3d21e8820a9412170545454822ff722db99437c2cd001d6f7799eecd43959fb6

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
Size

5.8MB
MD5

97367e6676b234dd98d17dddb05466c5
SHA1

0612d0d3885c55001aa76dc0abadff342fd5899b
SHA256

3d21e8820a9412170545454822ff722db99437c2cd001d6f7799eecd43959fb6
SHA512

5e9b286162fe1ab8875d39955508749ef9854862553672f23c6c7df497a8c46011182ba3f2487f10b7907a156add3d12ae143c595dcb33c4916273870c5ab325
SSDEEP

98304:KrTt3xlZ22u2jxbQV+Fpm9JAFV5CNFEI8PUe7f3Ffg7xIecSuXo+IWNun:KrTtXlQAFyXAUG3UxIeaY+c

Score

10^/10

defense_evasion discovery persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 14 IoCs

pid	Process
2412	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
5524	icsys.icn.exe
3840	explorer.exe
3252	spoolsv.exe
5352	svchost.exe
5068	spoolsv.exe
3244	svchost.exe
3160	explorer.exe
4872	svchost.exe
4980	explorer.exe
4608	svchost.exe
1284	explorer.exe
4004	explorer.exe
4664	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3840	explorer.exe
5352	svchost.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
5524	icsys.icn.exe
5524	icsys.icn.exe
3840	explorer.exe
3840	explorer.exe
3252	spoolsv.exe
3252	spoolsv.exe
5352	svchost.exe
5352	svchost.exe
5068	spoolsv.exe
5068	spoolsv.exe
3244	svchost.exe
3244	svchost.exe
3160	explorer.exe
4872	svchost.exe
3160	explorer.exe
4872	svchost.exe
4980	explorer.exe
4980	explorer.exe
4608	svchost.exe
4608	svchost.exe
1284	explorer.exe
1284	explorer.exe
4004	explorer.exe
4664	svchost.exe
4664	svchost.exe
4004	explorer.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 2412	3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe	87
PID 3680 wrote to memory of 2412	3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe	87
PID 3680 wrote to memory of 2412	3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe	87
PID 3680 wrote to memory of 5524	3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe	90
PID 3680 wrote to memory of 5524	3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe	90
PID 3680 wrote to memory of 5524	3680	2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe	90
PID 5524 wrote to memory of 3840	5524	icsys.icn.exe	91
PID 5524 wrote to memory of 3840	5524	icsys.icn.exe	91
PID 5524 wrote to memory of 3840	5524	icsys.icn.exe	91
PID 3840 wrote to memory of 3252	3840	explorer.exe	92
PID 3840 wrote to memory of 3252	3840	explorer.exe	92
PID 3840 wrote to memory of 3252	3840	explorer.exe	92
PID 3252 wrote to memory of 5352	3252	spoolsv.exe	93
PID 3252 wrote to memory of 5352	3252	spoolsv.exe	93
PID 3252 wrote to memory of 5352	3252	spoolsv.exe	93
PID 5352 wrote to memory of 5068	5352	svchost.exe	94
PID 5352 wrote to memory of 5068	5352	svchost.exe	94
PID 5352 wrote to memory of 5068	5352	svchost.exe	94
PID 4792 wrote to memory of 3244	4792	cmd.exe	101
PID 4792 wrote to memory of 3244	4792	cmd.exe	101
PID 4792 wrote to memory of 3244	4792	cmd.exe	101
PID 4780 wrote to memory of 3160	4780	cmd.exe	104
PID 4780 wrote to memory of 3160	4780	cmd.exe	104
PID 4780 wrote to memory of 3160	4780	cmd.exe	104
PID 4996 wrote to memory of 4872	4996	cmd.exe	105
PID 4996 wrote to memory of 4872	4996	cmd.exe	105
PID 4996 wrote to memory of 4872	4996	cmd.exe	105
PID 4864 wrote to memory of 4980	4864	cmd.exe	106
PID 4864 wrote to memory of 4980	4864	cmd.exe	106
PID 4864 wrote to memory of 4980	4864	cmd.exe	106
PID 5748 wrote to memory of 4608	5748	cmd.exe	127
PID 5748 wrote to memory of 4608	5748	cmd.exe	127
PID 5748 wrote to memory of 4608	5748	cmd.exe	127
PID 2036 wrote to memory of 1284	2036	cmd.exe	128
PID 2036 wrote to memory of 1284	2036	cmd.exe	128
PID 2036 wrote to memory of 1284	2036	cmd.exe	128
PID 5400 wrote to memory of 4004	5400	cmd.exe	134
PID 5400 wrote to memory of 4004	5400	cmd.exe	134
PID 5400 wrote to memory of 4004	5400	cmd.exe	134
PID 6116 wrote to memory of 4664	6116	cmd.exe	135
PID 6116 wrote to memory of 4664	6116	cmd.exe	135
PID 6116 wrote to memory of 4664	6116	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3680
- \??\c:\users\admin\appdata\local\temp\2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
  c:\users\admin\appdata\local\temp\2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2412
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5524
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3252
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5352
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:4780
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:4996
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:4864
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:5748
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\themes\explorer.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:5400
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\windows\resources\svchost.exe RO
1⤵
- Suspicious use of WriteProcessMemory
PID:6116
- \??\c:\windows\resources\svchost.exe
  c:\windows\resources\svchost.exe RO
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2025-04-04_97367e6676b234dd98d17dddb05466c5_black-basta_hijackloader_luca-stealer_swisyn.exe

Filesize
5.6MB

MD5
157edf9cd030cd45bfb7d294e2cdc372

SHA1
2fc6106cbda69025ca630541d3fb69395a5b84a1

SHA256
ed81428d6c785af3499c529963a5e2cbbe6147ee83782ceb551f3c98e0eefbb0

SHA512
a30be3e8ae79136d28e00c5f81520da49fc6ed07d6fd719122a47c3dbb18baf2d36056d3c28139a691f05ffaf97fc91e9aeec3969780078777003e81166d8b9a

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
111947e5076a8b7cae9d62375ef3a60b

SHA1
f9a94e122fda16a39c54f7696cb35920e7bd8f3f

SHA256
c85d91d119c16392c05dfc4ef87753784a89f973dbb38a12ac477df9e3863944

SHA512
bfbc488053c867e9b76630af62a0ed29abda380e15865676e25c119c92d926fcb3fdbc8faa85d8d9ddb59238c30158f0882d942a9d81391fdb2a71e31ca089e6

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d26843313bf25c916db07b2a8c032a00

SHA1
4ce226c4b3b033f83ca3755d41d3bb4639ac88a1

SHA256
5c0da48b13c3f250e7b74467f17e3a2bf2f4cc223573cf05b5722df0dfa007d3

SHA512
1c5708b9c1d3557955c372bd9f355644153e5e7d278f96d26416c66fecca23eda26b683389598a8500023f5dd67649a07e365ac257151b92b39030110549e261

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
cf048bfc388f2e25b09ba724f727463b

SHA1
ddd91372a79b2ab10178a53d9ae369304bab5086

SHA256
538b0df846a0043cecefc13181a6f294b9b66cf676b794d5c10bcc99ed52d9c1

SHA512
2b42a50943bb83ab5623c21178c01738017406c2be3e2cec4b7fdba672da34612daa0dc5af9441cc2b9480704d92fdd842a2ec390abffeabc9676ec0063a84ae

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
d9e469167319c717481ba902cde7b77e

SHA1
c6b23adaec3c8feda70345e9781f741aa8e37240

SHA256
74127f3ecdaf2ed083ce49c7a114391c23997e3070a45a2ec04744d3dad53394

SHA512
a02268622c9964fd3eb56a9c8d0d0a2e40a3e278c84faab4b2dcf6f194362e297669354b7a38d5bb9cd00307b455d48d70a84950cfdbbb878b10b668c1844bed

Download Submit
memory/1284-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3160-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3244-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3244-51-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3252-43-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3680-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3680-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3840-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4004-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4608-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4664-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4872-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5068-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5352-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5524-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download