floxif | e916d3d1bd3b910338339aeb00fc1c82a01ade79c9630e3efa9a478bbede50ab

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
Size

11.9MB
MD5

d3476fcabe9b55db4444e8f8ceb80021
SHA1

7a7ff13697e79cb389fc3bca78a002f1e19e83ab
SHA256

e916d3d1bd3b910338339aeb00fc1c82a01ade79c9630e3efa9a478bbede50ab
SHA512

b2c2db28d3e89ecdfad7c735d62eafcba3ff54034f0f636dd2fe12e60e4fc79d8769b2d13041b095401dc25d9cf4c1b168550ef11df1865f003ad907901989c3
SSDEEP

196608:KMFo0ab2MnxuUfkBfoz17N/e/AmdAPJ1KpvGkKQMfKIfBAN/CIQm3EY:FKHb2MnxumkOz17N/EA3J14+kKQMfKIu

Score

10^/10

floxif backdoor defense_evasion discovery persistence privilege_escalation trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0007000000024060-11.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000024060-11.dat	acprotect

Executes dropped EXE 16 IoCs

pid	Process
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4652	icsys.icn.exe
980	explorer.exe
2716	spoolsv.exe
4008	svchost.exe
4588	spoolsv.exe
2928	svchost.exe
3292	explorer.exe
4480	svchost.exe
3700	explorer.exe
2384	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
5016	icsys.icn.exe
4456	explorer.exe
4568	svchost.exe
4628	svchost.exe
3268	explorer.exe

Loads dropped DLL 20 IoCs

pid	Process
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4652	icsys.icn.exe
980	explorer.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
2716	spoolsv.exe
4008	svchost.exe
4588	spoolsv.exe
2928	svchost.exe
3292	explorer.exe
4480	svchost.exe
3700	explorer.exe
2384	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
2384	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
2384	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
5016	icsys.icn.exe
4456	explorer.exe
4568	svchost.exe
3268	explorer.exe
4628	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/752-14-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x0007000000024060-11.dat	upx
behavioral1/memory/4652-28-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/980-40-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/752-55-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2716-58-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4008-68-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4652-73-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4588-78-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4588-81-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2716-84-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/980-86-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2928-88-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3292-94-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2928-97-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3700-112-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4480-116-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4008-111-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3292-110-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-123-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4480-104-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3700-130-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2384-137-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/5016-139-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/5016-144-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/752-146-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4652-150-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/980-152-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4008-153-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4456-167-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4568-174-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4568-180-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4456-183-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3268-200-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4628-205-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4628-211-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3268-214-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
980	explorer.exe
4008	svchost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
Token: SeDebugPrivilege	4652	icsys.icn.exe
Token: SeDebugPrivilege	980	explorer.exe
Token: SeDebugPrivilege	2716	spoolsv.exe
Token: SeDebugPrivilege	4008	svchost.exe
Token: SeDebugPrivilege	2928	svchost.exe
Token: SeDebugPrivilege	3292	explorer.exe
Token: SeDebugPrivilege	4480	svchost.exe
Token: SeDebugPrivilege	3700	explorer.exe
Token: SeDebugPrivilege	2384	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
Token: SeDebugPrivilege	5016	icsys.icn.exe
Token: SeDebugPrivilege	4456	explorer.exe
Token: SeDebugPrivilege	4568	svchost.exe
Token: SeDebugPrivilege	3268	explorer.exe
Token: SeDebugPrivilege	4628	svchost.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
4652	icsys.icn.exe
4652	icsys.icn.exe
980	explorer.exe
980	explorer.exe
2716	spoolsv.exe
2716	spoolsv.exe
4008	svchost.exe
4008	svchost.exe
4588	spoolsv.exe
4588	spoolsv.exe
2928	svchost.exe
2928	svchost.exe
3292	explorer.exe
3292	explorer.exe
4480	svchost.exe
4480	svchost.exe
3700	explorer.exe
3700	explorer.exe
2384	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
2384	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
5016	icsys.icn.exe
5016	icsys.icn.exe
4456	explorer.exe
4568	svchost.exe
4456	explorer.exe
4568	svchost.exe
4628	svchost.exe
3268	explorer.exe
4628	svchost.exe
3268	explorer.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 752	4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	88
PID 4344 wrote to memory of 752	4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	88
PID 4344 wrote to memory of 752	4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	88
PID 4344 wrote to memory of 4652	4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	90
PID 4344 wrote to memory of 4652	4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	90
PID 4344 wrote to memory of 4652	4344	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	90
PID 4652 wrote to memory of 980	4652	icsys.icn.exe	92
PID 4652 wrote to memory of 980	4652	icsys.icn.exe	92
PID 4652 wrote to memory of 980	4652	icsys.icn.exe	92
PID 980 wrote to memory of 2716	980	explorer.exe	93
PID 980 wrote to memory of 2716	980	explorer.exe	93
PID 980 wrote to memory of 2716	980	explorer.exe	93
PID 2716 wrote to memory of 4008	2716	spoolsv.exe	94
PID 2716 wrote to memory of 4008	2716	spoolsv.exe	94
PID 2716 wrote to memory of 4008	2716	spoolsv.exe	94
PID 4008 wrote to memory of 4588	4008	svchost.exe	95
PID 4008 wrote to memory of 4588	4008	svchost.exe	95
PID 4008 wrote to memory of 4588	4008	svchost.exe	95
PID 2672 wrote to memory of 2928	2672	cmd.exe	104
PID 2672 wrote to memory of 2928	2672	cmd.exe	104
PID 2672 wrote to memory of 2928	2672	cmd.exe	104
PID 2492 wrote to memory of 3292	2492	cmd.exe	105
PID 2492 wrote to memory of 3292	2492	cmd.exe	105
PID 2492 wrote to memory of 3292	2492	cmd.exe	105
PID 1344 wrote to memory of 4480	1344	cmd.exe	106
PID 1344 wrote to memory of 4480	1344	cmd.exe	106
PID 1344 wrote to memory of 4480	1344	cmd.exe	106
PID 820 wrote to memory of 3700	820	cmd.exe	107
PID 820 wrote to memory of 3700	820	cmd.exe	107
PID 820 wrote to memory of 3700	820	cmd.exe	107
PID 752 wrote to memory of 2384	752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	108
PID 752 wrote to memory of 2384	752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	108
PID 752 wrote to memory of 2384	752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	108
PID 752 wrote to memory of 5016	752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	109
PID 752 wrote to memory of 5016	752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	109
PID 752 wrote to memory of 5016	752	2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe	109
PID 2736 wrote to memory of 4456	2736	cmd.exe	133
PID 2736 wrote to memory of 4456	2736	cmd.exe	133
PID 2736 wrote to memory of 4456	2736	cmd.exe	133
PID 2072 wrote to memory of 4568	2072	cmd.exe	134
PID 2072 wrote to memory of 4568	2072	cmd.exe	134
PID 2072 wrote to memory of 4568	2072	cmd.exe	134
PID 464 wrote to memory of 3268	464	cmd.exe	140
PID 464 wrote to memory of 3268	464	cmd.exe	140
PID 464 wrote to memory of 3268	464	cmd.exe	140
PID 1336 wrote to memory of 4628	1336	cmd.exe	141
PID 1336 wrote to memory of 4628	1336	cmd.exe	141
PID 1336 wrote to memory of 4628	1336	cmd.exe	141

C:\Users\Admin\AppData\Local\Temp\2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4344
- \??\c:\users\admin\appdata\local\temp\2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
  c:\users\admin\appdata\local\temp\2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:752
- - \??\c:\users\admin\appdata\local\temp\2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
    c:\users\admin\appdata\local\temp\2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2384
- - C:\Windows\Resources\Themes\icsys.icn.exe
    C:\Windows\Resources\Themes\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5016
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4652
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:980
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2716
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4008
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:2492
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:820
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:1344
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:464
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:1336
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe.tmp

Filesize
11.9MB

MD5
096c794ee3a5bc0f0ae68e85ec3ea500

SHA1
c9c8193d7636d162740421b5c71d7353f86daec8

SHA256
c4f585fc7558866c0fb11f61c90ecd6e7c255de982d168c26af0097141557b76

SHA512
87560f8b7613def6c8937bcb78c9181e60404e5108deb5f6f31fcbd8c9cba98941e336e9a9611941cdb8796c6390049d954214ea4e4be5bd6a6763678fce42c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-04-03_d3476fcabe9b55db4444e8f8ceb80021_amadey_floxif_hijackloader_ngrbot_remcos_rhadamanthys_smoke-loader_swisyn.exe

Filesize
11.7MB

MD5
16e8b3a160189379958789c3ce35c87c

SHA1
58a8ef82975ca5224b532d41ea460aaa5b885ac3

SHA256
c1f166810d20b2ffe4e4ebe25b15fef7899eb9faeb4e6207cd05160ec3bc3387

SHA512
e046b8752b9695a0a58d027b2123a548f270288ee130edcb1cd340e5147a9337b442a06af76771a409943fe17fb23cb75c5d10fb75a43a23f660f22181c67c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\4FD513E42F0.tmp

Filesize
11.7MB

MD5
7bb265306f7b4480a365d1ebffb511b6

SHA1
13f765613ccfac3d1dbd06f727ab52d55d65054f

SHA256
c0ddf2e5b00791548ec13c9d114c31219e8c6f30d7f8a69b061def21034fa440

SHA512
15627c895bddbc6d2c9cf27bb170b69f8a01755cbe35d595dc38ccef997791dc9ebfa208f4ecc37914809573e2079c4f4ea1ef02e763a5d32d59d48595b4bcb7

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
7a5aa1e5181bcecb87da6dbda6cae5d8

SHA1
4203f59bdfc11c16b00fabfab2d3711bdba8e711

SHA256
60ce0d21439c50487ac7b020294a936fe84cf250d328c53924c3ff2fc102a9a6

SHA512
6d518854ca5fe6d1bf895b71d2deb590e6cdfdc1b21a48d49b9af3feb57b802a6d1530a6237fba1b140ccc670275ee093e87214c6a442e6daa29c043fc5f857d

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
bf053d895f63a127981fe605dfbf44f6

SHA1
fc3a50b5db02765cc0dac0a50a13f28c794bf85c

SHA256
71804ec89a4bc7fefbe199e0de6dadb087fe0f466745d219c4f6e6e95d9d5660

SHA512
f4685d2c4c80608d67ce3f66b5fda1d9351297b2b1b800af6dadd7986d72c1b21427e47576d12fe69aef122ee9b077c5e9ee75bc1b15c0774d0080ba67c3d345

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
ea4af861d2b431ac896e264575f844a4

SHA1
902450a46705fa3e7a6d45d780212703cf13593b

SHA256
324540988cdce6455b57b0387939be97fc49176f324cb8d74e8c8bcf0c17b0c2

SHA512
0ec9e5a0d3307c7997cb99116c5b09283d04c22bef7af98b71d31f7121420c5cd903f970cc1cce325127961329783ceb62c64f5b61dbdd38dac88ac5c8c6e58c

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
73b597a4e2e01ce0d19cd353312549df

SHA1
d49b4588786c5b52dadfe6d5afd7901f41f72009

SHA256
0cf374a43e2a2cb8193ee6d8ff546bdcc519eb723a2bbcc941047453516ab5b5

SHA512
3bfc50e2611e1f9562c04aaef5c9b1f1714998cc328664dbb9f3a3d7e51b87ce680c70b4790aa8f16717baf3470d8972c754e08aa79cb06e63a9f46311b1b584

Download Submit
memory/752-19-0x000000000040E000-0x0000000000411000-memory.dmp

Filesize
12KB

Download
memory/752-146-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/752-147-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/752-14-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/752-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/752-47-0x00000000038E0000-0x00000000038FF000-memory.dmp

Filesize
124KB

Download
memory/752-46-0x00000000038E0000-0x00000000038FF000-memory.dmp

Filesize
124KB

Download
memory/752-55-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/980-38-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/980-86-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/980-152-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/980-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/980-40-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2384-137-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-127-0x0000000002130000-0x0000000002160000-memory.dmp

Filesize
192KB

Download
memory/2384-123-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2384-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2384-126-0x0000000002130000-0x0000000002160000-memory.dmp

Filesize
192KB

Download
memory/2716-58-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2716-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2716-84-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2928-88-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2928-97-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2928-96-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3268-214-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3268-200-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3268-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3292-110-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3292-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3292-94-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3700-130-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3700-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3700-112-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4008-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4008-111-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4008-153-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4008-68-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4344-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4344-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-183-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4456-167-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4480-116-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4480-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4480-104-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4568-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4568-174-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4568-180-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4588-81-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4588-78-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4588-80-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-205-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4628-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-211-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4652-149-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4652-150-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4652-73-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4652-28-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5016-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5016-144-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5016-139-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download