3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
Size

767KB
MD5

27cd44d454364f2d822eaace466fed38
SHA1

3019af2f3dd3d2de1c101be8d92c27fd25c40e5b
SHA256

3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d
SHA512

2ff8c1e56e3dc0f2e576af34b0ebb1041563b5f12d19a38c112f107090d6051deed5d35f42189858cae4d5140cf062e99c9ce3defc0997a9ff71afff140446d2
SSDEEP

12288:uFUNDat1JSgyPzsB7kmIFZUUvHqnuFT+wUV5/ZhReTr6dARuYKpQZ8gZ5NOij:uFOa/0BG9gGUvH+uwwsqtOij

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe

Executes dropped EXE 7 IoCs

pid	Process
836	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
1956	icsys.icn.exe
1828	explorer.exe
1344	spoolsv.exe
4212	svchost.exe
3896	Activator.exe
5084	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Activator.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Activator.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Activator.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	Activator.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Activator.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Activator.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1956	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4212	svchost.exe
1828	explorer.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
1956	icsys.icn.exe
1956	icsys.icn.exe
1828	explorer.exe
1828	explorer.exe
1344	spoolsv.exe
1344	spoolsv.exe
4212	svchost.exe
4212	svchost.exe
5084	spoolsv.exe
5084	spoolsv.exe
3896	Activator.exe
3896	Activator.exe
3896	Activator.exe
3896	Activator.exe
3896	Activator.exe
3896	Activator.exe
3896	Activator.exe
3896	Activator.exe
3896	Activator.exe
3896	Activator.exe
3896	Activator.exe
3896	Activator.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 836	628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	84
PID 628 wrote to memory of 836	628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	84
PID 628 wrote to memory of 836	628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	84
PID 628 wrote to memory of 1956	628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	85
PID 628 wrote to memory of 1956	628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	85
PID 628 wrote to memory of 1956	628	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	85
PID 1956 wrote to memory of 1828	1956	icsys.icn.exe	86
PID 1956 wrote to memory of 1828	1956	icsys.icn.exe	86
PID 1956 wrote to memory of 1828	1956	icsys.icn.exe	86
PID 1828 wrote to memory of 1344	1828	explorer.exe	87
PID 1828 wrote to memory of 1344	1828	explorer.exe	87
PID 1828 wrote to memory of 1344	1828	explorer.exe	87
PID 836 wrote to memory of 3896	836	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	88
PID 836 wrote to memory of 3896	836	3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe	88
PID 1344 wrote to memory of 4212	1344	spoolsv.exe	90
PID 1344 wrote to memory of 4212	1344	spoolsv.exe	90
PID 1344 wrote to memory of 4212	1344	spoolsv.exe	90
PID 4212 wrote to memory of 5084	4212	svchost.exe	91
PID 4212 wrote to memory of 5084	4212	svchost.exe	91
PID 4212 wrote to memory of 5084	4212	svchost.exe	91

C:\Users\Admin\AppData\Local\Temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
"C:\Users\Admin\AppData\Local\Temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628
- \??\c:\users\admin\appdata\local\temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
  c:\users\admin\appdata\local\temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Users\Admin\AppData\Local\Temp\ckz_NDRP\Activator.exe
    "C:\Users\Admin\AppData\Local\Temp\ckz_NDRP\Activator.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:3896
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1956
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1344
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3a9837b6435b62d0caeac4c051bfd5f640fc8cfefb0d6090743b6290f4b3648d.exe

Filesize
646KB

MD5
5dcf8b61cb54552f12ef76a8e9051049

SHA1
c4ad616c976e77d3ab7debc86983442d30fca158

SHA256
be77b0bcd4a4ca799b9dd768e931a747be97f9770edc87b5dd6bd5c0558a5af5

SHA512
4555a0a937f7f40fdc03a9d0ed680065ef10849d87ec64d4b2fc5061ff8d7745031502e702fc5a396090658a925f7e13ff775cf7c337ec61b2a635cf4c523f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckz_NDRP\Activator.exe

Filesize
262KB

MD5
4b54c2c5ac3d82da68c2acf328dd1d24

SHA1
632ffbdf3a0257b83b009508c69a5ee4fe4b9781

SHA256
e35748b6ecd496f4c2aa26db894e1e7b61fbe44501aa2ee5d44103f87bf68420

SHA512
2ffc781347c468b11b18c91fcd49b48998f589bbb0add0939b448ba1dd5010fa24b299218dd09f5f00ae68a29782c9cbefa17a543453c8bf3272b233021e9e37

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
130KB

MD5
a88529705c2f6a371c8372ee612464a1

SHA1
36259fa5cc1bdd23af409bb88845542d7536582e

SHA256
a5ca198d2cd5e6b7bbd37d1fd2453ffa609019afba654ff8ca29b0751ee2ba63

SHA512
aff932852c95eb269e92f36545add30135802266bc76867e8f4be5d57649707f276e95bc6ce6352d8d168f1db45027d2d6d41c0bbf1471009cd39f026adc0a3b

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
121KB

MD5
c8481b583be0bdd69350f9e5a22eb22a

SHA1
47295aedb88e000cfb3048be15b7194fb69c8bfd

SHA256
6a502ed8a7760463483209d536ab740d0beff9b6c3c57dc0a62cb7be4ab8eaf9

SHA512
8bfcf2f8c01f12fed0f4848f05ae8cf71b68520fd5afe34c0626866f6b28c0c56069be0fb616df84b614ca48082e2cc58871933b64163da355479ec942ab7dfe

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
130KB

MD5
faa0080c99c5d321bd3320653ac62ebc

SHA1
5c190bd720806dca3196a6399e605b6908895394

SHA256
58eb9114c41bed6d31c0d0598ab38e3aea908183a4e49cfc812b55b98a7a72fb

SHA512
df537b717a715326dbe51267acd32a9a31c5bcc3dbe18808e5457ff27c1a4317e6832effe83f7121b1423c3f8fee51e525a60a5024b5a16dccf60d61e9d721c8

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
130KB

MD5
613552a2171b3facd3191eba470381b8

SHA1
4eff1dcf67345f2fdc1df905cc5fcf9e4e68a49d

SHA256
b884cd031b577e180166c2b784e1951831803d5f19e82f8fce79af57c4d6fcaa

SHA512
0a6f4fb324675c6997da703357526dc006e4b9c0e921bb54ab57086346b698e8ae372a146750c285c405f850beba53709eefccd39460e871379d8abbe74fb039

Download Submit
memory/628-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3896-60-0x0000000000C20000-0x0000000000C44000-memory.dmp

Filesize
144KB

Download
memory/3896-59-0x0000000000540000-0x0000000000588000-memory.dmp

Filesize
288KB

Download
memory/3896-61-0x000000001B6D0000-0x000000001B879000-memory.dmp

Filesize
1.7MB

Download
memory/3896-62-0x000000001B6D0000-0x000000001B879000-memory.dmp

Filesize
1.7MB

Download
memory/3896-63-0x000000001B6D0000-0x000000001B879000-memory.dmp

Filesize
1.7MB

Download
memory/3896-64-0x000000001B6D0000-0x000000001B879000-memory.dmp

Filesize
1.7MB

Download
memory/3896-65-0x000000001B6D0000-0x000000001B879000-memory.dmp

Filesize
1.7MB

Download
memory/3896-67-0x000000001B6D0000-0x000000001B879000-memory.dmp

Filesize
1.7MB

Download
memory/3896-68-0x000000001B6D0000-0x000000001B879000-memory.dmp

Filesize
1.7MB

Download