PID 2712 wrote to memory of 2564	2712	explorer.exe	35
PID 2712 wrote to memory of 2564	2712	explorer.exe	35
PID 2188 wrote to memory of 2480	2188	loader.exe	37
PID 2188 wrote to memory of 2480	2188	loader.exe	37
PID 2188 wrote to memory of 2480	2188	loader.exe	37
PID 2188 wrote to memory of 2476	2188	loader.exe	38
PID 2188 wrote to memory of 2476	2188	loader.exe	38
PID 2188 wrote to memory of 2476	2188	loader.exe	38
PID 2528 wrote to memory of 372	2528	svchost.exe	36
PID 2528 wrote to memory of 372	2528	svchost.exe	36
PID 2528 wrote to memory of 372	2528	svchost.exe	36
PID 2528 wrote to memory of 372	2528	svchost.exe	36
PID 2188 wrote to memory of 1956	2188	loader.exe	39
PID 2188 wrote to memory of 1956	2188	loader.exe	39
PID 2188 wrote to memory of 1956	2188	loader.exe	39
PID 2476 wrote to memory of 1720	2476	cmd.exe	43
PID 2476 wrote to memory of 1720	2476	cmd.exe	43
PID 2476 wrote to memory of 1720	2476	cmd.exe	43
PID 2480 wrote to memory of 1092	2480	cmd.exe	44
PID 2480 wrote to memory of 1092	2480	cmd.exe	44
PID 2480 wrote to memory of 1092	2480	cmd.exe	44
PID 2188 wrote to memory of 1624	2188	loader.exe	45
PID 2188 wrote to memory of 1624	2188	loader.exe	45
PID 2188 wrote to memory of 1624	2188	loader.exe	45
PID 2188 wrote to memory of 2804	2188	loader.exe	46
PID 2188 wrote to memory of 2804	2188	loader.exe	46
PID 2188 wrote to memory of 2804	2188	loader.exe	46
PID 2188 wrote to memory of 2432	2188	loader.exe	48
PID 2188 wrote to memory of 2432	2188	loader.exe	48
PID 2188 wrote to memory of 2432	2188	loader.exe	48
PID 2432 wrote to memory of 1964	2432	Loader.exe	50
PID 2432 wrote to memory of 1964	2432	Loader.exe	50
PID 2432 wrote to memory of 1964	2432	Loader.exe	50
PID 2432 wrote to memory of 1648	2432	Loader.exe	51
PID 2432 wrote to memory of 1648	2432	Loader.exe	51
PID 2432 wrote to memory of 1648	2432	Loader.exe	51
PID 2432 wrote to memory of 1924	2432	Loader.exe	52
PID 2432 wrote to memory of 1924	2432	Loader.exe	52

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- \??\c:\users\admin\appdata\local\temp\loader.exe
  c:\users\admin\appdata\local\temp\loader.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\system32\sc.exe
      sc stop iqvw64e.sys
      4⤵
      Launches sc.exe
      PID:1092
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\system32\sc.exe
      sc delete iqvw64e.sys
      4⤵
      Launches sc.exe
      PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
      4⤵
      PID:1964
    - - C:\Windows\system32\sc.exe
        
        sc stop iqvw64e.sys
        5⤵
        Launches sc.exe
        
        PID:2248
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
      4⤵
      PID:1648
    - - C:\Windows\system32\sc.exe
        
        sc delete iqvw64e.sys
        5⤵
        Launches sc.exe
        
        PID:1768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1456
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      4⤵
      PID:1380
    - - C:\Windows\system32\sc.exe
        
        sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
        5⤵
        Launches sc.exe
        
        PID:1348
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc start windowsproc
      4⤵
      PID:1764
    - - C:\Windows\system32\sc.exe
        
        sc start windowsproc
        5⤵
        Launches sc.exe
        
        PID:2604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2052
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2780
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2980
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2620
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:24 /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:372
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
16.4MB

MD5
327092a833ff1a1fe98759130a68dc82

SHA1
ac40dfdb950623e1d85dcd918510ef8cce5189a5

SHA256
44d7aa13d14a57fdb319181045f2f761564cdc2624bed125fb88f800f83b27e3

SHA512
91ec884270e07dfe26de3260ae4b3a912bac6a4eb274f913961b4d8227d48c3bdbd9a311a644bc76b0187077f845808488d7ebfaa718e6ca96d99715a22c18a3

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
33308dd5d6e4763919335c1560e0bdc6

SHA1
b55ae6ae76e82a0cb0d314c63d337d2e19bc916e

SHA256
0bb80f01eff8edd9c263c74e08272a2f0c842128aa7fb9d4699b7feafd50409e

SHA512
93f4966335b7ba217441c5abdfe6a1f205bc680d28921f473ceb11d69aebd0c9ead006e50d08b9feef12e30536c97d10981cc32c3778f461ca9af0d76c3855a5

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
7e4f991a3e97bfbcde9d938a86b332dd

SHA1
6a34bce8b30b4b03c4ee6755a46e06a39c5130a8

SHA256
23c62929ff60868db51e974e049b655aae1c6f3709e2a2284f971bc26adbc839

SHA512
5022c7cb6fa709dfe84b670e50d6e9dab3349e1ac857e02ff78608ba94c31508baf8d351c2ba11256f05e761d75265f0c71a98f7c59b1afe9af919e4c4d1288f

Download Submit
C:\Windows\System32\IME\SHARED\namef.ini

Filesize
16B

MD5
f32dea2b04dc3f7dca1ab634f22e501a

SHA1
069f843cc7f23a2a957af76feb337713893f2e7e

SHA256
b8386a42222a00e4844a222153a0e7ab20229eb7f788916a4e83d5f2997ec855

SHA512
864cc622d8c2433a6961fd9ac7713802034c0b60e4c85db7f2ad6f61aea83a0e8476d332802c5fe483564d7a5e8ebeb08a2ca98a4b2fb136484d6353ba31a4f4

Download Submit
\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
16.4MB

MD5
771eb39dd1312a63bb974018cb70d1b4

SHA1
94d751af62d417ff127ec0890179b5412b5e9e41

SHA256
98007690007fc38b33912f4113ccd7ddddbf881adfea23bf5cf53031666f2cfb

SHA512
4f9c5cefb8d9329ca7145fe15c0ab8bc445e5b9430776eaf06c51e810c14cb96a6cb679e36cf5713c3f1576e26199b72d6a8b1c819305a7d18f4c59b39e32af5

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
902bc13c7b437a5ea7814a56c7083c7e

SHA1
61ec421d2c0d10c50fb3fdd0ebe040ea1eba07e8

SHA256
a2006295e0e65e89662634bb44b688b670ed4596ab419aab6f54bb40a0340e7b

SHA512
032c3fb9f425730aa3cdbc1e9d602cc1381b6da845e5308aea44124eaccb489f7911e86c211d4248539c1e9b1145451c5c8e2ac15c051191ae4515f913f5649a

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
62905096192e73fbfef50325b65138f5

SHA1
a87cf22c181b82f6ddfe599b7692061faf60263c

SHA256
c5a4fd0c786d5c5e99c347359ac4cc2282938a18c29b239a87328def9b7df886

SHA512
4dda13ae11c153ef655aa36db9c0a429a42ea5a325157a33b69a56e0865998f0d73175dcb42dd4e14d787a99e6343f222980a163cd8dbc05627d290fcb9c2f5c

Download Submit
memory/2188-65-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2188-64-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2188-79-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2188-67-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2188-32-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2188-66-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2432-82-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2432-83-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2432-84-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2432-90-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2432-91-0x0000000140000000-0x0000000142564000-memory.dmp

Filesize
37.4MB

Download
memory/2528-58-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/2528-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2620-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2712-34-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-69-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2980-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2980-51-0x0000000000340000-0x000000000035F000-memory.dmp

Filesize
124KB

Download
memory/2980-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3032-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3032-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3032-35-0x0000000000290000-0x00000000002AF000-memory.dmp

Filesize
124KB

Download
memory/3032-20-0x0000000002D10000-0x0000000005274000-memory.dmp

Filesize
37.4MB

Download