Overview

overview

10

Static

static

10

1214e5f9de...98.exe

windows7-x64

6

1214e5f9de...98.exe

windows10-2004-x64

7

236020bb91...f6.exe

windows7-x64

10

236020bb91...f6.exe

windows10-2004-x64

10

25dc70a3de...60.exe

windows7-x64

10

25dc70a3de...60.exe

windows10-2004-x64

10

54de718b63...d9.exe

windows7-x64

1

54de718b63...d9.exe

windows10-2004-x64

3

7ae9504811...a4.exe

windows7-x64

10

7ae9504811...a4.exe

windows10-2004-x64

10

9c2554e79b...a0.exe

windows7-x64

10

9c2554e79b...a0.exe

windows10-2004-x64

10

a568f22004...3b.exe

windows7-x64

10

a568f22004...3b.exe

windows10-2004-x64

8

aefd0c7794...37.exe

windows7-x64

10

aefd0c7794...37.exe

windows10-2004-x64

10

d68b4d6cec...27.exe

windows7-x64

10

d68b4d6cec...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2024, 02:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe

  • Size

    206KB

  • MD5

    70c771952bc897446d3ddad90541a1e6

  • SHA1

    b00b50a893e4552651c4a5c38cf4bb9aed7a101e

  • SHA256

    aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

  • SHA512

    33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

  • SSDEEP

    3072:UVqoCl/YgjxEufVU0TbTyDDalW49D9fMiSE9CCHGOn54yWgW9tFwyMJjVQbE/FGl:UsLqdufVUNDapD9fMs9u7

Score
10/10
discoveryevasionexecutionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
    "C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4596
    • \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 
      c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1908
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4984
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4592
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2208
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3652
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4152
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2760
      • C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1704
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3828
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2416
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2924
      • C:\Users\Admin\AppData\Local\Temp\Services32.exe
        "C:\Users\Admin\AppData\Local\Temp\Services32.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3096
        • \??\c:\users\admin\appdata\local\temp\services32.exe 
          c:\users\admin\appdata\local\temp\services32.exe 
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:432
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5056
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1044
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5008
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4748
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3812
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
            5⤵
              PID:2284
              • C:\Windows\system32\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
                6⤵
                • Scheduled Task/Job: Scheduled Task
                PID:3588
          • C:\Windows\Resources\Themes\icsys.icn.exe
            C:\Windows\Resources\Themes\icsys.icn.exe
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3848
            • \??\c:\windows\resources\themes\explorer.exe
              c:\windows\resources\themes\explorer.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4064
      • C:\Windows\Resources\Themes\icsys.icn.exe
        C:\Windows\Resources\Themes\icsys.icn.exe
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2492
        • \??\c:\windows\resources\themes\explorer.exe
          c:\windows\resources\themes\explorer.exe
          3⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:384
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe SE
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4524
            • \??\c:\windows\resources\svchost.exe
              c:\windows\resources\svchost.exe
              5⤵
              • Modifies visiblity of hidden/system files in Explorer
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3468
              • \??\c:\windows\resources\spoolsv.exe
                c:\windows\resources\spoolsv.exe PR
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:5100

    Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Scheduled Task/Job

          1
          T1053

          Scheduled Task

          1
          T1053.005

          Defense Evasion

          Hide Artifacts

          1
          T1564

          Hidden Files and Directories

          1
          T1564.001

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            e3161f4edbc9b963debe22e29658050b

            SHA1

            45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

            SHA256

            1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

            SHA512

            006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            9c740b7699e2363ac4ecdf496520ca35

            SHA1

            aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

            SHA256

            be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

            SHA512

            8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            98baf5117c4fcec1692067d200c58ab3

            SHA1

            5b33a57b72141e7508b615e17fb621612cb8e390

            SHA256

            30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

            SHA512

            344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            eb1ad317bd25b55b2bbdce8a28a74a94

            SHA1

            98a3978be4d10d62e7411946474579ee5bdc5ea6

            SHA256

            9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

            SHA512

            d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            6e09573715495338a569f0316d59af57

            SHA1

            1a9fd3073801c241b276cdb8b3d7035afbcd0c8d

            SHA256

            bdad2d4c1b3475754cb3b9ef41a9eda243f46e30117539f81399c977a459b570

            SHA512

            61add4e0cfef5f138e95f0d941c39c0bce038a47fbc262d5622a0fdf46621231653adfcca3b81bef3a662a37c288e1e9644bed44591551aea5399a370afaeced

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            cadef9abd087803c630df65264a6c81c

            SHA1

            babbf3636c347c8727c35f3eef2ee643dbcc4bd2

            SHA256

            cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

            SHA512

            7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            e60eb305a7b2d9907488068b7065abd3

            SHA1

            1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

            SHA256

            ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

            SHA512

            95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            6f3b96b24f06e2d37a46e43e8b784f56

            SHA1

            7be6702c5867f359e913eeeecdd5b76698589295

            SHA256

            8e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720

            SHA512

            d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Services32.exe
            Filesize

            206KB

            MD5

            70c771952bc897446d3ddad90541a1e6

            SHA1

            b00b50a893e4552651c4a5c38cf4bb9aed7a101e

            SHA256

            aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

            SHA512

            33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ywg5otfm.skp.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 
            Filesize

            71KB

            MD5

            5552f88a40afa2e2fef5acbd590ac812

            SHA1

            5afef5451811830c1ec3108cd7ee66a0418a6186

            SHA256

            9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

            SHA512

            6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
            Filesize

            11KB

            MD5

            d1f4a92a1672d7d22a90e2567523d03e

            SHA1

            a1683621e2103e1df1ce22def923e4ef62ddcd11

            SHA256

            48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b

            SHA512

            2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

            Download Submit

          • C:\Windows\Resources\Themes\explorer.exe
            Filesize

            135KB

            MD5

            24e684c621f2354b6287b11405f3c3c2

            SHA1

            3f52e2241b1730c3acbe8db13c1869573ef8f218

            SHA256

            eb7e1e151297219d27245794d6a3faaa24ebd32279cb8a284065466dc5d2e262

            SHA512

            836ad7da5203d419d81456e827d8e681cdff0cb321168741f5ab086b68ca4329e7164c9a4135e301f90c4ef8e9273a70d912c6c208e92a981deadc963e8e3aec

            Download Submit

          • C:\Windows\Resources\Themes\icsys.icn.exe
            Filesize

            135KB

            MD5

            f2667d617c1c5156004ea365bc759c1c

            SHA1

            10592eb1cd290802867f1fa13470717fa5643f59

            SHA256

            e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

            SHA512

            1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

            Download Submit

          • C:\Windows\Resources\spoolsv.exe
            Filesize

            135KB

            MD5

            7dd78064814c92d4f8e17ab0935cc6cf

            SHA1

            13734c3be6c167ce02dda7e01988a0b876ab0e2c

            SHA256

            89df528d75d03349735632797e97721723fa2df9143b7a74e7e4dfdf906040cf

            SHA512

            cc7cc8a2e7a2ebf08c749847d0f991d2b769fb4d108b3c4ba09b2cb71a2b0b705d768aee0cdaa21728c0df5aaaac7a918aebb09a59d66e764e5e30a7be0f3d13

            Download Submit

          • C:\Windows\Resources\svchost.exe
            Filesize

            135KB

            MD5

            ca676929f34234927d97507477e720af

            SHA1

            879a057586e823be95b87163d752708fded0ed03

            SHA256

            10ea3722c62132914e953007aff7befe599820b7c1c7ed4bc9a197d8ad407e58

            SHA512

            aaefc470bf63b3a6028a23a58bca3d386be564e1c80abb63baecb1d6341d69819fbad33ebd49619da42ed91424729409962e267373cfca95f5c7c505c82ec84b

            Download Submit

          • memory/384-235-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/1704-233-0x0000000000970000-0x0000000000976000-memory.dmp

            Filesize

            24KB

            Download

          • memory/1704-120-0x00000000000E0000-0x00000000000E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2492-98-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3096-124-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3096-232-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3468-236-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3848-231-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3952-61-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3952-100-0x0000000000D40000-0x0000000000D4C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3952-9-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3952-10-0x0000000000380000-0x0000000000396000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4064-230-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/4524-97-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/4596-0-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/4596-99-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download

          • memory/4984-23-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4984-17-0x0000023D201C0000-0x0000023D201E2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4984-21-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4984-22-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4984-26-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/5100-96-0x0000000000400000-0x000000000041F000-memory.dmp

            Filesize

            124KB

            Download