xred | cbdbf7b8d3a975561d669c99d48f00f4b72aa96220663be3e1001633d175058a

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1999X UPDATED 20 SEPTEMBER.exe
Size

8.8MB
MD5

8b712c53db526f81706a3f314911eefa
SHA1

5c1e92d76a546a71836bae1455b7f56561274654
SHA256

cbdbf7b8d3a975561d669c99d48f00f4b72aa96220663be3e1001633d175058a
SHA512

10020e4ae6330ccd8242f5a997ece7edbd39e0e42d8f9e89bff1c75c49d2c8bcff66975950762156f6f473d20bff2ed94bafcd1ed7f14641d100f1ce8dcd0d69
SSDEEP

196608:iLhT7iP/BPp7F5Egmo4f7GVdF2VOm5DXRMLor9DR4OL7ectBS9/pU/b:ixmvR5ELx0JeDXRMMrZeOL7eIBS9/pIb

Score

10^/10

xred backdoor discovery evasion persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	1999x updated 20 september.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 11 IoCs

pid	Process
4468	1999x updated 20 september.exe
4344	icsys.icn.exe
4028	explorer.exe
1300	spoolsv.exe
4092	svchost.exe
4132	spoolsv.exe
812	Synaptics.exe
2372	._cache_Synaptics.exe
2816	._cache_synaptics.exe
3252	icsys.icn.exe
1676	explorer.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	1999x updated 20 september.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	1999X UPDATED 20 SEPTEMBER.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1999X UPDATED 20 SEPTEMBER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1999x updated 20 september.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1999x updated 20 september.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
372	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4344	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4028	explorer.exe
4092	svchost.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
5056	1999X UPDATED 20 SEPTEMBER.exe
5056	1999X UPDATED 20 SEPTEMBER.exe
4344	icsys.icn.exe
4344	icsys.icn.exe
4028	explorer.exe
4028	explorer.exe
1300	spoolsv.exe
1300	spoolsv.exe
4092	svchost.exe
4092	svchost.exe
4132	spoolsv.exe
4132	spoolsv.exe
2372	._cache_Synaptics.exe
2372	._cache_Synaptics.exe
372	EXCEL.EXE
372	EXCEL.EXE
3252	icsys.icn.exe
3252	icsys.icn.exe
1676	explorer.exe
372	EXCEL.EXE
1676	explorer.exe
372	EXCEL.EXE
372	EXCEL.EXE
372	EXCEL.EXE
372	EXCEL.EXE
372	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4468	5056	1999X UPDATED 20 SEPTEMBER.exe	85
PID 5056 wrote to memory of 4468	5056	1999X UPDATED 20 SEPTEMBER.exe	85
PID 5056 wrote to memory of 4468	5056	1999X UPDATED 20 SEPTEMBER.exe	85
PID 5056 wrote to memory of 4344	5056	1999X UPDATED 20 SEPTEMBER.exe	87
PID 5056 wrote to memory of 4344	5056	1999X UPDATED 20 SEPTEMBER.exe	87
PID 5056 wrote to memory of 4344	5056	1999X UPDATED 20 SEPTEMBER.exe	87
PID 4344 wrote to memory of 4028	4344	icsys.icn.exe	88
PID 4344 wrote to memory of 4028	4344	icsys.icn.exe	88
PID 4344 wrote to memory of 4028	4344	icsys.icn.exe	88
PID 4028 wrote to memory of 1300	4028	explorer.exe	89
PID 4028 wrote to memory of 1300	4028	explorer.exe	89
PID 4028 wrote to memory of 1300	4028	explorer.exe	89
PID 1300 wrote to memory of 4092	1300	spoolsv.exe	90
PID 1300 wrote to memory of 4092	1300	spoolsv.exe	90
PID 1300 wrote to memory of 4092	1300	spoolsv.exe	90
PID 4092 wrote to memory of 4132	4092	svchost.exe	91
PID 4092 wrote to memory of 4132	4092	svchost.exe	91
PID 4092 wrote to memory of 4132	4092	svchost.exe	91
PID 4468 wrote to memory of 812	4468	1999x updated 20 september.exe	92
PID 4468 wrote to memory of 812	4468	1999x updated 20 september.exe	92
PID 4468 wrote to memory of 812	4468	1999x updated 20 september.exe	92
PID 812 wrote to memory of 2372	812	Synaptics.exe	95
PID 812 wrote to memory of 2372	812	Synaptics.exe	95
PID 812 wrote to memory of 2372	812	Synaptics.exe	95
PID 2372 wrote to memory of 2816	2372	._cache_Synaptics.exe	99
PID 2372 wrote to memory of 2816	2372	._cache_Synaptics.exe	99
PID 2372 wrote to memory of 3252	2372	._cache_Synaptics.exe	100
PID 2372 wrote to memory of 3252	2372	._cache_Synaptics.exe	100
PID 2372 wrote to memory of 3252	2372	._cache_Synaptics.exe	100
PID 3252 wrote to memory of 1676	3252	icsys.icn.exe	101
PID 3252 wrote to memory of 1676	3252	icsys.icn.exe	101
PID 3252 wrote to memory of 1676	3252	icsys.icn.exe	101

C:\Users\Admin\AppData\Local\Temp\1999X UPDATED 20 SEPTEMBER.exe
"C:\Users\Admin\AppData\Local\Temp\1999X UPDATED 20 SEPTEMBER.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056
- \??\c:\users\admin\appdata\local\temp\1999x updated 20 september.exe
  "c:\users\admin\appdata\local\temp\1999x updated 20 september.exe "
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2372
    - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
        
        c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
        5⤵
        Executes dropped EXE
        
        PID:2816
    - - C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3252
      - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1676
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4344
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1300
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4092
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4132

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
8.0MB

MD5
d5eeed5294dfeb93be92dd144d7f2933

SHA1
35a7cac1b47d63fb6f1b33edd54ebba26df1952f

SHA256
002f2527578321676701c1c6a869fae4ecdb238cf05138979bae79efbfdce6f7

SHA512
31b06c451c959c299bc81b50247b64c8201b6d8e28fe80403199c7d7d17a6ce7a2ad25a89618871f67cc509fc9962acd2e05cb009bfcf9b0fa73d28557ac9c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1999x updated 20 september.exe

Filesize
8.7MB

MD5
c340d6073313ffcbbc065b665582e740

SHA1
602dbad5d1f19d8b849cd93c644d91501a72264d

SHA256
65eb21fcc39901e51073fbfde1d88cb65833747b8fd191410007e2bb1627620b

SHA512
fc97f335dd5d2f325db68d5f2ab9378b5e4f60fd934b2676cdad677eff5b056785eba1223a98e5bd048cb6f9798ff39fecb021fb21e34588b024616a8877d12b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9D75E00

Filesize
20KB

MD5
bf6641de1ec35be6a0c95405b9a56ec4

SHA1
df78a90567d5dc83189e54e5b250384c53d309d4

SHA256
6c4bec71bcea86c9f7ea144ea3782d0c1d9ab81cbadbb3ce13a9e9d97999cd74

SHA512
055474e9b928f9919ff81a29d558294a69b3fbaff6eeec9fea87f9e807c6bdd02c52f4ebb8cc943eb09934a0d4a6ece09c6b25525de9dc315d82632703b188da

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe2dCVWM.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
0d6d0a12c20ffefc6437aa84bfd6b31a

SHA1
cf1e278ec415697aa516f1bc75958984e949f2bc

SHA256
f07710f0cfc6a8244e27c0d9361cc684bd06f7d4993eec2d47d07cd80babde89

SHA512
76882e59812b9b362854b03e79d314b897f75de78c35ee439734faf60b1f621656076bf95793b0c75e0c2177ee091cd4bbcb3bcb43c15a77c8127f93f79c9156

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
fb48b82239d91a3962551a19fb6d3864

SHA1
c927206df59c002da404858ec13498307ab5b27e

SHA256
c2b252077a7cda01ed6ecba0b1234224791f4a7ac03a489daf769550a9bf3e7d

SHA512
00232230ef5a654d6429b67bbee5d4f28f8457295ae74f24224af0b805b264355abbaba147861d8a07a94c25f5cbd50605d079c6ea9deadd6599263f1e929b95

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
6ce9a35f26ebe6ab2459bd15d1539a11

SHA1
a4087ff45b1112668cb5d3622ae664ad3e2a1894

SHA256
e9c22145f23d4af670605a63340f2fcb7aad17a3208ad8ccd89da40b990499a0

SHA512
8ed877b443100f65d186d1b0c699f73a6416fb3a17563250b737a79ea09193c60942bfa03f0015b63f0cb1d00a996c7c155787e5ae86f4a52d43da1edf0fc008

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
d889bac4743405ec0f827b4124365948

SHA1
77f36860947d228d7d818d1c8f9a419ee6aed57c

SHA256
74654e23d68d21d96fb571a29607b421ecb8f914313c13bbed4f2f0927bbcfe8

SHA512
29962ca385661895b28d61c3a2746a504eca262bdbaccff7c450191901ab306c45f0a69a67f6ea266013c337871a3da0b9e7202405ea264755ed666efcc6e5b9

Download Submit
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe

Filesize
7.8MB

MD5
2e5d7f2c2ad4570bccb74014aadc4fbb

SHA1
e574ae9e92a77205fc3bf54ccf49888b393e640c

SHA256
634318fc02c5f4190c51f3557af1a27215ae4f29fd15debf109570ed9978994c

SHA512
1f5fda7d4bff56709d5fdba799b7bc8983b0bd28678b74c1a85b7ca18b5407d6218894e7c037df7ec588a2bfcd0615d4dc9551a4d275006e15949d6b7b0c22fb

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
db067615d2c0a58e79088c6c757f835c

SHA1
68018466e5983f84b8ac7aa577b5941eaacb9ab2

SHA256
657d77f2f70211620348f10fb0d9693411ef3a0d98ed47f68d7f8b5735a3e9f4

SHA512
23547563a603767a1f6c8cf792a140978f1265fcd64f35ca7bc6be3cad8ec71045d3f7c6d8540b4fcace6246019fa25ce9f47c847f76b910b0b67d82d832f565

Download Submit
memory/372-190-0x00007FFF66910000-0x00007FFF66920000-memory.dmp

Filesize
64KB

Download
memory/372-188-0x00007FFF69270000-0x00007FFF69280000-memory.dmp

Filesize
64KB

Download
memory/372-189-0x00007FFF66910000-0x00007FFF66920000-memory.dmp

Filesize
64KB

Download
memory/372-184-0x00007FFF69270000-0x00007FFF69280000-memory.dmp

Filesize
64KB

Download
memory/372-186-0x00007FFF69270000-0x00007FFF69280000-memory.dmp

Filesize
64KB

Download
memory/372-185-0x00007FFF69270000-0x00007FFF69280000-memory.dmp

Filesize
64KB

Download
memory/372-187-0x00007FFF69270000-0x00007FFF69280000-memory.dmp

Filesize
64KB

Download
memory/812-254-0x0000000000400000-0x0000000000CB8000-memory.dmp

Filesize
8.7MB

Download
memory/812-285-0x0000000000400000-0x0000000000CB8000-memory.dmp

Filesize
8.7MB

Download
memory/1300-33-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1300-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2372-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2372-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3252-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4028-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4092-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4132-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4344-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4468-118-0x0000000000400000-0x0000000000CB8000-memory.dmp

Filesize
8.7MB

Download
memory/4468-9-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/5056-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5056-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download